From 4cac9ec52e4127bcfa1f93798cd121a56387eb68 Mon Sep 17 00:00:00 2001
From: jordanarldt
Date: Tue, 23 Jul 2024 10:27:21 -0500
Subject: [PATCH] fix(storefront): STRF-12281 Prevent block and partial helpers from being named prototype methods
---
 helpers/block.js | 6 ++++++
 helpers/partial.js | 6 ++++++
 spec/helpers/block.js | 14 ++++++++++++++
 3 files changed, 26 insertions(+)
diff --git a/helpers/block.js b/helpers/block.js
index 612707b..39890b8 100644
--- a/helpers/block.js
+++ b/helpers/block.js
@@ -10,6 +10,12 @@ const factory = globals => {
 globals.getLogger().info("Non-string passed to block helper");
 return '';
 }
+
+ if (Object.getOwnPropertyNames(Object.prototype).includes(name)) {
+ globals.getLogger().info(`Invalid name '${name}' passed to the partial helper. Returning empty string.`);
+ return '';
+ }
+
 const options = arguments[arguments.length - 1];
 
 /* Look for partial by name. */
diff --git a/helpers/partial.js b/helpers/partial.js
index cc5c38e..ab68c40 100644
--- a/helpers/partial.js
+++ b/helpers/partial.js
@@ -10,6 +10,12 @@ const factory = globals => {
 globals.getLogger().info("Non-string passed to partial helper");
 return '';
 }
+
+ if (Object.getOwnPropertyNames(Object.prototype).includes(name)) {
+ globals.getLogger().info(`Invalid name '${name}' passed to the partial helper. Returning empty string.`);
+ return '';
+ }
+
 const options = arguments[arguments.length - 1];
 globals.handlebars.registerPartial(name, options.fn);
 };
diff --git a/spec/helpers/block.js b/spec/helpers/block.js
index c89e419..fcc99ab 100644
--- a/spec/helpers/block.js
+++ b/spec/helpers/block.js
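Review bot: The log line added in helpers/block.js says the name was "passed to the partial helper" although this is the block helper, so a rejected name is attributed to the wrong helper in the logs; the message should read `passed to the block helper` here. The reserved-name list is also rebuilt with Object.getOwnPropertyNames and scanned with includes on every call, in this hunk and in the helpers/partial.js hunk; a module-level `const RESERVED_NAMES = new Set(Object.getOwnPropertyNames(Object.prototype));` checked with `if (RESERVED_NAMES.has(name)) {` would state the intent once and avoid the per-render allocation. A one-line comment above the check, such as `// Names that exist on Object.prototype would shadow or pollute the partials registry; refuse them.`, would explain why the list is Object.prototype's own names. The enclosing helper function starts and ends outside the hunk.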
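Review bot: In helpers/partial.js the rejection of a reserved name is logged at the same info level as the benign non-string case directly above it, although a template naming a partial `__proto__` or `constructor` is the registry-pollution attempt this check exists to stop and is worth distinguishing in log review; if the logger returned by globals.getLogger() exposes a warn level, `globals.getLogger().warn(...)` with the same message would do that, and the same applies to the helpers/block.js hunk. The check is placed before `registerPartial(name, options.fn)`, which is the right spot, but the two helpers now carry an identical copy of it; a shared reserved-name Set in one module would keep the two lists from drifting. The enclosing helper function starts and ends outside the hunk.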
@@ -74,4 +74,18 @@ describe('partial and block helpers', function () {
 done();
 });
 });
+
+ it('should return empty string if using a reserved object property name', function (done) {
+ const templates = {
+ template: '{{#partial "__proto__"}}Page partial content.{{/partial}}{{> layout}}',
+ layout: '{{#block "constructor"}}{{/block}}',
+ };
+
+ const context = {};
+
+ render('template', context, {}, {}, templates).then(result => {
+ expect(result).to.equal('');
+ done();
+ });
+ });
 });
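Review bot: An assertion failure inside the `.then` callback of the new test is never routed to `done`, so a regression would surface as a test-runner timeout rather than the expect message; appending a rejection handler fixes that: `render('template', context, {}, {}, templates).then(result => { expect(result).to.equal(''); done(); }).catch(done);` (the existing tests in this file appear to follow the same pattern, so this is pre-existing style). The test exercises only `__proto__` for the partial helper and `constructor` for the block helper, and only checks the rendered output; adding a case for another reserved name such as `hasOwnProperty` would cover the list rather than two entries, and an assertion that the partial was not registered would pin the intended side effect rather than only the empty string. The enclosing describe block starts outside the hunk.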