
Commit e5d3e96

test: cover access control to prototype methods/properties on nested objects (#1858)
- per issue #1858 - adds cases for nested input objects to existing cases - very minor refactor to re-use the same test logic, keep tests readable.
1 parent a9fe6d5 commit e5d3e96

1 file changed

+40
-19
lines changed


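--- a/spec/security.js
+++ b/spec/security.js
@@ -167,6 +167,7 @@ describe('security issues', function() {
 TestClass.prototype.aMethod = function() {
 return 'returnValue';
 };
+TestClass.prototype.nested = new TestClass();
 
 beforeEach(function() {
 handlebarsEnv.resetLoggedPropertyAccesses();
@@ -177,17 +178,25 @@ describe('security issues', function() {
 });
 
 describe('control access to prototype methods via "allowedProtoMethods"', function() {
-checkProtoMethodAccess({});
+checkProtoMethodAccess('{{aMethod}}', {});
 
 describe('in compat mode', function() {
-checkProtoMethodAccess({ compat: true });
+checkProtoMethodAccess('{{aMethod}}', { compat: true });
 });
 
-function checkProtoMethodAccess(compileOptions) {
+describe('GH-1858: for nested object', function() {
+checkProtoMethodAccess('{{nested.aMethod}}', {});
+
+describe('in compat mode', function() {
+checkProtoMethodAccess('{{nested.aMethod}}', { compat: true });
+});
+});
+
+function checkProtoMethodAccess(template, compileOptions) {
 it('should be prohibited by default and log a warning', function() {
 var spy = sinon.spy(console, 'error');
 
-expectTemplate('{{aMethod}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .toCompileTo('');
@@ -199,12 +208,12 @@ describe('security issues', function() {
 it('should only log the warning once', function() {
 var spy = sinon.spy(console, 'error');
 
-expectTemplate('{{aMethod}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .toCompileTo('');
 
-expectTemplate('{{aMethod}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .toCompileTo('');
@@ -216,7 +225,7 @@ describe('security issues', function() {
 it('can be allowed, which disables the warning', function() {
 var spy = sinon.spy(console, 'error');
 
-expectTemplate('{{aMethod}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .withRuntimeOptions({
@@ -232,7 +241,7 @@ describe('security issues', function() {
 it('can be turned on by default, which disables the warning', function() {
 var spy = sinon.spy(console, 'error');
 
-expectTemplate('{{aMethod}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .withRuntimeOptions({
@@ -246,7 +255,7 @@ describe('security issues', function() {
 it('can be turned off by default, which disables the warning', function() {
 var spy = sinon.spy(console, 'error');
 
-expectTemplate('{{aMethod}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .withRuntimeOptions({
@@ -258,7 +267,7 @@ describe('security issues', function() {
 });
 
 it('can be turned off, if turned on by default', function() {
-expectTemplate('{{aMethod}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .withRuntimeOptions({
@@ -292,21 +301,33 @@ describe('security issues', function() {
 });
 
 describe('control access to prototype non-methods via "allowedProtoProperties" and "allowProtoPropertiesByDefault', function() {
-checkProtoPropertyAccess({});
+checkProtoPropertyAccess('{{aProperty}}', {});
 
 describe('in compat-mode', function() {
-checkProtoPropertyAccess({ compat: true });
+checkProtoPropertyAccess('{{aProperty}}', { compat: true });
 });
 
 describe('in strict-mode', function() {
-checkProtoPropertyAccess({ strict: true });
+checkProtoPropertyAccess('{{aProperty}}', { strict: true });
 });
 
-function checkProtoPropertyAccess(compileOptions) {
+describe('GH-1858: for nested object', function() {
+checkProtoPropertyAccess('{{nested.aProperty}}', {});
+
+describe('in compat-mode', function() {
+checkProtoPropertyAccess('{{nested.aProperty}}', { compat: true });
+});
+
+describe('in strict-mode', function() {
+checkProtoPropertyAccess('{{nested.aProperty}}', { strict: true });
+});
+});
+
+function checkProtoPropertyAccess(template, compileOptions) {
 it('should be prohibited by default and log a warning', function() {
 var spy = sinon.spy(console, 'error');
 
-expectTemplate('{{aProperty}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .toCompileTo('');
@@ -318,7 +339,7 @@ describe('security issues', function() {
 it('can be explicitly prohibited by default, which disables the warning', function() {
 var spy = sinon.spy(console, 'error');
 
-expectTemplate('{{aProperty}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .withRuntimeOptions({
@@ -332,7 +353,7 @@ describe('security issues', function() {
 it('can be turned on, which disables the warning', function() {
 var spy = sinon.spy(console, 'error');
 
-expectTemplate('{{aProperty}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .withRuntimeOptions({
@@ -348,7 +369,7 @@ describe('security issues', function() {
 it('can be turned on by default, which disables the warning', function() {
 var spy = sinon.spy(console, 'error');
 
-expectTemplate('{{aProperty}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .withRuntimeOptions({
@@ -360,7 +381,7 @@ describe('security issues', function() {
 });
 
 it('can be turned off, if turned on by default', function() {
-expectTemplate('{{aProperty}}')
+expectTemplate(template)
 .withInput(new TestClass())
 .withCompileOptions(compileOptions)
 .withRuntimeOptions({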
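Review bot: `TestClass.prototype.nested = new TestClass();` in the first hunk makes `nested` itself a non-own, non-function prototype property of every input, so in `{{nested.aMethod}}` and `{{nested.aProperty}}` the first segment is already subject to the `allowedProtoProperties` check, exactly like `aProperty` is. The nested "should be prohibited by default" cases therefore compile to `''` as soon as `nested` is refused, without proving that the check is also applied to the second segment, and the warning that gets logged presumably names `nested` rather than `aMethod`/`aProperty` — worth confirming against the spy assertions that sit outside these hunks. Likewise, if the `withRuntimeOptions` blocks (also outside the hunks) only whitelist `aMethod` or `aProperty`, the nested "can be allowed" variants would need `nested` whitelisted too, or the lookup stops at the first segment. Giving each input an own `nested` would isolate the second-segment check, e.g. replacing the prototype assignment with `function TestClass() { this.nested = Object.create(TestClass.prototype); }` on the constructor, whose definition is outside this diff. The enclosing `describe('security issues', ...)` also starts outside these hunks.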
