hogan.js Harden against prototype pollution.

This makes it more difficult for RCEs in other libraries to overwrite the prototype chain to manipulate Hogan, but also prevents authors from manipulating the prototype chain on purpose. I think the latter is rare enough that this change is worth it.

This first patch just fixes node.indent. See #274.

Dec 18 '21 22:12 sayrer

Well, I typoed this, but it does fix the pollution. Will fix.

Dec 18 '21 22:12 sayrer

Hi @sayrer, What do you think about that solution?

var context = Object.create(null, { 
  code: {
    value: "",
    writable: true,
    enumerable: true,
    configurable: true
  }, 
  subs: {
    value: Object.create(null),
    writable: true,
    enumerable: true,
    configurable: true
  }, 
  partials: {
    value: Object.create(null),
    writable: true,
    enumerable: true,
    configurable: true
  }
});

Dec 19 '21 18:12 ex1st

Hi @sayrer, What do you think about that solution?

It doesn't quite work, but that is another way.

Welcome to Node.js v17.2.0.
Type ".help" for more information.
> var context = Object.create(null, { 
...   code: {
.....     value: "",
.....     writable: true,
.....     enumerable: true,
.....     configurable: true
.....   }}); 
undefined
> context
[Object: null prototype] { code: '' }
> context.__proto__
undefined
> context.code.__proto__
{}
> context.code.__proto__.indent = "foo"
'foo'
> context.code.__proto__.indent
'foo'

Dec 19 '21 19:12 sayrer

It looks like I'll have to fix the test harness before I check this in, and your way will still break anyone relying on the prototype chain (probably unintentionally). But I'll see which one is cleaner in the end.

Dec 19 '21 19:12 sayrer

Also, another simple way - predefined empty prefix

var context = { code: '', subs: {}, partials: {}, prefix: '' };

Dec 20 '21 06:12 ex1st