Fix for/in iteration over proxy objects (#241)

2023-12-30 22:47:32 +01:00 · 2023-12-30 22:47:32 +01:00 · 9f9bf3c9ab
commit 9f9bf3c9ab
parent b5d6cea20e
2 changed files with 25 additions and 2 deletions
--- a/quickjs.c
+++ b/quickjs.c
@ -13387,8 +13387,14 @@ static __exception int js_for_in_next(JSContext *ctx, JSValue *sp)
            if (prop == JS_ATOM_NULL || !(prs->flags & JS_PROP_ENUMERABLE))
                continue;
        }
-        /* check if the property was deleted */
-        ret = JS_HasProperty(ctx, it->obj, prop);
+        // check if the property was deleted unless we're dealing with a proxy
+        JSValue obj = it->obj;
+        if (JS_VALUE_GET_TAG(obj) == JS_TAG_OBJECT) {
+            JSObject *p = JS_VALUE_GET_OBJ(obj);
+            if (p->class_id == JS_CLASS_PROXY)
+                break;
+        }
+        ret = JS_HasProperty(ctx, obj, prop);
        if (ret < 0)
            return ret;
        if (ret)
--- a/tests/test_builtin.js
+++ b/tests/test_builtin.js
@ -829,6 +829,22 @@ function test_generator()
    assert(v.value === 6 && v.done === true);
 }

+function test_proxy_iter()
+{
+    const p = new Proxy({}, {
+        getOwnPropertyDescriptor() {
+            return {configurable: true, enumerable: true, value: 42};
+        },
+        ownKeys() {
+            return ["x", "y"];
+        },
+    });
+    const a = [];
+    for (const x in p) a.push(x);
+    assert(a[0], "x");
+    assert(a[1], "y");
+}
+
 /* CVE-2023-31922 */
 function test_proxy_is_array()
 {
@ -865,6 +881,7 @@ test_map();
 test_weak_map();
 test_weak_set();
 test_generator();
+test_proxy_iter();
 test_proxy_is_array();
 test_exception_source_pos();
 test_function_source_pos();