Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(1939)

Issue 202030043: Protect against hidden intrinsics (Closed)

Can't Edit
Can't Publish+Mail
Start Review
Created:
9 years, 1 month ago by MarkM
Modified:
9 years ago
Reviewers:
Mark S. Miller, kpreid2
CC:
caja-discuss-undisclosed_googlegroups.com, felix8a, ihab.awad, Jasvir, kpreid2, metaweta, MikeSamuel, pennymac, MarkM
Base URL:
http://google-caja.googlecode.com/svn/trunk/
Visibility:
Public.

Description

https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own property traversal from roots. We've already encountered and fixed the issue with %ThrowTypeError% (nee [[ThrowTypeError]]) escaping the whitelist cleaning. Since it was also (in violation of the spec) not frozen, this caused a loss of isolation. In ES5, this was the only object that could cause this problem. Now that we are whitelisting some ES6-only objects, we need to be more vigilant about providing access to other intrinsics that we may not have cleaned. The specific case I just found is that the named typed array constructors, such as Float32Array, are speced to inherit from the %TypedArray% intrinsic, which is not otherwise reachable. It was thus escaping our whitelist-based cleaning. The above summary of the problem is from https://code.google.com/p/google-caja/issues/detail?id=1953 , which this CL attempts to fix by generalizing the mechanism we were already using for %ThrowTypeError%. We add to cajaVM an intrinsics object, move %ThrowTypeError% from cajaVM['[[ThrowTypeError]]'] to cajaVM.instrinsics.ThrowTypeError, add cajaVM.intrinsics.TypedArray if it seems to be present, and list all not-otherwise-reachable ES6 instrinsics in the whitelist.

Patch Set 1 #

Total comments: 21

Patch Set 2 : Protect against hidden intrinsics #

Patch Set 3 : Protect against hidden intrinsics #

Total comments: 2

Patch Set 4 : Protect against hidden intrinsics #

Patch Set 5 : Protect against hidden intrinsics #

Patch Set 6 : Protect against hidden intrinsics #

Patch Set 7 : Protect against hidden intrinsics #

Patch Set 8 : Protect against hidden intrinsics #

Patch Set 9 : Protect against hidden intrinsics #

Patch Set 10 : Protect against hidden intrinsics #

Total comments: 41

Patch Set 11 : Protect against hidden intrinsics #

Patch Set 12 : Protect against hidden intrinsics #

Patch Set 13 : Protect against hidden intrinsics #

Patch Set 14 : Protect against hidden intrinsics #

Patch Set 15 : Protect against hidden intrinsics #

Patch Set 16 : Protect against hidden intrinsics #

Patch Set 17 : Protect against hidden intrinsics #

Patch Set 18 : Protect against hidden intrinsics #

Total comments: 16

Patch Set 19 : Protect against hidden intrinsics #

Total comments: 6

Patch Set 20 : Protect against hidden intrinsics #

Patch Set 21 : Protect against hidden intrinsics #

Unified diffs Side-by-side diffs Delta from patch set Stats (+855 lines, -160 lines) Patch
M src/com/google/caja/ses/repairES5.js View 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 14 chunks +570 lines, -49 lines 0 comments Download
M src/com/google/caja/ses/startSES.js View 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 12 chunks +173 lines, -86 lines 0 comments Download
M src/com/google/caja/ses/whitelist.js View 1 2 3 4 5 6 7 8 9 10 11 12 13 14 4 chunks +52 lines, -18 lines 0 comments Download
M tests/com/google/caja/plugin/test-scan-core.js View 1 2 3 4 5 6 7 8 9 10 11 12 1 chunk +5 lines, -1 line 0 comments Download
M tests/com/google/caja/plugin/test-scan-guest.js View 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 5 chunks +55 lines, -6 lines 0 comments Download

