|
19 | 19 |
|
20 | 20 | /** Error message constants. */
|
21 | 21 | var CORE_ERROR_TEXT = 'Unsupported core-js use. Try https://npms.io/search?q=ponyfill.',
|
22 |
| - FUNC_ERROR_TEXT = 'Expected a function'; |
| 22 | + FUNC_ERROR_TEXT = 'Expected a function', |
| 23 | + INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`'; |
23 | 24 |
|
24 | 25 | /** Used to stand-in for `undefined` hash values. */
|
25 | 26 | var HASH_UNDEFINED = '__lodash_hash_undefined__';
|
|
165 | 166 | /** Used to match words composed of alphanumeric characters. */
|
166 | 167 | var reAsciiWord = /[^\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]+/g;
|
167 | 168 |
|
| 169 | + /** |
| 170 | + * Used to validate the `validate` option in `_.template` variable. |
| 171 | + * |
| 172 | + * Forbids characters which could potentially change the meaning of the function argument definition: |
| 173 | + * - "()," (modification of function parameters) |
| 174 | + * - "=" (default value) |
| 175 | + * - "[]{}" (destructuring of function parameters) |
| 176 | + * - "/" (beginning of a comment) |
| 177 | + * - whitespace |
| 178 | + */ |
| 179 | + var reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/; |
| 180 | + |
168 | 181 | /** Used to match backslashes in property paths. */
|
169 | 182 | var reEscapeChar = /\\(\\)?/g;
|
170 | 183 |
|
|
14866 | 14879 | if (!variable) {
|
14867 | 14880 | source = 'with (obj) {\n' + source + '\n}\n';
|
14868 | 14881 | }
|
| 14882 | + // Throw an error if a forbidden character was found in `variable`, to prevent |
| 14883 | + // potential command injection attacks. |
| 14884 | + else if (reForbiddenIdentifierChars.test(variable)) { |
| 14885 | + throw new Error(INVALID_TEMPL_VAR_ERROR_TEXT); |
| 14886 | + } |
| 14887 | + |
14869 | 14888 | // Cleanup code by stripping empty strings.
|
14870 | 14889 | source = (isEvaluating ? source.replace(reEmptyStringLeading, '') : source)
|
14871 | 14890 | .replace(reEmptyStringMiddle, '$1')
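Review bot: The new `reForbiddenIdentifierChars` check is a denylist, so the `variable` value spliced into the generated function's parameter list is only as safe as the enumeration of forbidden characters stays complete (for instance `<!--`, which script-goal engines treat as a comment opener under Annex B, is not in the set; I have not confirmed it is exploitable here, but the fragility is the point). An allowlist of identifier characters is the more robust shape: `var reValidIdentifier = /^[A-Za-z_$][\w$]*$/;` and `else if (!reValidIdentifier.test(variable)) {` — with the caveat that it would also reject non-ASCII identifiers that callers may currently pass, so that compatibility cost should be weighed against the stronger guarantee. The comment on the regex also has a typo; it should read `Used to validate the `variable` option passed to `_.template`.`, and the inline comment before the throw describes code injection rather than "command injection". The enclosing `template` function starts and ends outside this hunk.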
|
|