Merge branch 'template-variable-parameter'

Author: jgonggrijp

docs/modules/_setup.html

@@ -850,7 +850,7 @@ <h1>_setup.js</h1>
 
             </div>
 
-            <div class="content"><div class='highlight'><pre><span class="hljs-keyword">export</span> <span class="hljs-keyword">var</span> VERSION = <span class="hljs-string">'1.12.0'</span>;</pre></div></div>
+            <div class="content"><div class='highlight'><pre><span class="hljs-keyword">export</span> <span class="hljs-keyword">var</span> VERSION = <span class="hljs-string">'1.12.1'</span>;</pre></div></div>
 
         </li>
 

docs/modules/debounce.html

@@ -850,7 +850,7 @@ <h1>debounce.js</h1>
             </div>
 
             <div class="content"><div class='highlight'><pre><span class="hljs-keyword">import</span> restArguments <span class="hljs-keyword">from</span> <span class="hljs-string">'./restArguments.js'</span>;
-<span class="hljs-keyword">import</span> delay <span class="hljs-keyword">from</span> <span class="hljs-string">'./delay.js'</span>;</pre></div></div>
+<span class="hljs-keyword">import</span> now <span class="hljs-keyword">from</span> <span class="hljs-string">'./now.js'</span>;</pre></div></div>
 
         </li>
 
@@ -869,29 +869,47 @@ <h1>debounce.js</h1>
             </div>
 
             <div class="content"><div class='highlight'><pre><span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">debounce</span>(<span class="hljs-params">func, wait, immediate</span>) </span>{
-  <span class="hljs-keyword">var</span> timeout, result;
+  <span class="hljs-keyword">var</span> timeout, previous, args, result, context;
 
-  <span class="hljs-keyword">var</span> later = <span class="hljs-function"><span class="hljs-keyword">function</span>(<span class="hljs-params">context, args</span>) </span>{
-    timeout = <span class="hljs-literal">null</span>;
-    <span class="hljs-keyword">if</span> (args) result = func.apply(context, args);
+  <span class="hljs-keyword">var</span> later = <span class="hljs-function"><span class="hljs-keyword">function</span>(<span class="hljs-params"></span>) </span>{
+    <span class="hljs-keyword">var</span> passed = now() - previous;
+    <span class="hljs-keyword">if</span> (wait &gt; passed) {
+      timeout = <span class="hljs-keyword">set</span><span class="hljs-title">Timeout</span>(<span class="hljs-params">later, wait - passed</span>);
+    } <span class="hljs-title">else</span> {
+      timeout = <span class="hljs-literal">null</span>;
+      <span class="hljs-keyword">if</span> (!immediate) result = func.apply(context, args);</pre></div></div>
+            
+        </li>
+        
+        
+        <li id="section-3">
+            <div class="annotation">
+              
+              <div class="pilwrap ">
+                <a class="pilcrow" href="#section-3">&#182;</a>
+              </div>
+              <p>This check is needed because <code>func</code> can recursively invoke <code>debounced</code>.</p>
+
+            </div>
+            
+            <div class="content"><div class='highlight'><pre>      <span class="hljs-keyword">if</span> (!timeout) args = context = <span class="hljs-literal">null</span>;
+    }
   };
 
-  <span class="hljs-keyword">var</span> debounced = restArguments(<span class="hljs-function"><span class="hljs-keyword">function</span>(<span class="hljs-params">args</span>) </span>{
-    <span class="hljs-keyword">if</span> (timeout) clearTimeout(timeout);
-    <span class="hljs-keyword">if</span> (immediate) {
-      <span class="hljs-keyword">var</span> callNow = !timeout;
+  <span class="hljs-keyword">var</span> debounced = restArguments(<span class="hljs-function"><span class="hljs-keyword">function</span>(<span class="hljs-params">_args</span>) </span>{
+    context = <span class="hljs-keyword">this</span>;
+    args = _args;
+    previous = now();
+    <span class="hljs-keyword">if</span> (!timeout) {
       timeout = <span class="hljs-keyword">set</span><span class="hljs-title">Timeout</span>(<span class="hljs-params">later, wait</span>);
-      <span class="hljs-title">if</span> (<span class="hljs-params">callNow</span>) <span class="hljs-title">result</span> = <span class="hljs-title">func</span>.<span class="hljs-title">apply</span>(<span class="hljs-params">this, args</span>);
-    } <span class="hljs-title">else</span> {
-      timeout = delay(later, wait, <span class="hljs-keyword">this</span>, args);
+      <span class="hljs-title">if</span> (<span class="hljs-params">immediate</span>) <span class="hljs-title">result</span> = <span class="hljs-title">func</span>.<span class="hljs-title">apply</span>(<span class="hljs-params">context, args</span>);
     }
-
-    <span class="hljs-keyword">return</span> result;
+    <span class="hljs-title">return</span> <span class="hljs-title">result</span>;
   });
 
