LibJS: Always taint parsing environment on call to eval()
We had an edge case where calls to eval() left the environment untainted *if* `eval` had also been declared as a local variable in the same parsing context. This broke the expected direct eval behavior when the variable `eval` was still pointing at the global `eval` function. This patch fixes the issue by simply always tainting the environment when a call to something named `eval` is encountered. It doesn't seem worth optimizing the case where someone is calling their own function named `eval`. Fixes 1 test-js test in bytecode mode. :^)
This commit is contained in:
parent
c90bf22d29
commit
9054b1bc14
1 changed files with 2 additions and 13 deletions
@ -2230,19 +2230,8 @@ NonnullRefPtr<Expression const> Parser::parse_expression(int min_precedence, Ass
|
|||
|
||||
if (is<CallExpression>(*expression) && m_state.current_scope_pusher) {
|
||||
auto& callee = static_ptr_cast<CallExpression const>(expression)->callee();
|
||||
if (is<Identifier>(callee)) {
|
||||
auto& identifier_instance = static_cast<Identifier const&>(callee);
|
||||
if (identifier_instance.string() == "eval"sv) {
|
||||
bool has_not_been_declared_as_variable = true;
|
||||
for (auto scope = m_state.current_scope_pusher; scope; scope = scope->parent_scope()) {
|
||||
if (scope->has_declaration(identifier_instance.string())) {
|
||||
has_not_been_declared_as_variable = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (has_not_been_declared_as_variable)
|
||||
m_state.current_scope_pusher->set_contains_direct_call_to_eval();
|
||||
}
|
||||
if (is<Identifier>(callee) && static_cast<Identifier const&>(callee).string() == "eval"sv) {
|
||||
m_state.current_scope_pusher->set_contains_direct_call_to_eval();
|
||||
}
|
||||
}
|
||||
|
||||
|
|
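Review bot: The new condition at the `is<Identifier>(callee) && ... == "eval"sv` line carries no comment saying that tainting on the bare name is deliberate, so a future maintainer looking for a "cheap win" could reintroduce exactly the declaration walk this commit deletes and bring the under-tainting bug back. I would add above the `if`: `// Deliberately conservative: any call through an identifier named "eval" taints the scope. A local named "eval" may still hold the global eval function, so checking whether the name was declared (as we used to) under-tainted the scope; over-tainting only costs a slower variable lookup, under-tainting breaks direct eval.` Note that under-tainting is the unsafe direction here, since variable resolution in a scope the parser believes is eval-free may be optimized in ways that are wrong once a direct eval runs. Separately, and only if the parser keeps a distinct node for a parenthesized callee, the spec treats `(eval)(src)` as a direct eval too (only a comma or member access makes it indirect); the `is<Identifier>(callee)` test would then miss that form, which is worth confirming against how parenthesized expressions are represented. The enclosing `Parser::parse_expression` starts and ends outside this hunk, and the `m_state.current_scope_pusher` null check on the outer `if` is untouched by the change.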