Left: | ||
Right: |
OLD | NEW |
---|---|
1 // Copyright (C) 2011 Google Inc. | 1 // Copyright (C) 2011 Google Inc. |
2 // | 2 // |
3 // Licensed under the Apache License, Version 2.0 (the "License"); | 3 // Licensed under the Apache License, Version 2.0 (the "License"); |
4 // you may not use this file except in compliance with the License. | 4 // you may not use this file except in compliance with the License. |
5 // You may obtain a copy of the License at | 5 // You may obtain a copy of the License at |
6 // | 6 // |
7 // https://www.apache.org/licenses/LICENSE-2.0 | 7 // https://www.apache.org/licenses/LICENSE-2.0 |
8 // | 8 // |
9 // Unless required by applicable law or agreed to in writing, software | 9 // Unless required by applicable law or agreed to in writing, software |
10 // distributed under the License is distributed on an "AS IS" BASIS, | 10 // distributed under the License is distributed on an "AS IS" BASIS, |
(...skipping 15 matching lines...) Expand all Loading... | |
26 * <p>Ignore the "...requires ___global_test_function___" below. We | 26 * <p>Ignore the "...requires ___global_test_function___" below. We |
27 * create it, use it, and delete it all within this module. But we | 27 * create it, use it, and delete it all within this module. But we |
28 * need to lie to the linter since it can't tell. | 28 * need to lie to the linter since it can't tell. |
29 * | 29 * |
30 * //requires ses.mitigateSrcGotchas | 30 * //requires ses.mitigateSrcGotchas |
31 * //provides ses.ok, ses.okToLoad, ses.getMaxSeverity | 31 * //provides ses.ok, ses.okToLoad, ses.getMaxSeverity |
32 * //provides ses.is, ses.makeDelayedTamperProof | 32 * //provides ses.is, ses.makeDelayedTamperProof |
33 * //provides ses.makeCallerHarmless, ses.makeArgumentsHarmless | 33 * //provides ses.makeCallerHarmless, ses.makeArgumentsHarmless |
34 * //provides ses.noFuncPoison | 34 * //provides ses.noFuncPoison |
35 * //provides ses.verifyStrictFunctionBody | 35 * //provides ses.verifyStrictFunctionBody |
36 * //provides ses.getUndeniables, ses.earlyUndeniables | |
37 * //provides ses.getAnonIntrinsics | |
36 * | 38 * |
37 * @author Mark S. Miller | 39 * @author Mark S. Miller |
38 * @requires ___global_test_function___, ___global_valueOf_function___ | 40 * @requires ___global_test_function___, ___global_valueOf_function___ |
39 * @requires JSON, eval, this | 41 * @requires JSON, eval, this |
40 * @requires navigator, document, DOMException | 42 * @requires navigator, document, DOMException |
41 * @overrides ses, repairES5Module | 43 * @overrides ses, repairES5Module |
42 * @overrides RegExp, WeakMap, Object, parseInt | 44 * @overrides RegExp, WeakMap, Object, parseInt |
43 */ | 45 */ |
44 var RegExp; | 46 var RegExp; |
45 var ses; | 47 var ses; |
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
193 * poison properties for simple safety, rather than trying to find | 195 * poison properties for simple safety, rather than trying to find |
194 * subtle corner cases by which they might lose safety. If any of | 196 * subtle corner cases by which they might lose safety. If any of |
195 * this fails, then we proceed under the assumption we're in the old | 197 * this fails, then we proceed under the assumption we're in the old |
196 * regime. | 198 * regime. |
197 * | 199 * |
198 * If noFuncPoison, then we're in the new regime made simply safe by | 200 * If noFuncPoison, then we're in the new regime made simply safe by |
199 * these deletions, and we do not treat the names 'caller' and | 201 * these deletions, and we do not treat the names 'caller' and |
200 * 'arguments' on functions as special. | 202 * 'arguments' on functions as special. |
201 */ | 203 */ |
202 var noFuncPoison = | 204 var noFuncPoison = |
203 Function.prototype.hasOwnProperty('caller') && | 205 Function.prototype.hasOwnProperty('caller') && |
204 Function.prototype.hasOwnProperty('arguments') && | 206 Function.prototype.hasOwnProperty('arguments') && |
