svnlabs / google-caja

Automatically exported from code.google.com/p/google-caja

JS minifier (optimizer) transforms comma expressions invalidly #1956

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The minifier incorrectly transforms 
  q = (1,y.z)();
to
  q = y.z();

Additionally, I tried writing the obvious test case for this (in 
JsOptimizerTest.java) and it hung in an infinite loop inside 
ParseTreeKB.optimize:

+  public final void testCommaNotChanged() throws Exception {
+    assertOptimized(
+        js(fromString("q = (1,y.z)();")),
+        js(fromString("q = (1,y.z)();")));
+  }
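Review bot: the test pins down only the exact `(1,y.z)()` shape that was observed; to keep a fix from being over-narrow, consider companion cases in the same test, for instance `q = (0,y.z)();` (a different pure leading operand) and the non-call form `q = (1,y.z);`, since the hazard is specifically that the comma strips the receiver from a call, and the optimizer should be free to simplify the non-call form while preserving the call form.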

This is not currently a vulnerability as we never use the (1,o.m)() form 
statically in any critical location. However, it is a significant hazard for 
future code changes (because we use this pattern in other ways and so it looks 
like a fine thing to do).

Original issue reported on code.google.com by kpreid@google.com on 26 Feb 2015 at 12:54
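Why the rewrite is wrong, as an added example that is not part of the original report or of Caja's code: `(1, y.z)()` evaluates the comma expression to the bare function value, so the call carries no receiver and `this` is `undefined` in strict code, whereas `y.z()` is a member call with `this === y`. The block below demonstrates that difference directly, then models the callee-position rule on a toy AST: a hypothetical safe rule (mine, not the project's) keeps a single pure placeholder operand, `(0, y.z)()`, when the last operand is a member access, and only drops the comma when it is not load-bearing; the naive rule from the report is shown alongside. Node names (`Literal`, `Ident`, `Member`, `Comma`, `Call`) and the sample tree are constructed for this example.

```javascript
// Constructed receiver whose method reports the `this` it was called with.
// The directive is inside the factory so z() is strict regardless of how
// this file is loaded; a strict callee sees `undefined`, not globalThis.
function makeReceiver() {
  'use strict';
  return { z() { return this; } };
}

// The original form: comma yields the function value only, so no receiver.
function callViaComma(y) { return (1, y.z)(); }

// The form the minifier emitted: a member call, so the receiver is y.
function callAsMethod(y) { return y.z(); }

// Toy AST shapes used below:
//   {type:'Literal', value}  {type:'Ident', name}
//   {type:'Member', object, property}  {type:'Comma', operands:[...]}
//   {type:'Call', callee}
function isPure(node) {
  return node.type === 'Literal' || node.type === 'Ident';
}

// Hypothetical safe rule for a call whose callee is a comma expression:
//  - leading operands with possible side effects: leave the node alone;
//  - last operand is a member access: the comma strips the receiver, so it is
//    load-bearing; collapse the pure prefix to a single `0` placeholder;
//  - otherwise the comma changes nothing about `this`, so drop it.
function optimizeCall(call) {
  const callee = call.callee;
  if (callee.type !== 'Comma') return call;
  const ops = callee.operands;
  const last = ops[ops.length - 1];
  if (!ops.slice(0, -1).every(isPure)) return call;
  if (last.type === 'Member') {
    return {
      type: 'Call',
      callee: { type: 'Comma', operands: [{ type: 'Literal', value: 0 }, last] },
    };
  }
  return { type: 'Call', callee: last };
}

// The naive rule the report describes: always take the last operand.
function unsafeOptimizeCall(call) {
  const callee = call.callee;
  if (callee.type !== 'Comma') return call;
  return { type: 'Call', callee: callee.operands[callee.operands.length - 1] };
}

// Render a toy AST back to source so the result can be read and executed.
function render(node) {
  switch (node.type) {
    case 'Literal': return String(node.value);
    case 'Ident': return node.name;
    case 'Member': return render(node.object) + '.' + node.property;
    case 'Comma': return '(' + node.operands.map(render).join(',') + ')';
    case 'Call': return render(node.callee) + '()';
    default: throw new Error('unknown node type ' + node.type);
  }
}

// `(1,y.z)()` as a constructed toy AST.
const sample = {
  type: 'Call',
  callee: {
    type: 'Comma',
    operands: [
      { type: 'Literal', value: 1 },
      { type: 'Member', object: { type: 'Ident', name: 'y' }, property: 'z' },
    ],
  },
};

// Execute rendered source in a strict function scope and return the receiver
// that y.z observed (undefined means "no receiver").
function receiverSeenBy(src, y) {
  return new Function('y', '"use strict"; return ' + src + ';')(y);
}

if (typeof require !== 'undefined' && require.main === module) {
  const y = makeReceiver();
  console.log('original  ', render(sample), '-> this === y ?', receiverSeenBy(render(sample), y) === y);
  console.log('safe      ', render(optimizeCall(sample)), '-> this === y ?', receiverSeenBy(render(optimizeCall(sample)), y) === y);
  console.log('naive     ', render(unsafeOptimizeCall(sample)), '-> this === y ?', receiverSeenBy(render(unsafeOptimizeCall(sample)), y) === y);
}
```

The safe rule still shrinks `(1,y.z)()` to `(0,y.z)()`, which is what hand-written code in this style normally uses, while the naive rule changes the receiver that `z` observes, which is exactly the hazard the report warns about.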

GoogleCodeExporter commented 9 years ago
Fixed at r5713

https://code.google.com/p/google-caja/source/detail?r=5713

Original comment by mikesamuel@gmail.com on 26 Feb 2015 at 9:07