fix($parse): allow assignment on objects in locals

Fixes angular#4664

Author: jbedard

src/ng/directive/form.js

@@ -489,19 +489,19 @@ var formDirectiveFactory = function(isNgForm) {
                 alias = controller.$name;
 
             if (alias) {
-              setter(scope, alias, controller, alias);
+              setter(scope, null, alias, controller, alias);
               attr.$observe(attr.name ? 'name' : 'ngForm', function(newValue) {
                 if (alias === newValue) return;
-                setter(scope, alias, undefined, alias);
+                setter(scope, null, alias, undefined, alias);
                 alias = newValue;
-                setter(scope, alias, controller, alias);
+                setter(scope, null, alias, controller, alias);
                 parentFormCtrl.$$renameControl(controller, alias);
               });
             }
             formElement.on('$destroy', function() {
               parentFormCtrl.$removeControl(controller);
               if (alias) {
-                setter(scope, alias, undefined, alias);
+                setter(scope, null, alias, undefined, alias);
               }
               extend(controller, nullFormCtrl); //stop propagating child destruction handlers upwards
             });

src/ng/parse.js

@@ -664,7 +664,7 @@ Parser.prototype = {
       assign: function(scope, value, locals) {
         var o = object(scope, locals);
         if (!o) object.assign(scope, o = {});
-        return setter(o, field, value, expression);
+        return setter(o, null, field, value, expression);
       }
     });
   },
@@ -799,18 +799,19 @@ Parser.prototype = {
 // Parser helper functions
 //////////////////////////////////////////////////
 
-function setter(obj, path, setValue, fullExp) {
+function setter(obj, locals, path, setValue, fullExp) {
   ensureSafeObject(obj, fullExp);
+  ensureSafeObject(locals, fullExp);
 
   var element = path.split('.'), key;
   for (var i = 0; element.length > 1; i++) {
     key = ensureSafeMemberName(element.shift(), fullExp);
-    var propertyObj = ensureSafeObject(obj[key], fullExp);
+    var propertyObj = (i === 0 && locals && locals[key]) || obj[key];
     if (!propertyObj) {
       propertyObj = {};
       obj[key] = propertyObj;
     }
-    obj = propertyObj;
+    obj = ensureSafeObject(propertyObj, fullExp);
   }
   key = ensureSafeMemberName(element.shift(), fullExp);
   ensureSafeObject(obj[key], fullExp);
@@ -937,8 +938,8 @@ function getterFn(path, options, fullExp) {
   }
 
   fn.sharedGetter = true;
-  fn.assign = function(self, value) {
-    return setter(self, path, value, path);
+  fn.assign = function(self, value, locals) {
+    return setter(self, locals, path, value, path);
   };
   getterFnCache[path] = fn;
   return fn;

test/ng/parseSpec.js

@@ -488,6 +488,24 @@ describe('parser', function() {
         expect(scope.b).toEqual(234);
       });
 
+      it('should allow passing object as locals to the left part of an assignment expression', inject(function($rootScope) {
+        var ob = {};
+        $rootScope.scopedValue = 1;
+        $rootScope.$eval('a.value = scopedValue', {a: ob});
+        expect(ob.value).toBe(1);
+        expect($rootScope.a).toBeUndefined();
+      }));
+
+      it('should ignore locals beyond the root object of an assignment expression', inject(function($rootScope) {
+        var ob = {};
+        var locals = {a: ob};
+        $rootScope.scopedValue = 1;
+        $rootScope.$eval('a.value = scopedValue', locals);
+        expect(ob.value).toBe(1);
+        expect(ob.b).toBeUndefined();
+        expect($rootScope.b).toBeUndefined();
+      }));
+
         it('should evaluate assignments in ternary operator', function() {
           scope.$eval('a = 1 ? 2 : 3');
           expect(scope.a).toBe(2);
@@ -799,6 +817,12 @@ describe('parser', function() {
             }).toThrowMinErr(
                     '$parse', 'isecfn', 'Referencing Function in Angular expressions is disallowed! ' +
                     'Expression: a.toString.constructor');
+
+            expect(function() {
+              scope.$eval("c.a = 1", {c: Function.prototype.constructor});
+            }).toThrowMinErr(
+                    '$parse', 'isecfn', 'Referencing Function in Angular expressions is disallowed! ' +
+                    'Expression: c.a');
           });
 
           it('should disallow traversing the Function object in a setter: E02', function() {
@@ -933,6 +957,14 @@ describe('parser', function() {
                     '$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
                     'Expression: foo["bar"]["keys"](foo)');
           });
+
+          it('should NOT allow access to Object constructor in assignment locals', function() {
+            expect(function() {
+              scope.$eval("O.constructor.a = 1", {O: Object});
+            }).toThrowMinErr(
+                    '$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
+                    'Expression: O.constructor.a');
+          });
         });
 
         describe('Window and $element/node', function() {