205 !strictFnSpecimen.hasOwnProperty('caller') && | 207 !strictFnSpecimen.hasOwnProperty('caller') && |
206 !strictFnSpecimen.hasOwnProperty('arguments') && | 208 !strictFnSpecimen.hasOwnProperty('arguments') && |
207 !builtInMapMethod.hasOwnProperty('caller') && | 209 !builtInMapMethod.hasOwnProperty('caller') && |
208 !builtInMapMethod.hasOwnProperty('arguments') && | 210 !builtInMapMethod.hasOwnProperty('arguments') && |
209 delete Function.prototype.caller && | 211 delete Function.prototype.caller && |
210 delete Function.prototype.arguments && | 212 delete Function.prototype.arguments && |
211 !Function.prototype.hasOwnProperty('caller') && | 213 !Function.prototype.hasOwnProperty('caller') && |
212 !Function.prototype.hasOwnProperty('arguments'); | 214 !Function.prototype.hasOwnProperty('arguments'); |
213 ses.noFuncPoison = noFuncPoison; | 215 ses.noFuncPoison = noFuncPoison; |
214 | 216 |
215 | 217 |
216 /** | 218 /** |
217 * http://wiki.ecmascript.org/doku.php?id=harmony:egal | 219 * http://wiki.ecmascript.org/doku.php?id=harmony:egal |
218 */ | 220 */ |
219 var is = ses.is = Object.is || function(x, y) { | 221 var is = ses.is = Object.is || function(x, y) { |
220 if (x === y) { | 222 if (x === y) { |
221 // 0 === -0, but they are not identical | 223 // 0 === -0, but they are not identical |
222 return x !== 0 || 1 / x === 1 / y; | 224 return x !== 0 || 1 / x === 1 / y; |
(...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
324 * initialization has done all the monkey patching that it is going | 326 * initialization has done all the monkey patching that it is going |
325 * to do on the Object.* methods, but before any untrusted code runs | 327 * to do on the Object.* methods, but before any untrusted code runs |
326 * in this context. | 328 * in this context. |
327 */ | 329 */ |
328 function makeTamperProof() { | 330 function makeTamperProof() { |
329 | 331 |
330 // Sample these after all trusted monkey patching initialization | 332 // Sample these after all trusted monkey patching initialization |
331 // but before any untrusted code runs in this frame. | 333 // but before any untrusted code runs in this frame. |
332 var gopd = Object.getOwnPropertyDescriptor; | 334 var gopd = Object.getOwnPropertyDescriptor; |
333 var gopn = Object.getOwnPropertyNames; | 335 var gopn = Object.getOwnPropertyNames; |
334 var getProtoOf = Object.getPrototypeOf; | |
335 var freeze = Object.freeze; | 336 var freeze = Object.freeze; |
336 var isFrozen = Object.isFrozen; | 337 var isFrozen = Object.isFrozen; |
337 var defProp = Object.defineProperty; | 338 var defProp = Object.defineProperty; |
338 var call = Function.prototype.call; | 339 var call = Function.prototype.call; |
339 | 340 |
340 function forEachNonPoisonOwn(obj, callback) { | 341 function forEachNonPoisonOwn(obj, callback) { |
341 var list = gopn(obj); | 342 var list = gopn(obj); |
342 var len = list.length; | 343 var len = list.length; |
343 var i, j, name; // crockford rule | 344 var i, j, name; // crockford rule |
344 if (typeof obj === 'function') { | 345 if (typeof obj === 'function') { |
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
492 * ctor. methodName must be the name of a method on ctor.prototype | 493 * ctor. methodName must be the name of a method on ctor.prototype |
493 * that, when applied to an exotic object of this exotic type as | 494 * that, when applied to an exotic object of this exotic type as |
494 * this-value, with the provided args list, will return without | 495 * this-value, with the provided args list, will return without |
495 * error, but when applied to any other object as this-value will | 496 * error, but when applied to any other object as this-value will |
496 * throw an error. opt_example, if provided, must be an example of | 497 * throw an error. opt_example, if provided, must be an example of |
497 * such an exotic object that can be used for internal sanity | 498 * such an exotic object that can be used for internal sanity |