Messages

Total messages: 45
MarkM
9 years, 1 month ago (2015-02-15 05:25:46 UTC) #1
MarkM
On 2015/02/15 05:25:46, MarkM wrote: Kevin, test-scan-guest is still failing due to new coverage gaps. ...
9 years, 1 month ago (2015-02-15 05:28:12 UTC) #2
kpreid2
Regarding the scan problems, the following should be mostly sufficient for the new gaps. Please ...
9 years, 1 month ago (2015-02-15 21:59:48 UTC) #3
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-16 00:28:47 UTC) #4
MarkM
> Regarding the scan problems, the following should be mostly sufficient for the > new ...
9 years, 1 month ago (2015-02-16 00:32:08 UTC) #5
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-16 00:42:29 UTC) #6
MarkM
>> Regarding the scan problems, the following should be mostly sufficient for the >> new ...
9 years, 1 month ago (2015-02-16 01:00:22 UTC) #7
kpreid2
https://codereview.appspot.com/202030043/diff/1/src/com/google/caja/ses/startSES.js File src/com/google/caja/ses/startSES.js (right): https://codereview.appspot.com/202030043/diff/1/src/com/google/caja/ses/startSES.js#newcode1693 src/com/google/caja/ses/startSES.js:1693: * Removes finds all properties to be removed starting ...
9 years, 1 month ago (2015-02-16 01:04:56 UTC) #8
MarkM
https://codereview.appspot.com/202030043/diff/1/src/com/google/caja/ses/startSES.js File src/com/google/caja/ses/startSES.js (right): https://codereview.appspot.com/202030043/diff/1/src/com/google/caja/ses/startSES.js#newcode1693 src/com/google/caja/ses/startSES.js:1693: * Removes finds all properties to be removed starting ...
9 years, 1 month ago (2015-02-16 01:38:02 UTC) #9
kpreid2
Forgot one critical thing... https://codereview.appspot.com/202030043/diff/40001/src/com/google/caja/ses/whitelist.js File src/com/google/caja/ses/whitelist.js (right): https://codereview.appspot.com/202030043/diff/40001/src/com/google/caja/ses/whitelist.js#newcode117 src/com/google/caja/ses/whitelist.js:117: IteratorPrototype: {}, This part of ...
9 years, 1 month ago (2015-02-16 01:58:15 UTC) #10
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-16 04:51:31 UTC) #11
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-16 05:03:23 UTC) #12
MarkM
I added all the not-otherwise-named intrinsics except for %MapIteratorPrototype% and %SetIteratorPrototype%. These are clearly not ...
9 years, 1 month ago (2015-02-16 05:18:06 UTC) #13
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-16 05:27:25 UTC) #14
MarkM
ant runtests reveals problems, both coverage gaps and some more serious. Thus, this is again ...
9 years, 1 month ago (2015-02-16 05:39:25 UTC) #15
kpreid1
On Feb 15, 2015, at 21:39, erights@gmail.com wrote: > ant runtests reveals problems, both coverage ...
9 years, 1 month ago (2015-02-16 15:38:01 UTC) #16
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-19 00:46:39 UTC) #17
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-19 02:35:48 UTC) #18
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-20 03:06:30 UTC) #19
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-20 03:09:31 UTC) #20
MarkM
New snapshot. Everything ready for review except the coverage tester. Please do review -- the ...
9 years, 1 month ago (2015-02-20 03:13:31 UTC) #21
metaweta
Do we care about SES on Rhino? It supports E4X, so there's an undeniable XML.prototype. ...
9 years, 1 month ago (2015-02-20 03:46:09 UTC) #22
Mark S. Miller
We actually test for e4x (STRICT_E4X_LITERALS_ALLOWED) and refuse to run if it is supported, so ...
9 years, 1 month ago (2015-02-20 04:04:31 UTC) #23
kpreid2
