fix(*): protect calls to hasOwnProperty in public API

Objects received from outside AngularJS may have had their `hasOwnProperty`
method overridden with something else. In cases where we can do this without
incurring a performance penalty we call directly on Object.prototype.hasOwnProperty
to ensure that we use the correct method.

Also, we have some internal hash objects, where the keys for the map are provided
from outside AngularJS. In such cases we either prevent `hasOwnProperty` from
being used as a key or provide some other way of preventing our objects from
having their `hasOwnProperty` overridden.

BREAKING CHANGE: Inputs with name equal to "hasOwnProperty" are not allowed inside
form or ngForm directives.

Before, inputs whose name was "hasOwnProperty" were quietly ignored and not added
to the scope.  Now a badname exception is thrown.

Using "hasOwnProperty" for an input name would be very unusual and bad practice.
Either do not include such an input in a `form` or `ngForm` directive or change
the name of the input.

Closes #3331

11 files changed, 122 insertions, 0 deletions

diff --git a/test/AngularSpec.js b/test/AngularSpec.js
index a97c7591..c1914947 100644
--- a/test/AngularSpec.js
+++ b/test/AngularSpec.js
@@ -417,6 +417,20 @@ describe('angular', function() {
     });
 
 
+    it('should not break if obj is an array we override hasOwnProperty', function() {
+      var obj = [];
+      obj[0] = 1;
+      obj[1] = 2;
+      obj.hasOwnProperty = null;
+      var log = [];
+      forEach(obj, function(value, key) {
+        log.push(key + ':' + value);
+      });
+      expect(log).toEqual(['0:1', '1:2']);
+    });
+
+
+
     it('should handle JQLite and jQuery objects like arrays', function() {
       var jqObject = jqLite("<p><span>s1</span><span>s2</span></p>").find("span"),
           log = [];
diff --git a/test/auto/injectorSpec.js b/test/auto/injectorSpec.js
index f010fc91..5c186cf1 100644
--- a/test/auto/injectorSpec.js
+++ b/test/auto/injectorSpec.js
@@ -295,6 +295,24 @@ describe('injector', function() {
     });
 
     describe('$provide', function() {
+
+      it('should throw an exception if we try to register a service called "hasOwnProperty"', function() {
+        createInjector([function($provide) {
+          expect(function() {
+            $provide.provider('hasOwnProperty', function() {  });
+          }).toThrowMinErr('ng', 'badname');
+        }]);
+      });
+
+      it('should throw an exception if we try to register a constant called "hasOwnProperty"', function() {
+        createInjector([function($provide) {
+          expect(function() {
+            $provide.constant('hasOwnProperty', {});
+          }).toThrowMinErr('ng', 'badname');
+        }]);
+      });
+
+
       describe('constant', function() {
         it('should create configuration injectable constants', function() {
           var log = [];
diff --git a/test/loaderSpec.js b/test/loaderSpec.js
index 302852cb..2a564115 100644
--- a/test/loaderSpec.js
+++ b/test/loaderSpec.js
@@ -72,4 +72,10 @@ describe('module loader', function() {
             "or forgot to load it. If registering a module ensure that you specify the dependencies as the second " +
             "argument.");
   });
+
+  it('should complain if a module is called "hasOwnProperty', function() {
+    expect(function() {
+      window.angular.module('hasOwnProperty', []);
+    }).toThrowMinErr('ng','badname', "hasOwnProperty is not a valid module name");
+  });
 });
diff --git a/test/ng/compileSpec.js b/test/ng/compileSpec.js
index 5e28c62b..1e6f6e26 100755
--- a/test/ng/compileSpec.js
+++ b/test/ng/compileSpec.js
@@ -117,6 +117,15 @@ describe('$compile', function() {
         expect(log).toEqual('pre1; pre2; post2; post1');
       });
     });
+
+    it('should throw an exception if a directive is called "hasOwnProperty"', function() {
+      module(function() {
+        expect(function() {
+          directive('hasOwnProperty', function() { });
+        }).toThrowMinErr('ng','badname', "hasOwnProperty is not a valid directive name");
+      });
+      inject(function($compile) {});
+    });
   });
 
 
diff --git a/test/ng/controllerSpec.js b/test/ng/controllerSpec.js
index 2a9922c6..4f94402f 100644
--- a/test/ng/controllerSpec.js
+++ b/test/ng/controllerSpec.js
@@ -57,6 +57,13 @@ describe('$controller', function() {
       expect(scope.foo).toBe('bar');
       expect(ctrl instanceof FooCtrl).toBe(true);
     });
+
+
+    it('should throw an exception if a controller is called "hasOwnProperty"', function () {
+      expect(function() {
+        $controllerProvider.register('hasOwnProperty', function($scope) {});
+      }).toThrowMinErr('ng', 'badname', "hasOwnProperty is not a valid controller name");
+    });
   });
 
 
diff --git a/test/ng/directive/formSpec.js b/test/ng/directive/formSpec.js
index fb64fdb3..53fd3d90 100644
--- a/test/ng/directive/formSpec.js
+++ b/test/ng/directive/formSpec.js
@@ -137,6 +137,18 @@ describe('form', function() {
   });
 
