
Commit d898026

Nolan Varaniakroshg
authored andcommitted
[CVE-2020-0710] Prevent Yield/Await in parameter scope
1 parent 161c895 commit d898026


3 files changed

+25
-4
lines changed


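--- a/lib/Parser/Parse.cpp
+++ b/lib/Parser/Parse.cpp
@@ -8378,17 +8378,15 @@ ParseNodePtr Parser::ParseExpr(int oplMin,
 // binding operator, be it unary or binary.
 Error(ERRsyntax);
 }
-if (m_currentScope->GetScopeType() == ScopeType_Parameter
-|| (m_currentScope->GetScopeType() == ScopeType_Block && m_currentScope->GetEnclosingScope()->GetScopeType() == ScopeType_Parameter)) // Check whether this is a class definition inside param scope
+if(m_currentScope->AncestorScopeIsParameter()) // Yield is not allowed within any parameter scope
 {
 Error(ERRsyntax);
 }
 }
 else if (nop == knopAwait)
 {
 if (!this->GetScanner()->AwaitIsKeywordRegion() ||
-m_currentScope->GetScopeType() == ScopeType_Parameter ||
-(m_currentScope->GetScopeType() == ScopeType_Block && m_currentScope->GetEnclosingScope()->GetScopeType() == ScopeType_Parameter)) // Check whether this is a class definition inside param scope
+m_currentScope->AncestorScopeIsParameter()) // Await is not allowed within any parameter scope
 {
 // As with the 'yield' keyword, the case where 'await' is scanned as a keyword (tkAWAIT)
 // but the scanner is not treating await as a keyword (!this->GetScanner()->AwaitIsKeyword())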
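Review bot: The new yield-branch test is written `if(m_currentScope->AncestorScopeIsParameter())` while every neighbouring condition in this hunk (`if (!this->GetScanner()...`, `else if (nop == knopAwait)`) puts a space after the keyword; keep the file's spacing, `if (m_currentScope->AncestorScopeIsParameter()) // Yield is not allowed within any parameter scope`. Both the yield and the await branch now delegate to the same helper, so it would be worth a one-line comment at the first use saying that the helper walks the enclosing scopes rather than looking only one level up, since that is the behavioural difference from the removed lines. ParseExpr starts and ends outside the hunk.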

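--- a/lib/Runtime/ByteCode/Scope.h
+++ b/lib/Runtime/ByteCode/Scope.h
@@ -169,6 +169,15 @@ class Scope
 return enclosingScope;
 }
 
+bool AncestorScopeIsParameter() const
+{
+// Check if the current scope is a parameter or a block which belongs to a parameter scope
+// In such cases, certain asynchronous behavior is forbidden
+const Scope *currentScope = this;
+while(currentScope->GetScopeType() != ScopeType_Global && currentScope->GetScopeType() != ScopeType_FunctionBody && currentScope->GetScopeType() != ScopeType_Parameter) currentScope = currentScope->GetEnclosingScope();
+return (currentScope->GetScopeType() == ScopeType_Parameter);
+}
+
 void SetScopeInfo(Js::ScopeInfo * scopeInfo)
 {
 this->scopeInfo = scopeInfo;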
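Review bot: The walk in AncestorScopeIsParameter dereferences `currentScope` on every iteration without checking the value returned by `GetEnclosingScope()`, so a chain that ends in a null link before reaching a Global, FunctionBody or Parameter scope would crash the parser instead of reporting a syntax error; if every chain is guaranteed to terminate in a Global scope this cannot happen, but that invariant is not visible here and this is the error path the fix is meant to harden. The whole loop is also on one line, which hides the three stop conditions. The header comment's "certain asynchronous behavior" is imprecise for yield, which is not asynchronous; "yield and await" says what is actually checked. I would write it as below (behaviour unchanged when the chain is well-formed).
```cpp
bool AncestorScopeIsParameter() const
{
    // True when this scope is a parameter scope or is nested (at any depth) inside one
    // without an intervening function body. The parser uses this to reject yield/await there.
    const Scope *currentScope = this;
    while (currentScope != nullptr
        && currentScope->GetScopeType() != ScopeType_Global
        && currentScope->GetScopeType() != ScopeType_FunctionBody
        && currentScope->GetScopeType() != ScopeType_Parameter)
    {
        currentScope = currentScope->GetEnclosingScope();
    }
    // A broken chain is treated as "not a parameter scope" rather than dereferenced.
    return currentScope != nullptr && currentScope->GetScopeType() == ScopeType_Parameter;
}
```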

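--- a/test/es7/misc_bugs.js
+++ b/test/es7/misc_bugs.js
@@ -26,6 +26,20 @@ var tests = [
 }`); });
 }
 },
+{
+name: "Await in class body should not crash",
+body: function () {
+async function trigger() {
+a=class b{
+[a = class b{
+[await 0](){}
+}](){}
+};
+}
+
+trigger();
+}
+},
 
 ];
 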
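Review bot: The new test only calls `trigger();` and discards the promise, so a rejection raised inside the async function would never be observed and the test cannot distinguish "parsed and ran" from "parsed and threw at runtime"; only a crash during parsing or execution of the file would fail it. If parse-time crash-freedom is the whole intent, say so in the test, e.g. `// Only verifies the parser accepts this nesting without crashing; the promise result is intentionally not inspected.`; otherwise attach a handler or compare the result so the expected outcome is pinned. The enclosing `tests` array starts outside the hunk.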