498 * checking before returning a brandTester. | 499 * checking before returning a brandTester. |
499 * | 500 * |
500 * <p>Uses Allen's trick from | 501 * <p>Uses Allen's trick from |
501 * https://esdiscuss.org/topic/tostringtag-spoofing-for-null-and-undefined#con tent-59 | 502 * https://esdiscuss.org/topic/tostringtag-spoofing-for-null-and-undefined#con tent-59 |
502 * for brand testing that will remain reliable in ES6. | 503 * for brand testing that will remain reliable in ES6. |
503 * However, testing reveals that, on FF 35.0.1, a proxy on an exotic | 504 * However, testing reveals that, on FF 35.0.1, a proxy on an exotic |
504 * object X will pass this brand test when X will. This is fixed as of | 505 * object X will pass this brand test when X will. This is fixed as of |
505 * FF Nightly 38.0a1. | 506 * FF Nightly 38.0a1. |
506 * | 507 * |
507 * <p>Returns a brandTester function such that, if brandTester(specimen) | 508 * <p>Returns a brandTester function such that, if brandTester(specimen) |
508 * returns true, this is a reliable indicator that specimen actually | 509 * returns true, this is a reliable indicator that specimen actually |
509 * is an exotic object of that type. | 510 * is an exotic object of that type. |
510 * | 511 * |
511 * <p>As a convenience, ctor may be undefined, in which | 512 * <p>As a convenience, ctor may be undefined, in which |
512 * case we assume that there are no exotic objects of that kind. In | 513 * case we assume that there are no exotic objects of that kind. In |
(...skipping 95 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
608 RegExp, 'exec', ['x'], /x/); | 609 RegExp, 'exec', ['x'], /x/); |
609 | 610 |
610 /** | 611 /** |
611 * A reliable brand test for whether specimen has a [[WeakMapData]] | 612 * A reliable brand test for whether specimen has a [[WeakMapData]] |
612 * internal slot. | 613 * internal slot. |
613 */ | 614 */ |
614 var isBuiltinWeakMap = makeBrandTester( | 615 var isBuiltinWeakMap = makeBrandTester( |
615 global.WeakMap, 'get', [{}], global.WeakMap ? new WeakMap() : void 0); | 616 global.WeakMap, 'get', [{}], global.WeakMap ? new WeakMap() : void 0); |
616 | 617 |
617 | 618 |
618 /////////////////////////////////////////// | 619 //////////////// Undeniables and Intrinsics ////////////// |
620 | |
621 | |
622 /** | |
623 * A known strict function which returns its arguments object. | |
624 */ | |
625 function strictArguments() { return arguments; } | |
626 | |
627 /** | |
628 * A known sloppy function which returns its arguments object. | |
629 * | |
630 * Defined using Function so it'll be sloppy (not strict and not | |
631 * builtin). | |
632 */ | |
633 var sloppyArguments = Function('return arguments;'); | |
634 | |
635 /** | |
636 * If present, a known strict generator function which yields its | |
637 * arguments object. | |
638 * | |
639 * <p>TODO: once all supported browsers implement ES6 generators, we | |
640 * can drop the "try"s below, drop the check for old Mozilla | |
641 * generator syntax, and treat strictArgumentsGenerator as | |
642 * unconditional in the test of the code. | |
643 */ | |
644 var strictArgumentsGenerator = void 0; | |
645 try { | |
646 // ES6 syntax | |
647 strictArgumentsGenerator = | |
648 eval('(function*() { "use strict"; yield arguments; })'); | |
649 } catch (ex) { | |
650 if (!(ex instanceof SyntaxError)) { throw ex; } | |
651 try { | |
652 // Old Firefox syntax | |
653 strictArgumentsGenerator = | |
654 eval('(function() { "use strict"; yield arguments; })'); | |
655 } catch (ex2) { | |
656 if (!(ex2 instanceof SyntaxError)) { throw ex2; } | |
657 } | |
658 } | |
659 | |
660 /** | |
661 * The undeniables are the primordial objects which are ambiently | |
662 * reachable via compositions of strict syntax, primitive wrapping | |
663 * (new Object(x)), and prototype navigation (the equivalent of | |
664 * Object.getPrototypeOf(x) or x.__proto__). Although we could in | |