-  debounced.cancel = <span class="hljs-function"><span class="hljs-keyword">function</span>(<span class="hljs-params"></span>) </span>{
+  <span class="hljs-title">debounced</span>.<span class="hljs-title">cancel</span> = <span class="hljs-title">function</span>() {
     clearTimeout(timeout);
-    timeout = <span class="hljs-literal">null</span>;
+    timeout = args = context = <span class="hljs-literal">null</span>;
   };
 
   <span class="hljs-keyword">return</span> debounced;

docs/modules/index.html

@@ -865,7 +865,7 @@ <h1 id="named-exports">Named Exports</h1>
               <div class="pilwrap ">
                 <a class="pilcrow" href="#section-3">&#182;</a>
               </div>
-              <pre><code>Underscore.js <span class="hljs-number">1.12</span><span class="hljs-number">.0</span>
+              <pre><code>Underscore.js <span class="hljs-number">1.12</span><span class="hljs-number">.1</span>
 <span class="hljs-attr">https</span>:<span class="hljs-comment">//underscorejs.org</span>
 (c) <span class="hljs-number">2009</span><span class="hljs-number">-2020</span> Jeremy Ashkenas, DocumentCloud and Investigative Reporters &amp; Editors
 Underscore may be freely distributed under the MIT license.</code></pre>

docs/modules/template.html

@@ -897,7 +897,9 @@ <h1>template.js</h1>
 
 <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">escapeChar</span>(<span class="hljs-params">match</span>) </span>{
   <span class="hljs-keyword">return</span> <span class="hljs-string">'\\'</span> + escapes[match];
-}</pre></div></div>
+}
+
+<span class="hljs-keyword">var</span> bareIdentifier = <span class="hljs-regexp">/^\s*(\w|\$)+\s*$/</span>;</pre></div></div>
 
         </li>
 
@@ -980,7 +982,12 @@ <h1>template.js</h1>
 
             <div class="content"><div class='highlight'><pre>    <span class="hljs-keyword">return</span> match;
   });
-  source += <span class="hljs-string">"';\n"</span>;</pre></div></div>
+  source += <span class="hljs-string">"';\n"</span>;
+
+  <span class="hljs-keyword">var</span> argument = settings.variable;
+  <span class="hljs-keyword">if</span> (argument) {
+    <span class="hljs-keyword">if</span> (!bareIdentifier.test(argument)) <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(argument);
+  } <span class="hljs-keyword">else</span> {</pre></div></div>
 
         </li>
 
@@ -995,15 +1002,17 @@ <h1>template.js</h1>
 
             </div>
 
-            <div class="content"><div class='highlight'><pre>  <span class="hljs-keyword">if</span> (!settings.variable) source = <span class="hljs-string">'with(obj||{}){\n'</span> + source + <span class="hljs-string">'}\n'</span>;
+            <div class="content"><div class='highlight'><pre>    source = <span class="hljs-string">'with(obj||{}){\n'</span> + source + <span class="hljs-string">'}\n'</span>;
+    argument = <span class="hljs-string">'obj'</span>;
+  }
 
   source = <span class="hljs-string">"var __t,__p='',__j=Array.prototype.join,"</span> +
     <span class="hljs-string">"print=function(){__p+=__j.call(arguments,'');};\n"</span> +
     source + <span class="hljs-string">'return __p;\n'</span>;
 
   <span class="hljs-keyword">var</span> render;
   <span class="hljs-keyword">try</span> {
-    render = <span class="hljs-keyword">new</span> <span class="hljs-built_in">Function</span>(settings.variable || <span class="hljs-string">'obj'</span>, <span class="hljs-string">'_'</span>, source);
+    render = <span class="hljs-keyword">new</span> <span class="hljs-built_in">Function</span>(argument, <span class="hljs-string">'_'</span>, source);
   } <span class="hljs-keyword">catch</span> (e) {
     e.source = source;
     <span class="hljs-keyword">throw</span> e;
@@ -1026,8 +1035,7 @@ <h1>template.js</h1>
 
             </div>
 
-            <div class="content"><div class='highlight'><pre>  <span class="hljs-keyword">var</span> argument = settings.variable || <span class="hljs-string">'obj'</span>;
-  template.source = <span class="hljs-string">'function('</span> + argument + <span class="hljs-string">'){\n'</span> + source + <span class="hljs-string">'}'</span>;
+            <div class="content"><div class='highlight'><pre>  template.source = <span class="hljs-string">'function('</span> + argument + <span class="hljs-string">'){\n'</span> + source + <span class="hljs-string">'}'</span>;
 
