From 2c29bd5391606e62193c9c595e8df3dcaa817658 Mon Sep 17 00:00:00 2001
From: Lucas Mirelmann <lgalfaso@gmail.com>
Date: Mon, 30 Nov 2015 22:28:45 +0100
Subject: [PATCH] fix($parse): prevent assigning on constructor properties

Prevents assignments on `constructor` properties
---
 src/ng/parse.js      | 17 +++++++++++++----
 test/ng/parseSpec.js |  3 +++
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/ng/parse.js b/src/ng/parse.js
index 01df46857069..9bcd1161cb16 100644
--- a/src/ng/parse.js
+++ b/src/ng/parse.js
@@ -988,6 +988,9 @@ ASTCompiler.prototype = {
       intoId = intoId || this.nextId();
       self.recurse(ast.object, left, undefined, function() {
         self.if_(self.notNull(left), function() {
+          if (create && create !== 1) {
+            self.addEnsureSafeAssignContext(left);
+          }
           if (ast.computed) {
             right = self.nextId();
             self.recurse(ast.property, right);
@@ -1602,8 +1605,11 @@ ASTInterpreter.prototype = {
         rhs = right(scope, locals, assign, inputs);
         rhs = getStringValue(rhs);
         ensureSafeMemberName(rhs, expression);
-        if (create && create !== 1 && lhs && !(lhs[rhs])) {
-          lhs[rhs] = {};
+        if (create && create !== 1) {
+          ensureSafeAssignContext(lhs);
+          if (lhs && !(lhs[rhs])) {
+            lhs[rhs] = {};
+          }
         }
         value = lhs[rhs];
         ensureSafeObject(value, expression);
@@ -1618,8 +1624,11 @@ ASTInterpreter.prototype = {
   nonComputedMember: function(left, right, expensiveChecks, context, create, expression) {
     return function(scope, locals, assign, inputs) {
       var lhs = left(scope, locals, assign, inputs);
-      if (create && create !== 1 && lhs && !(lhs[right])) {
-        lhs[right] = {};
+      if (create && create !== 1) {
+        ensureSafeAssignContext(lhs);
+        if (lhs && !(lhs[right])) {
+          lhs[right] = {};
+        }
       }
       var value = lhs != null ? lhs[right] : undefined;
       if (expensiveChecks || isPossiblyDangerousMemberName(right)) {
diff --git a/test/ng/parseSpec.js b/test/ng/parseSpec.js
index 82c6223e86ae..9eee8fbebecf 100644
--- a/test/ng/parseSpec.js
+++ b/test/ng/parseSpec.js
@@ -2740,6 +2740,9 @@ describe('parser', function() {
           expect(function() {
             scope.$eval("objConstructor = {}.constructor; objConstructor.join = ''");
           }).toThrow();
+          expect(function() {
+            scope.$eval("'a'.constructor.prototype.charAt=[].join");
+          }).toThrow();
         });
       });