From 85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4 Mon Sep 17 00:00:00 2001
From: Nils Knappmeier <github@knappi.org>
Date: Thu, 11 Apr 2019 17:46:27 +0200
Subject: [PATCH] fix: prevent RCE through the "lookup"-helper

- The "lookup" helper could also be used to run a remote code execution
  by manipulating the template. The same check as for regular
  path queries now also is done in the "lookup"-helper
---
 lib/handlebars/helpers/lookup.js | 8 +++++++-
 spec/security.js                 | 7 +++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/lib/handlebars/helpers/lookup.js b/lib/handlebars/helpers/lookup.js
index a52e77a04..dcd585178 100644
--- a/lib/handlebars/helpers/lookup.js
+++ b/lib/handlebars/helpers/lookup.js
@@ -1,5 +1,11 @@
 export default function(instance) {
   instance.registerHelper('lookup', function(obj, field) {
-    return obj && obj[field];
+    if (!obj) {
+      return obj;
+    }
+    if (field === 'constructor' && !obj.propertyIsEnumerable(field)) {
+      return undefined;
+    }
+    return obj[field];
   });
 }
diff --git a/spec/security.js b/spec/security.js
index 12b96e629..4a7d83773 100644
--- a/spec/security.js
+++ b/spec/security.js
@@ -2,12 +2,16 @@ describe('security issues', function() {
     describe('GH-1495: Prevent Remote Code Execution via constructor', function() {
         it('should not allow constructors to be accessed', function() {
             shouldCompileTo('{{constructor.name}}', {}, '');
+            shouldCompileTo('{{lookup (lookup this "constructor") "name"}}', {}, '');
         });
 
         it('should allow the "constructor" property to be accessed if it is enumerable', function() {
             shouldCompileTo('{{constructor.name}}', {'constructor': {
                 'name': 'here we go'
             }}, 'here we go');
+            shouldCompileTo('{{lookup (lookup this "constructor") "name"}}', {'constructor': {
+                'name': 'here we go'
+            }}, 'here we go');
         });
 
         it('should allow prototype properties that are not constructors', function() {
@@ -23,6 +27,9 @@ describe('security issues', function() {
 
             shouldCompileTo('{{#with this as |obj|}}{{obj.abc}}{{/with}}',
                 new TestClass(), 'xyz');
+            shouldCompileTo('{{#with this as |obj|}}{{lookup obj "abc"}}{{/with}}',
+                new TestClass(), 'xyz');
+
         });
     });
 });