From f6d5cdfbd74f2712309f23c952915f4ac7d001d7 Mon Sep 17 00:00:00 2001
From: Bjarki
Date: Wed, 7 Oct 2020 16:43:17 +0000
Subject: [PATCH] fix(core): use Trusted Types policy in named_array_type (#39209)

Address a Trusted Types violation that occurs in createNamedArrayType during development mode. Instead of passing strings directly to "new Function", use the Trusted Types compatible function constructor exposed by the Trusted Types policy.

PR Close #39209
---
 packages/core/src/util/named_array_type.ts | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/packages/core/src/util/named_array_type.ts b/packages/core/src/util/named_array_type.ts
index b4a90c7d15..d5f2d76421 100644
--- a/packages/core/src/util/named_array_type.ts
+++ b/packages/core/src/util/named_array_type.ts
@@ -8,6 +8,7 @@
  */
 import './ng_dev_mode';
+import {newTrustedFunctionForDev} from './security/trusted_types';
 
 /**
  * THIS FILE CONTAINS CODE WHICH SHOULD BE TREE SHAKEN AND NEVER CALLED FROM PRODUCTION CODE!!!
@@ -27,9 +28,10 @@ export function createNamedArrayType(name: string): typeof Array {
   // This should never be called in prod mode, so let's verify that is the case.
   if (ngDevMode) {
     try {
-      // We need to do it this way so that TypeScript does not down-level the below code.
-      const FunctionConstructor: any = createNamedArrayType.constructor;
-      return (new FunctionConstructor('Array', `return class ${name} extends Array{}`))(Array);
+      // If this function were compromised the following could lead to arbitrary
+      // script execution. We bless it with Trusted Types anyway since this
+      // function is stripped out of production binaries.
+      return (newTrustedFunctionForDev('Array', `return class ${name} extends Array{}`))(Array);
     } catch (e) {
       // If it does not work just give up and fall back to regular Array.
       return Array;
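Review bot: The `name` argument is still interpolated unvalidated into the source string handed to `newTrustedFunctionForDev` on the new `return` line, so the Trusted Types blessing removes the CSP violation without constraining what the policy is asked to compile; a `name` that is not a bare identifier would at best throw into the catch branch and fall back to `Array`. A guard ahead of the call, `if (!/^[A-Za-z_$][\w$]*$/.test(name)) return Array;`, keeps this dev-only helper from acting as a sink for any caller-controlled string and costs nothing given the function is stripped from production builds. The added comment's "If this function were compromised" is also ambiguous about whether it means `newTrustedFunctionForDev` or `createNamedArrayType`; naming the one intended would help the next reader, e.g. `// If newTrustedFunctionForDev were compromised ...`. createNamedArrayType's signature is only visible in the hunk header and its body continues past the hunk, so I cannot see whether the caller side already restricts `name`.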