Skip to content
This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

$processModelValue() cannot pass objects through $formatters properly #17019

Open
1 of 4 tasks
alutsky opened this issue Apr 23, 2020 · 2 comments
Open
1 of 4 tasks

$processModelValue() cannot pass objects through $formatters properly #17019

alutsky opened this issue Apr 23, 2020 · 2 comments

Comments

@alutsky
Copy link

alutsky commented Apr 23, 2020

I'm submitting a ...

  • regression from 1.7.0
  • security issue
  • issue caused by a new browser version
  • other: .

Current behavior:
Currently, $setViewValue(value) function accepts objects as a value, but requires them to be a angular.copy of the previous object - since otherwise it will not detect the change (no deep comparison). This is expected and documented behaviour. The opposite function, however, $processModelValue() function cannot properly process the $modelValue which is an object (an end result of the $setViewValue(object) function above), even though it implicitly should. It improperly treats it as a simple type, and within the $$format() function makes new $viewValue and $modelValue be the two references to the same object with properties - and therefore all $formatters also affect $modelValue where they should not - which affects $validators and causes them to fail where they should succeed.

This means that $modelValue object is being stored directly from user input, circumventing parsers altogether - which is a security concern.

Expected behavior:
The $processModelValue() and consequently $$format() functions should properly detect if the $modelValue is an object, and ensure that formatters only act on a copy of the original $modelValue object, which copy the $$format() function should return.

Minimal reproduction of the problem with instructions:

AngularJS version: 1.7.9

Browser: should be affecting ALL browsers, explicitly observed in Chrome 81

Anything else:
Can be fixed by replacing the line 1042 of ngModel.js file:
From:
var viewValue = this.$modelValue;
To:
var viewValue = angular.copy(this.$modelValue);
@alutsky
Copy link
Author

alutsky commented Apr 23, 2020

To add possible locations where object handling is broken:
Line 707 of ngModel.js (within commitViewValue() function)
From:
var viewValue = this.$viewValue;
To:
var viewValue = angular.copy(this.$viewValue);

Line 728 of ngModel.js (within $$parseAndValidate() function)
From:
var viewValue = this.$$lastCommittedViewValue;
To:
var viewValue = angular.copy(this.$$lastCommittedViewValue);

@gkalpak
Copy link
Member

gkalpak commented Apr 27, 2020

Given that AngularJS is in Long-Term Support mode (see here for details), I am afraid we are not going to fix this kind of issues (even if it might be a valid issue).

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gkalpak @alutsky