665 * theory monkey patch primitive wrapping or prototype navigation, | |
666 * we won't. Hence, without parsing, the following are undeniable no | |
667 * matter what <i>other</i> monkey patching we do to the primordial | |
668 * environment. | |
669 */ | |
670 function getUndeniables() { | |
671 var gopd = Object.getOwnPropertyDescriptor; | |
672 var getProto = Object.getPrototypeOf; | |
673 | |
674 // The first element of each undeniableTuple is a string used to | |
675 // name the undeniable object for reporting purposes. It has no | |
676 // other programmatic use. | |
677 // | |
678 // The second element of each undeniableTuple should be the | |
679 // undeniable itself. | |
680 // | |
681 // The optional third element of the undeniableTuple, if present, | |
682 // should be an example of syntax, rather than use of a monkey | |
683 // patchable API, evaluating to a value from which the undeniable | |
684 // object in the second element can be reached by only the | |
685 // following steps: | |
686 // If the value is primitve, convert to an Object wrapper. | |
687 // Is the resulting object either the undeniable object, or does | |
688 // it inherit directly from the undeniable object? | |
689 | |
690 var undeniableTuples = [ | |
691 ['Object.prototype', Object.prototype, {}], | |
692 ['Function.prototype', Function.prototype, function(){}], | |
693 ['Array.prototype', Array.prototype, []], | |
694 ['RegExp.prototype', RegExp.prototype, /x/], | |
695 ['Boolean.prototype', Boolean.prototype, true], | |
696 ['Number.prototype', Number.prototype, 1], | |
697 ['String.prototype', String.prototype, 'x'], | |
698 ]; | |
699 var result = {}; | |
700 | |
701 // Get the ES6 %Generator% intrinsic, if present. | |
702 // It is undeniable because individual generator functions inherit | |
703 // from it. | |
704 (function() { | |
705 // See http://people.mozilla.org/~jorendorff/figure-2.png | |
706 // i.e., Figure 2 of section 25.2 "Generator Functions" of the | |
707 // ES6 spec. | |
708 // https://people.mozilla.org/~jorendorff/es6-draft.html#sec-generatorfunc tion-objects | |
709 if (!strictArgumentsGenerator) { return; } | |
710 var Generator = getProto(strictArgumentsGenerator); | |
711 undeniableTuples.push(['%Generator%', Generator, | |
712 strictArgumentsGenerator]); | |
713 strictArgumentsGenerator = strictArgumentsGenerator; | |
714 }()); | |
715 | |
716 strictForEachFn(undeniableTuples, function(tuple) { | |
717 var name = tuple[0]; | |
718 var undeniable = tuple[1]; | |
719 var start = tuple[2]; | |
720 result[name] = undeniable; | |
721 if (start === void 0) { return; } | |
722 start = Object(start); | |
723 if (undeniable === start) { return; } | |
724 if (undeniable === getProto(start)) { return; } | |
725 throw new Error('Unexpected undeniable: ' + undeniable); | |
726 }); | |
727 | |
728 return result; | |
729 } | |
730 ses.getUndeniables = getUndeniables; | |
731 | |
732 // For consistency checking, once we've done all our whitelist | |
733 // processing and monkey patching, we will call getUndeniables again | |
734 // and check that the undeniables are the same. | |
735 ses.earlyUndeniables = getUndeniables(); | |
736 | |
737 | |
738 /** | |
739 * Get the intrinsics not otherwise reachable by named own property | |
740 * traversal. See | |
741 * https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrin sic-objects | |
742 * and the instrinsics section of whitelist.js | |
743 * | |
744 * <p>Unlike getUndeniables(), the result of getAnonIntrinsics() | |
745 * does depend on the current state of the primordials, so we must | |
746 * run this again after all other relevant monkey patching is done, | |
747 * in order to properly initialize cajaVM.intrinsics | |
748 */ | |
749 function getAnonIntrinsics() { | |
750 var gopd = Object.getOwnPropertyDescriptor; | |
751 var getProto = Object.getPrototypeOf; | |
752 var result = {}; | |
753 | |
754 // If there are still other ThrowTypeError objects left after | |