   <span class="hljs-keyword">return</span> template;
 }</pre></div></div>

docs/underscore-esm.html

@@ -186,7 +186,7 @@
   <div id="sidebar" class="interface">
 
     <a class="toc_title" href="#">
-      Underscore.js <span class="version">(1.12.0)</span>
+      Underscore.js <span class="version">(1.12.1)</span>
     </a>
     <ul class="toc_section">
       <li>&raquo; <a href="https://github.com/jashkenas/underscore">GitHub Repository</a></li>
@@ -476,7 +476,7 @@
       <i>Underscore is an open-source component of <a href="https://documentcloud.org/">DocumentCloud</a>.</i>
     </p>
 
-    <h2>v1.12.0 Downloads <i style="padding-left: 12px; font-size:12px;">(Right-click, and use "Save As")</i></h2>
+    <h2>v1.12.1 Downloads <i style="padding-left: 12px; font-size:12px;">(Right-click, and use "Save As")</i></h2>
 
     <table>
       <tr>
@@ -520,32 +520,32 @@ <h2>v1.12.0 Downloads <i style="padding-left: 12px; font-size:12px;">(Right-clic
       </tr>
     </table>
 
-    <h2>v1.12.0 CDN URLs <i style="padding-left: 12px; font-size:12px;">(Use with <tt>&lt;script src="..."&gt;&lt;/script&gt;</tt>)</i></h2>
+    <h2>v1.12.1 CDN URLs <i style="padding-left: 12px; font-size:12px;">(Use with <tt>&lt;script src="..."&gt;&lt;/script&gt;</tt>)</i></h2>
 
     <ul>
       <li>
-        <tt>https://cdn.jsdelivr.net/npm/underscore@1.12.0/underscore-min.js</tt>
+        <tt>https://cdn.jsdelivr.net/npm/underscore@1.12.1/underscore-min.js</tt>
       </li>
       <li>
-        <tt>https://cdn.jsdelivr.net/npm/underscore@1.12.0/underscore-esm-min.js</tt>
+        <tt>https://cdn.jsdelivr.net/npm/underscore@1.12.1/underscore-esm-min.js</tt>
       </li>
       <li>
-        <tt>https://unpkg.com/underscore@1.12.0/underscore-min.js</tt>
+        <tt>https://unpkg.com/underscore@1.12.1/underscore-min.js</tt>
       </li>
       <li>
-        <tt>https://unpkg.com/underscore@1.12.0/underscore-esm-min.js</tt>
+        <tt>https://unpkg.com/underscore@1.12.1/underscore-esm-min.js</tt>
       </li>
       <li>
-        <tt>https://pagecdn.io/lib/underscore/1.12.0/underscore-min.js</tt>
+        <tt>https://pagecdn.io/lib/underscore/1.12.1/underscore-min.js</tt>
       </li>
       <li>
-        <tt>https://pagecdn.io/lib/underscore/1.12.0/underscore-esm-min.js</tt>
+        <tt>https://pagecdn.io/lib/underscore/1.12.1/underscore-esm-min.js</tt>
       </li>
       <li>
-        <tt>https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.12.0/underscore-min.js</tt>
+        <tt>https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.12.1/underscore-min.js</tt>
       </li>
       <li>
-        <tt>https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.12.0/underscore-esm-min.js</tt>
+        <tt>https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.12.1/underscore-esm-min.js</tt>
       </li>
     </ul>
 
@@ -2705,6 +2705,27 @@ <h2 id="notes">Notes</h2>
 
       <h2 id="changelog">Change Log</h2>
 
+      <p id="1.12.1">
+        <b class="header">1.12.1</b> &mdash; <small><i>March 15, 2021</i></small><br />
+        <ul>
+          <li>
+            Fixes a security issue in <tt>_.template</tt> that could enable a
+            third party to inject code in compiled templates. This issue
+            affects all versions of Underscore between 1.3.2 and 1.12.0,
+            inclusive, as well as preview releases 1.13.0-0 and 1.13.0-1. The
+            fix in this release is also included in the parallel preview
+            release 1.13.0-2.
+          </li>
+          <li>
+            Restores an optimization in <tt>_.debounce</tt> that was
+            unintentionally lost in version 1.9.0.
+          </li>
+          <li>
+            Various test and documentation enhancements.
+          </li>
+        </ul>
+      </p>
+
       <p id="1.12.0">
         <b class="header">1.12.0</b> &mdash; <small><i>November 24, 2020</i></small> &mdash; <a href="https://github.com/jashkenas/underscore/compare/1.11.0...1.12.0">Diff</a> &mdash; <a href="https://cdn.statically.io/gh/jashkenas/underscore/1.12.0/index.html">Docs</a><br />
         <ul>

index.html

@@ -1,5 +1,5 @@
 // Current version.
-export var VERSION = '1.12.0';
+export var VERSION = '1.12.1';
 
