Fix prototype pollution

CHANGELOG.md

@@ -9,6 +9,7 @@ Unreleased
   respect `throwOnUndefined` if sort attribute is undefined.
 * Add `base` arg to
   [`int` filter](https://mozilla.github.io/nunjucks/templating.html#int).
+* Fix Bug About Prototype Pollution.
 
 3.2.2 (Jul 20 2020)
 -------------------

nunjucks/src/runtime.js

@@ -12,7 +12,7 @@ var supportsIterators = (
 // variables, for example.
 class Frame {
   constructor(parent, isolateWrites) {
-    this.variables = {};
+    this.variables = Object.create(null);
     this.parent = parent;
     this.topLevel = false;
     // if this is true, writes (set) should never propagate upwards past

tests/runtime.js

@@ -110,5 +110,21 @@
 
       finish(done);
     });
+
+    it('should not read variables property from Object.prototype', function(done) {
+      var payload = 'function(){ return 1+2; }()';
+      var data = {};
+      Object.getPrototypeOf(data).payload = payload;
+
+      render('{{ payload }}', data, {
+        noThrow: true
+      }, function(err, res) {
+        expect(err).to.equal(null);
+        expect(res).to.equal(payload);
+      });
+      delete Object.getPrototypeOf(data).payload;
+
+      finish(done);
+    });
   });
 }());