 
+  it('should throw an exception if an input has name="hasOwnProperty"', function() {
+    doc = jqLite(
+      '<form name="form">'+
+        '<input name="hasOwnProperty" ng-model="some" />'+
+        '<input name="other" ng-model="someOther" />'+
+      '</form>');
+      expect(function() {
+	    $compile(doc)(scope);
+      }).toThrowMinErr('ng', 'badname');
+  });
+
+
   describe('preventing default submission', function() {
 
     it('should prevent form submission', function() {
diff --git a/test/ng/directive/ngRepeatSpec.js b/test/ng/directive/ngRepeatSpec.js
index 72035566..4cf79dbf 100644
--- a/test/ng/directive/ngRepeatSpec.js
+++ b/test/ng/directive/ngRepeatSpec.js
@@ -137,6 +137,14 @@ describe('ngRepeat', function() {
     });
 
 
+    it("should throw an exception if 'track by' evaluates to 'hasOwnProperty'", function() {
+      scope.items = {age:20};
+      $compile('<div ng-repeat="(key, value) in items track by \'hasOwnProperty\'"></div>')(scope);
+      scope.$digest();
+      expect($exceptionHandler.errors.shift().message).toMatch(/ng:badname/);
+    });
+
+
     it('should track using build in $id function', function() {
       element = $compile(
           '<ul>' +
diff --git a/test/ng/directive/selectSpec.js b/test/ng/directive/selectSpec.js
index 584fe614..85acba19 100644
--- a/test/ng/directive/selectSpec.js
+++ b/test/ng/directive/selectSpec.js
@@ -1247,5 +1247,15 @@ describe('select', function() {
       expect(element.find('span').text()).toBe('success');
       dealoc(element);
     }));
+
+    it('should throw an exception if an option value interpolates to "hasOwnProperty"', function() {
+      scope.hasOwnPropertyOption = "hasOwnProperty";
+      expect(function() {
+        compile('<select ng-model="x">'+
+                  '<option>{{hasOwnPropertyOption}}</option>'+
+                '</select>');
+      }).toThrowMinErr('ng','badname', 'hasOwnProperty is not a valid "option value" name');
+    });
+
   });
 });
diff --git a/test/ng/parseSpec.js b/test/ng/parseSpec.js
index 87cc79af..19182332 100644
--- a/test/ng/parseSpec.js
+++ b/test/ng/parseSpec.js
@@ -351,6 +351,26 @@ describe('parser', function() {
         expect(scope.$eval('toString()', scope)).toBe('custom toString');
       });
 
+      it('should not break if hasOwnProperty is referenced in an expression', function() {
+        scope.obj = { value: 1};
+        // By evaluating an expression that calls hasOwnProperty, the getterFnCache
+        // will store a property called hasOwnProperty.  This is effectively:
+        // getterFnCache['hasOwnProperty'] = null
+        scope.$eval('obj.hasOwnProperty("value")');
+        // If we rely on this property then evaluating any expression will fail
+        // because it is not able to find out if obj.value is there in the cache
+        expect(scope.$eval('obj.value')).toBe(1);
+      });
+
+      it('should not break if the expression is "hasOwnProperty"', function() {
+        scope.fooExp = 'barVal';
+        // By evaluating hasOwnProperty, the $parse cache will store a getter for
+        // the scope's own hasOwnProperty function, which will mess up future cache look ups.
+        // i.e. cache['hasOwnProperty'] = function(scope) { return scope.hasOwnProperty; }
+        scope.$eval('hasOwnProperty');
+        expect(scope.$eval('fooExp')).toBe('barVal');
+      });
+
       it('should evaluate grouped expressions', function() {
         expect(scope.$eval("(1+2)*3")).toEqual((1+2)*3);
       });
diff --git a/test/ngMock/angular-mocksSpec.js b/test/ngMock/angular-mocksSpec.js
index e506e608..1a4290e0 100644
--- a/test/ngMock/angular-mocksSpec.js
+++ b/test/ngMock/angular-mocksSpec.js
@@ -1,5 +1,7 @@
 'use strict';
 
+var msie = +((/msie (\d+)/.exec(navigator.userAgent.toLowerCase()) || [])[1]);
+
 describe('ngMock', function() {
   var noop = angular.noop;
 
@@ -448,6 +450,15 @@ describe('ngMock', function() {
       expect(d($rootScope)).toMatch(/Scope\(.*\): \{/);
       expect(d($rootScope)).toMatch(/{"abc":"123"}/);
     }));
+
+    it('should serialize scope that has overridden "hasOwnProperty"', inject(function($rootScope){
+      // MS IE8 just doesn't work for this kind of thing, since "for ... in" doesn't return
+      // things like hasOwnProperty even if it is explicitly defined on the actual object!
+      if (msie<=8) return;
+      $rootScope.hasOwnProperty = 'X';
+      expect(d($rootScope)).toMatch(/Scope\(.*\): \{/);
+      expect(d($rootScope)).toMatch(/hasOwnProperty: "X"/);
+    }));
   });
 
 
diff --git a/test/ngResource/resourceSpec.js b/test/ngResource/resourceSpec.js
index 550b4432..d13156b3 100644
--- a/test/ngResource/resourceSpec.js
+++ b/test/ngResource/resourceSpec.js
@@ -242,6 +242,13 @@ describe("resource", function() {
   });
 
 
+  it('should throw an exception if a param is called "hasOwnProperty"', function() {
+     expect(function() {
+      $resource('/:hasOwnProperty').get();
+     }).toThrowMinErr('$resource','badname', "hasOwnProperty is not a valid parameter name");
+  });
+
+
   it("should create resource", function() {
     $httpBackend.expect('POST', '/CreditCard', '{"name":"misko"}').respond({id: 123, name: 'misko'});