 // Establish the root object, `window` (`self`) in the browser, `global`
 // on the server, or `this` in some virtual machines. We use `self`

modules/_setup.js

@@ -1,7 +1,7 @@
 // Named Exports
 // =============
 
-//     Underscore.js 1.12.0
+//     Underscore.js 1.12.1
 //     https://underscorejs.org
 //     (c) 2009-2020 Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors
 //     Underscore may be freely distributed under the MIT license.

modules/index.js

@@ -24,6 +24,8 @@ function escapeChar(match) {
   return '\\' + escapes[match];
 }
 
+var bareIdentifier = /^\s*(\w|\$)+\s*$/;
+
 // JavaScript micro-templating, similar to John Resig's implementation.
 // Underscore templating handles arbitrary delimiters, preserves whitespace,
 // and correctly escapes quotes within interpolated code.
@@ -59,16 +61,22 @@ export default function template(text, settings, oldSettings) {
   });
   source += "';\n";
 
-  // If a variable is not specified, place data values in local scope.
-  if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
+  var argument = settings.variable;
+  if (argument) {
+    if (!bareIdentifier.test(argument)) throw new Error(argument);
+  } else {
+    // If a variable is not specified, place data values in local scope.
+    source = 'with(obj||{}){\n' + source + '}\n';
+    argument = 'obj';
+  }
 
   source = "var __t,__p='',__j=Array.prototype.join," +
     "print=function(){__p+=__j.call(arguments,'');};\n" +
     source + 'return __p;\n';
 
   var render;
   try {
-    render = new Function(settings.variable || 'obj', '_', source);
+    render = new Function(argument, '_', source);
   } catch (e) {
     e.source = source;
     throw e;
@@ -79,7 +87,6 @@ export default function template(text, settings, oldSettings) {
   };
 
   // Provide the compiled source as a convenience for precompilation.
-  var argument = settings.variable || 'obj';
   template.source = 'function(' + argument + '){\n' + source + '}';
 
   return template;

modules/template.js

@@ -16,7 +16,7 @@
   },
   "main": "underscore.js",
   "module": "modules/index-all.js",
-  "version": "1.12.0",
+  "version": "1.12.1",
   "devDependencies": {
     "coveralls": "^2.11.2",
     "docco": "^0.8.0",

package-lock.json

@@ -465,19 +465,27 @@
     assert.strictEqual(template(), '<<\nx\n>>');
   });
 
-  QUnit.test('#2911 - _.template must not trigger CVE-2021-23337.', function(assert) {
-      QUnit.holyProperty = 'holy';
-      var invalidVariableNames = [
-          '){delete QUnit.holyProperty}; with(obj',
-          '(x = QUnit.holyProperty = "evil"), obj',
-          'document.write("got you!")'
-      ];
-      _.each(invalidVariableNames, function(name) {
-          assert.throws(function() { _.template('', { variable: name })(); });
-      });
-      var holy = QUnit.holyProperty;
-      delete QUnit.holyProperty;
-      assert.strictEqual(holy, 'holy');
+  QUnit.test('#2911 - _.templateSettings.variable must not allow third parties to inject code.', function(assert) {
+    QUnit.holyProperty = 'holy';
+    var invalidVariableNames = [
+      '){delete QUnit.holyProperty}; with(obj',
+      '(x = QUnit.holyProperty = "evil"), obj',
+      'document.write("got you!")',
+      'a = (function() { delete QUnit.holyProperty; }())',
+      'a = (QUnit.holyProperty = "evil")',
+      'a = document.write("got you!")'
+    ];
+    _.each(invalidVariableNames, function(name) {
+      _.templateSettings.variable = name;
+      assert.throws(function() {
+        _.template('')();
+      }, 'code injection through _.templateSettings.variable: ' + name);
+      delete _.templateSettings.variable;
+    });
+    var holy = QUnit.holyProperty;
+    delete QUnit.holyProperty;
+    assert.strictEqual(holy, 'holy', '_.template variable cannot touch global state');
+    assert.ok(_.isUndefined(_.templateSettings.variable), 'cleanup');
   });
 
 }());