From 0106bcd3689828f42ecc502680dbe46d72910442 Mon Sep 17 00:00:00 2001
From: Liam Newman
Date: Tue, 18 May 2021 13:04:29 -0700
Subject: [PATCH] Further mitigation of #1736
---
 lib/handlebars/runtime.js | 20 ++++++++++++++++++--
 spec/security.js | 4 ++++
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/lib/handlebars/runtime.js b/lib/handlebars/runtime.js
index 5f73897a1..a06e2cb57 100644
--- a/lib/handlebars/runtime.js
+++ b/lib/handlebars/runtime.js
@@ -69,12 +69,28 @@ export function template(templateSpec, env) {
 if (!(name in obj)) {
 throw new Exception('"' + name + '" not defined in ' + obj);
 }
- return obj[name];
+ return container.lookupProperty(obj, name);
+ },
+ lookupProperty: function(parent, propertyName) {
+ let result = parent[propertyName];
+ if (result == null) {
+ return result;
+ }
+ if (Object.prototype.hasOwnProperty.call(parent, propertyName)) {
+ return result;
+ }
+
+ if (!Utils.dangerousPropertyRegex.test(String(propertyName))) {
+ return result;
+ }
+
+ return undefined;
 },
 lookup: function(depths, name) {
 const len = depths.length;
 for (let i = 0; i < len; i++) {
- if (depths[i] && depths[i][name] != null) {
+ let result = depths[i] && container.lookupProperty(depths[i], name);
+ if (result != null) {
 return depths[i][name];
 }
 }
diff --git a/spec/security.js b/spec/security.js
index 3f64f3c13..b3f860582 100644
--- a/spec/security.js
+++ b/spec/security.js
@@ -2,6 +2,10 @@ describe('security issues', function() {
 describe('GH-1495: Prevent Remote Code Execution via constructor', function() {
 checkPropertyAccess({});
 
+ describe('in compat-mode', function() {
+ checkPropertyAccess({ compat: true });
+ });
+
 describe('in strict-mode', function() {
 checkPropertyAccess({ strict: true });
 });
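Review bot: In `lookup`, the value that is checked and the value that is returned come from two separate property reads: `result` is obtained through `container.lookupProperty(depths[i], name)`, but the branch still ends in `return depths[i][name];`. For a plain data property the two agree, but a getter or Proxy on a context object is evaluated twice and the second read does not go through the check just made, so the function should return what it vetted: `const result = depths[i] && container.lookupProperty(depths[i], name);` followed by `return result;`. Separately, `lookupProperty` would benefit from a short comment such as `// own properties are always returned; inherited ones only when the name does not match Utils.dangerousPropertyRegex`, because the order of its three checks is the whole mitigation and the regex is defined outside this hunk. The enclosing `container` object starts and ends outside the hunk.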