Fix #1748 where allowed prototype methods are not called

aalimovs · aalimovs · commit b1d1aa8b71d0 · 2023-07-16T15:04:01.000+01:00
diff --git a/lib/handlebars/runtime.js b/lib/handlebars/runtime.js
@@ -136,6 +136,9 @@ export function template(templateSpec, env) {
       }
 
       if (resultIsAllowed(result, container.protoAccessControl, propertyName)) {
+        if (typeof result === 'function') {
+          return parent[propertyName]();
+        }
         return result;
       }
       return undefined;
diff --git a/spec/security.js b/spec/security.js
@@ -289,6 +289,17 @@ describe('security issues', function() {
           })
           .toCompileTo('abc');
       });
+
+      it('should call an allowed proto method', function() {
+        expectTemplate('{{aString.trim}}')
+          .withInput({ aString: '  abc  ' })
+          .withRuntimeOptions({
+            allowedProtoMethods: {
+              trim: true
+            }
+          })
+          .toCompileTo('abc');
+      });
     });
 
     describe('control access to prototype non-methods via "allowedProtoProperties" and "allowProtoPropertiesByDefault', function() {

Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,9 @@ export function template(templateSpec, env) {`
`136`	`136`	`}`
`137`	`137`
`138`	`138`	`if (resultIsAllowed(result, container.protoAccessControl, propertyName)) {`
	`139`	`+ if (typeof result === 'function') {`
	`140`	`+ return parent[propertyName]();`
	`141`	`+ }`
`139`	`142`	`return result;`
`140`	`143`	`}`
`141`	`144`	`return undefined;`