Merge branch 'patriksimek:master' into pathContext

Author: blakebyrnes

CHANGELOG.md

@@ -1,3 +1,7 @@
+v3.9.17 (2023-04-17)
+--------------------
+[fix] Multiple security fixes.
+
 v3.9.16 (2023-04-11)
 --------------------
 [fix] Security fix (see https://github.com/patriksimek/vm2/issues/516).

lib/setup-sandbox.js

@@ -439,23 +439,36 @@ global.eval = new LocalProxy(localEval, EvalHandler);
  * Promise sanitization
  */
 
-if (localPromise && !allowAsync) {
+if (localPromise) {
 
 	const PromisePrototype = localPromise.prototype;
 
-	overrideWithProxy(PromisePrototype, 'then', PromisePrototype.then, AsyncErrorHandler);
-	// This seems not to work, and will produce
-	// UnhandledPromiseRejectionWarning: TypeError: Method Promise.prototype.then called on incompatible receiver [object Object].
-	// This is likely caused since the host.Promise.prototype.then cannot use the VM Proxy object.
-	// Contextify.connect(host.Promise.prototype.then, Promise.prototype.then);
+	if (!allowAsync) {
+
+		overrideWithProxy(PromisePrototype, 'then', PromisePrototype.then, AsyncErrorHandler);
+		// This seems not to work, and will produce
+		// UnhandledPromiseRejectionWarning: TypeError: Method Promise.prototype.then called on incompatible receiver [object Object].
+		// This is likely caused since the host.Promise.prototype.then cannot use the VM Proxy object.
+		// Contextify.connect(host.Promise.prototype.then, Promise.prototype.then);
+
+	} else {
+
+		overrideWithProxy(PromisePrototype, 'then', PromisePrototype.then, {
+			__proto__: null,
+			apply(target, thiz, args) {
+				if (args.length > 1) {
+					const onRejected = args[1];
+					if (typeof onRejected === 'function') {
+						args[1] = function wrapper(error) {
+							error = ensureThis(error);
+							return localReflectApply(onRejected, this, [error]);
+						};
+					}
+				}
+				return localReflectApply(target, thiz, args);
+			}
+		});
 
-	if (PromisePrototype.finally) {
-		overrideWithProxy(PromisePrototype, 'finally', PromisePrototype.finally, AsyncErrorHandler);
-		// Contextify.connect(host.Promise.prototype.finally, Promise.prototype.finally);
-	}
-	if (Promise.prototype.catch) {
-		overrideWithProxy(PromisePrototype, 'catch', PromisePrototype.catch, AsyncErrorHandler);
-		// Contextify.connect(host.Promise.prototype.catch, Promise.prototype.catch);
 	}
 
 }

lib/transformer.js

@@ -113,30 +113,30 @@ function transformer(args, body, isAsync, isGenerator, filename) {
 		if (nodeType === 'CatchClause') {
 			const param = node.param;
 			if (param) {
-				if (param.type === 'ObjectPattern') {
+				if (param.type === 'Identifier') {
+					const name = assertType(param, 'Identifier').name;
+					const cBody = assertType(node.body, 'BlockStatement');
+					if (cBody.body.length > 0) {
+						insertions.push({
+							__proto__: null,
+							pos: cBody.body[0].start,
+							order: TO_LEFT,
+							coder: () => `${name}=${INTERNAL_STATE_NAME}.handleException(${name});`
+						});
+					}
+				} else {
 					insertions.push({
 						__proto__: null,
 						pos: node.start,
 						order: TO_RIGHT,
-						coder: () => `catch(${tmpname}){try{throw(${tmpname}=${INTERNAL_STATE_NAME}.handleException(${tmpname}));}`
+						coder: () => `catch(${tmpname}){${tmpname}=${INTERNAL_STATE_NAME}.handleException(${tmpname});try{throw ${tmpname};}`
 					});
 					insertions.push({
 						__proto__: null,
 						pos: node.body.end,
 						order: TO_LEFT,
 						coder: () => `}`
 					});
-				} else {
-					const name = assertType(param, 'Identifier').name;
-					const cBody = assertType(node.body, 'BlockStatement');
-					if (cBody.body.length > 0) {
-						insertions.push({
-							__proto__: null,
-							pos: cBody.body[0].start,
-							order: TO_LEFT,
-							coder: () => `${name}=${INTERNAL_STATE_NAME}.handleException(${name});`
-						});
-					}
 				}
 			}
 		} else if (nodeType === 'WithStatement') {

package.json

@@ -13,7 +13,7 @@
     "alcatraz",
     "contextify"
   ],
-  "version": "3.9.16",
+  "version": "3.9.17",
   "main": "index.js",
   "sideEffects": false,
   "repository": "github:patriksimek/vm2",