TomFrost#92 Evaluator should not have access to objects' prototypes o…

…r invoke Javascript functions
elsci-io · Jun 18, 2021 · 80fa1d5 · 80fa1d5
1 parent f6fbd50
commit 80fa1d5
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/__tests__/lib/evaluator/Evaluator.test.js b/__tests__/lib/evaluator/Evaluator.test.js
@@ -223,4 +223,26 @@ describe('Evaluator', () => {
     const e = new Evaluator(grammar, context)
     await expect(e.eval(toTree(expr))).resolves.toBe(false)
   })
+  it('evaluator can access only to properties owned by context object', async () => {
+    const expr = '"".toLowerCase["__proto__"]'
+    const e = new Evaluator(grammar)
+    await expect(e.eval(toTree(expr))).rejects.toThrow(Error)
+  })
+  it('evaluator should not call any functions', async () => {
+    delete Object.prototype.valueOf
+    String.prototype.test = () => 'called'
+    const expr = '"got " + { valueOf: "".test }'
+    const e = new Evaluator(grammar)
+    await expect(e.eval(toTree(expr))).resolves.toBe('got [object Object]')
+  })
+  it('evaluator should not call any functions2', async () => {
+    String.prototype.test = () => {
+      throw new Error()
+    }
+    const expr = '{ then: "".test }'
+    const e = new Evaluator(grammar)
+    await expect(e.eval(toTree(expr))).resolves.toStrictEqual({
+      then: undefined
+    })
+  })
 })
diff --git a/lib/evaluator/handlers.js b/lib/evaluator/handlers.js
@@ -106,6 +106,9 @@ exports.Identifier = function (ast) {
     if (Array.isArray(context)) {
       context = context[0]
     }
+    if (!context.hasOwnProperty(ast.value)) {
+      return undefined
+    }
     return context[ast.value]
   })
 }