Further mitigation of handlebars-lang#1736

Author: bitwiseman

lib/handlebars/runtime.js

@@ -69,12 +69,28 @@ export function template(templateSpec, env) {
       if (!(name in obj)) {
         throw new Exception('"' + name + '" not defined in ' + obj);
       }
-      return obj[name];
+      return container.lookupProperty(obj, name);
+    },
+    lookupProperty: function(parent, propertyName) {
+      let result = parent[propertyName];
+      if (result == null) {
+        return result;
+      }
+      if (Object.prototype.hasOwnProperty.call(parent, propertyName)) {
+        return result;
+      }
+
+      if (!Utils.dangerousPropertyRegex.test(String(propertyName))) {
+        return result;
+      }
+
+      return undefined;
     },
     lookup: function(depths, name) {
       const len = depths.length;
       for (let i = 0; i < len; i++) {
-        if (depths[i] && depths[i][name] != null) {
+        let result = depths[i] && container.lookupProperty(depths[i], name);
+        if (result != null) {
           return depths[i][name];
         }
       }

spec/security.js

@@ -2,6 +2,10 @@ describe('security issues', function() {
     describe('GH-1495: Prevent Remote Code Execution via constructor', function() {
       checkPropertyAccess({});
 
+      describe('in compat-mode', function() {
+        checkPropertyAccess({ compat: true });
+      });
+
       describe('in strict-mode', function() {
         checkPropertyAccess({ strict: true });
       });