fix(storefront): STRF-12281 Prevent block and partial helpers from be…

…ing named prototype methods (#317)

helpers/block.js

@@ -10,6 +10,12 @@ const factory = globals => {
             globals.getLogger().info("Non-string passed to block helper");
             return '';
         }
+
+        if (Object.getOwnPropertyNames(Object.prototype).includes(name)) {
+            globals.getLogger().info(`Invalid name '${name}' passed to the partial helper. Returning empty string.`);
+            return '';
+        }
+
         const options = arguments[arguments.length - 1];
 
         /* Look for partial by name. */

helpers/partial.js

@@ -10,6 +10,12 @@ const factory = globals => {
             globals.getLogger().info("Non-string passed to partial helper");
             return '';
         }
+
+        if (Object.getOwnPropertyNames(Object.prototype).includes(name)) {
+            globals.getLogger().info(`Invalid name '${name}' passed to the partial helper. Returning empty string.`);
+            return '';
+        }
+
         const options = arguments[arguments.length - 1];
         globals.handlebars.registerPartial(name, options.fn);
     };

spec/helpers/block.js

@@ -74,4 +74,18 @@ describe('partial and block helpers', function () {
             done();
         });
     });
+
+    it('should return empty string if using a reserved object property name', function (done) {
+        const templates = {
+            template: '{{#partial "__proto__"}}Page partial content.{{/partial}}{{> layout}}',
+            layout: '{{#block "constructor"}}{{/block}}',
+        };
+
+        const context = {};
+
+        render('template', context, {}, {}, templates).then(result => {
+            expect(result).to.equal('');
+            done();
+        });
+    });
 });