https://codereview.appspot.com/202030043/diff/180001/src/com/google/caja/ses/repairES5.js File src/com/google/caja/ses/repairES5.js (right): https://codereview.appspot.com/202030043/diff/180001/src/com/google/caja/ses/repairES5.js#newcode650 src/com/google/caja/ses/repairES5.js:650: // ignore Please add a stronger verification here that ...
9 years, 1 month ago (2015-02-20 22:02:38 UTC) #24
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-20 22:19:28 UTC) #25
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-20 22:33:18 UTC) #26
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-21 00:00:01 UTC) #27
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-21 02:32:59 UTC) #28
MarkM
Not yet ready for review. Soon. https://codereview.appspot.com/202030043/diff/180001/src/com/google/caja/ses/repairES5.js File src/com/google/caja/ses/repairES5.js (right): https://codereview.appspot.com/202030043/diff/180001/src/com/google/caja/ses/repairES5.js#newcode650 src/com/google/caja/ses/repairES5.js:650: // ignore On ...
9 years, 1 month ago (2015-02-21 02:34:25 UTC) #29
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-21 03:07:26 UTC) #30
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-21 18:31:14 UTC) #31
MarkM
New snapshot with repair for https://bugs.webkit.org/show_bug.cgi?id=141865 , where Object.prototype.__proto__ getter and setter act as sloppy ...
9 years, 1 month ago (2015-02-21 18:46:40 UTC) #32
MarkM
As of this snapshot, FF Nightly 38.0a1 (2015-02-20) fails test-scan-guest with Coverage gap: No non-throwing ...
9 years, 1 month ago (2015-02-21 18:53:01 UTC) #33
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-22 00:46:42 UTC) #34
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-22 00:54:23 UTC) #35
kpreid2
https://codereview.appspot.com/202030043/diff/340001/src/com/google/caja/ses/repairES5.js File src/com/google/caja/ses/repairES5.js (right): https://codereview.appspot.com/202030043/diff/340001/src/com/google/caja/ses/repairES5.js#newcode642 src/com/google/caja/ses/repairES5.js:642: * uncondition in the test of the code. unconditional ...
9 years, 1 month ago (2015-02-22 01:21:51 UTC) #36
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-22 21:37:06 UTC) #37
MarkM
New snapshot. I am not including a mitigation for the new severe undisclosed Safari problem ...
9 years, 1 month ago (2015-02-22 21:55:21 UTC) #38
kpreid2
https://codereview.appspot.com/202030043/diff/340001/src/com/google/caja/ses/repairES5.js File src/com/google/caja/ses/repairES5.js (right): https://codereview.appspot.com/202030043/diff/340001/src/com/google/caja/ses/repairES5.js#newcode3509 src/com/google/caja/ses/repairES5.js:3509: * Detects https://bugs.webkit.org/show_bug.cgi?id=141865 On 2015/02/22 21:55:21, MarkM wrote: > ...
9 years, 1 month ago (2015-02-23 22:26:57 UTC) #39
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-23 23:11:53 UTC) #40
MarkM
https://codereview.appspot.com/202030043/diff/360001/src/com/google/caja/ses/repairES5.js File src/com/google/caja/ses/repairES5.js (right): https://codereview.appspot.com/202030043/diff/360001/src/com/google/caja/ses/repairES5.js#newcode3571 src/com/google/caja/ses/repairES5.js:3571: * in the object On 2015/02/23 22:26:57, kpreid2 wrote: ...
9 years, 1 month ago (2015-02-23 23:13:35 UTC) #41
kpreid2
LGTM
9 years, 1 month ago (2015-02-23 23:24:53 UTC) #42
MarkM
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects lists the intrinsic objects of ES6, not all of which are reachable by own ...
9 years, 1 month ago (2015-02-26 02:10:03 UTC) #43
MarkM
New snapshot in response to https://code.google.com/p/google-caja/issues/detail?id=1956 PTAL
9 years, 1 month ago (2015-02-26 02:11:15 UTC) #44
kpreid2
9 years, 1 month ago (2015-02-26 19:35:10 UTC) #45
LGTM
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b