Look up HostObject computed properties on the right object in the prototype chain.

Summary: The change in the hermes repository fixes the security vulnerability CVE-2020-1911. This vulnerability only affects applications which allow evaluation of uncontrolled, untrusted JavaScript code not shipped with the app, so React Native apps will generally not be affected. This revision includes a test for the bug. The test is generic JSI code, so it is included in the hermes and react-native repositories. Changelog: [Internal] Reviewed By: tmikov Differential Revision: D23322992 (0dee0e6036) fbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a
2020-08-25 20:36:45 -07:00 · 2020-08-25 20:36:45 -07:00 · 525e55f898
--- a/ReactCommon/jsi/jsi/test/testlib.cpp
+++ b/ReactCommon/jsi/jsi/test/testlib.cpp
@ -394,6 +394,23 @@ TEST_P(JSITest, HostObjectTest) {
                   .getBool());
 }

+TEST_P(JSITest, HostObjectProtoTest) {
+  class ProtoHostObject : public HostObject {
+    Value get(Runtime& rt, const PropNameID&) override {
+      return String::createFromAscii(rt, "phoprop");
+    }
+  };
+
+  rt.global().setProperty(
+      rt,
+      "pho",
+      Object::createFromHostObject(rt, std::make_shared<ProtoHostObject>()));
+
+  EXPECT_EQ(
+      eval("({__proto__: pho})[Symbol.toPrimitive]").getString(rt).utf8(rt),
+      "phoprop");
+}
+
 TEST_P(JSITest, ArrayTest) {
  eval("x = {1:2, '3':4, 5:'six', 'seven':['eight', 'nine']}");