Merge pull request #414 from XmiliaH/release-3.9.9

Prepare release 3.9.9

Author: XmiliaH

CHANGELOG.md

@@ -1,4 +1,8 @@
-v3.9.8 (2022-92-16)
+v3.9.9 (2022-02-24)
+-------------------
+[fix] Bump parser ECMA version to 2022.  
+
+v3.9.8 (2022-02-16)
 -------------------
 [fix] Add function type check for arguments, caller, and callee property check (GeoffRen)  
 [fix] Fix find best extension handler  

package.json

@@ -13,7 +13,7 @@
     "alcatraz",
     "contextify"
   ],
-  "version": "3.9.8",
+  "version": "3.9.9",
   "main": "index.js",
   "sideEffects": false,
   "repository": "github:patriksimek/vm2",

test/vm.js

@@ -5,6 +5,7 @@
 
 const assert = require('assert');
 const {VM, VMScript} = require('..');
+const {INTERNAL_STATE_NAME} = require('../lib/transformer');
 const NODE_VERSION = parseInt(process.versions.node.split('.')[0]);
 const {inspect} = require('util');
 
@@ -659,6 +660,16 @@ describe('VM', () => {
 		`));
 	});
 
+	it('internal state attack', () => {
+		const vm2 = new VM();
+		assert.throws(() => vm2.run(`${INTERNAL_STATE_NAME}=1;`), /Use of internal vm2 state variable/);
+		assert.throws(() => vm2.run(`const ${INTERNAL_STATE_NAME} = {};`), /Use of internal vm2 state variable/);
+		assert.throws(() => vm2.run(`var ${INTERNAL_STATE_NAME} = {};`), /Use of internal vm2 state variable/);
+		assert.throws(() => vm2.run(`let ${INTERNAL_STATE_NAME} = {};`), /Use of internal vm2 state variable/);
+		assert.throws(() => vm2.run(`class ${INTERNAL_STATE_NAME} {};`), /Use of internal vm2 state variable/);
+		assert.throws(() => vm2.run(`function ${INTERNAL_STATE_NAME} () {};`), /Use of internal vm2 state variable/);
+	});
+
 	it('buffer attack', () => {
 		const vm2 = new VM();