fix: prevent possibility of execution of the code injected via prototype pollution when undefined is passed to compiled template function, closes #291

Author: epoberezkin

index.js

@@ -42,7 +42,7 @@ function InstallDots(o) {
 	if (this.__destination[this.__destination.length-1] !== '/') this.__destination += '/';
 	this.__global		= o.global || "window.render";
 	this.__rendermodule	= o.rendermodule || {};
-	this.__settings 	= o.templateSettings ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined;
+	this.__settings 	= Object.prototype.hasOwnProperty.call(o,"templateSettings") ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined;
 	this.__includes		= {};
 }
 

test/process.test.js

@@ -0,0 +1,31 @@
+'use strict';
+
+var assert = require('assert');
+var doT = require('..');
+
+
+describe('doT.process', function() {
+	describe('polluting object prototype should not affect template compilation', function() {
+		it('should ignore varname on object prototype', function() {
+      var currentLog = console.log;
+      console.log = log;
+      var logged;
+      
+			Object.prototype.templateSettings = {varname: 'it=(console.log("executed"),{})'};
+
+      try {
+        const templates = doT.process({path: './test'});
+        assert.notEqual(logged, 'executed');
+        // injected code can only be executed if undefined is passed to template function
+        templates.test();
+        assert.notEqual(logged, 'executed');
+      } finally {
+        console.log = currentLog;
+      }
+      
+      function log(str) {
+        logged = str;
+      }
+		})
+	});
+});

test/test.dot

@@ -0,0 +1 @@
+{{=it && it.test}}