fix(core): use Trusted Types policy in named_array_type (#39209)

Address a Trusted Types violation that occurs in createNamedArrayType
during development mode. Instead of passing strings directly to "new
Function", use the Trusted Types compatible function constructor exposed
by the Trusted Types policy.

PR Close #39209
Bjarki 2020-10-07 16:43:17 +00:00 committed by atscott
parent 5913e5c4e8
commit f6d5cdfbd7
1 changed files with 5 additions and 3 deletions


@ -8,6 +8,7 @@
*/ */
import './ng_dev_mode'; import './ng_dev_mode';
import {newTrustedFunctionForDev} from './security/trusted_types';
/** /**
* THIS FILE CONTAINS CODE WHICH SHOULD BE TREE SHAKEN AND NEVER CALLED FROM PRODUCTION CODE!!! * THIS FILE CONTAINS CODE WHICH SHOULD BE TREE SHAKEN AND NEVER CALLED FROM PRODUCTION CODE!!!
@ -27,9 +28,10 @@ export function createNamedArrayType(name: string): typeof Array {
// This should never be called in prod mode, so let's verify that is the case. // This should never be called in prod mode, so let's verify that is the case.
if (ngDevMode) { if (ngDevMode) {
try { try {
// We need to do it this way so that TypeScript does not down-level the below code. // If this function were compromised the following could lead to arbitrary
const FunctionConstructor: any = createNamedArrayType.constructor; // script execution. We bless it with Trusted Types anyway since this
return (new FunctionConstructor('Array', `return class ${name} extends Array{}`))(Array); // function is stripped out of production binaries.
return (newTrustedFunctionForDev('Array', `return class ${name} extends Array{}`))(Array);
} catch (e) { } catch (e) {
// If it does not work just give up and fall back to regular Array. // If it does not work just give up and fall back to regular Array.
return Array; return Array;
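Review bot: `name` is interpolated unchecked into the function body handed to `newTrustedFunctionForDev`, so the Trusted Types blessing on the new return line rests entirely on the `ngDevMode` guard and on every caller passing a fixed identifier. The new comment says what could happen if the function were compromised, but not the contract that keeps it safe. I would add `// name must be a fixed, developer-chosen identifier; never pass template- or user-derived text here.` above the return, or enforce it with `if (!/^[A-Za-z_$][\w$]*$/.test(name)) return Array;` before the call. The comment this change removes was the only explanation of why a Function constructor is used at all (so TypeScript does not down-level the class), and that rationale is worth keeping next to the new one. The body of createNamedArrayType starts and ends outside this hunk, so any check further down is not visible here.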