755 // noFuncPoison-ing, this should be caught by | |
756 // test_THROWTYPEERROR_NOT_UNIQUE below, so we assume here that | |
757 // this is the only surviving ThrowTypeError intrinsic. | |
758 result.ThrowTypeError = gopd(arguments, 'caller').get; | |
759 | |
760 // Get the ES6 %ArrayIteratorPrototype%, %StringIteratorPrototype%, | |
761 // and %IteratorPrototype% intrinsics, if present. | |
762 | |
763 // TODO %MapIteratorPrototype%, %SetIteratorPrototype% | |
764 // It is currently safe to omit %MapIteratorPrototype% and | |
765 // %SetIteratorPrototype% since we do not yet whitelist Map and | |
766 // Set. | |
767 (function() { | |
768 var iteratorSym = global.Symbol && global.Symbol.iterator || | |
769 "@@iterator"; // used instead of a symbol on FF35 | |
770 if ([][iteratorSym]) { | |
771 var arrayIter = [][iteratorSym](); | |
772 var ArrayIteratorPrototype = getProto(arrayIter); | |
773 result.ArrayIteratorPrototype = ArrayIteratorPrototype; | |
774 var arrayIterProtoBase = getProto(ArrayIteratorPrototype); | |
775 if (arrayIterProtoBase !== Object.prototype) { | |
776 if (getProto(arrayIterProtoBase) !== Object.prototype) { | |
777 throw new Error( | |
778 '%IteratorPrototype%.__proto__ was not Object.prototype'); | |
779 } | |
780 result.IteratorPrototype = arrayIterProtoBase; | |
781 } | |
782 } | |
783 if (''[iteratorSym]) { | |
784 var stringIter = ''[iteratorSym](); | |
785 var StringIteratorPrototype = getProto(stringIter); | |
786 result.StringIteratorPrototype = StringIteratorPrototype; | |
787 var stringIterProtoBase = getProto(StringIteratorPrototype); | |
788 if (stringIterProtoBase !== Object.prototype) { | |
789 if (!result.IteratorPrototype) { | |
790 if (getProto(stringIterProtoBase) !== Object.prototype) { | |
791 throw new Error( | |
792 '%IteratorPrototype%.__proto__ was not Object.prototype'); | |
793 } | |
794 result.IteratorPrototype = stringIterProtoBase; | |
795 } else { | |
796 if (result.IteratorPrototype !== stringIterProtoBase) { | |
797 throw new Error('unexpected %StringIteratorPrototype%.__proto__'); | |
798 } | |
799 } | |
800 } | |
801 } | |
802 }()); | |
803 | |
804 // Get the ES6 %GeneratorFunction% intrinsic, if present. | |
805 (function() { | |
806 var Generator = ses.earlyUndeniables['%Generator%']; | |
807 if (!Generator || Generator === Function.prototype) { return; } | |
808 if (getProto(Generator) !== Function.prototype) { | |
809 throw new Error('Generator.__proto__ was not Function.prototype'); | |
810 } | |
811 var GeneratorFunction = Generator.constructor; | |
812 if (GeneratorFunction === Function) { return; } | |
813 if (getProto(GeneratorFunction) !== Function) { | |
814 throw new Error('GeneratorFunction.__proto__ was not Function'); | |
815 } | |
816 result.GeneratorFunction = GeneratorFunction; | |
817 var genProtoBase = getProto(Generator.prototype); | |
818 if (genProtoBase !== result.IteratorPrototype && | |
819 genProtoBase !== Object.prototype) { | |
820 throw new Error('Unexpected Generator.prototype.__proto__'); | |
821 } | |
822 }()); | |
823 | |
824 // Get the ES6 %TypedArray% intrinsic, if present. | |
825 (function() { | |
826 if (!global.Float32Array) { return; } | |
827 var TypedArray = getProto(global.Float32Array); | |
828 if (TypedArray === Function.prototype) { return; } | |
829 if (getProto(TypedArray) !== Function.prototype) { | |
830 // http://bespin.cz/~ondras/html/classv8_1_1ArrayBufferView.html | |
831 // has me worried that someone might make such an intermediate | |
832 // object visible. | |
833 throw new Error('TypedArray.__proto__ was not Function.prototype'); | |
834 } | |
835 result.TypedArray = TypedArray; | |
836 }()); | |
837 | |
838 for (var name in result) { | |
839 if (result[name] === void 0) { | |
840 throw new Error('Malformed intrinsic: ' + name); | |
841 } | |
842 } | |
843 | |
844 return result; | |
845 } | |
846 ses.getAnonIntrinsics = getAnonIntrinsics; | |
847 | |
848 var unsafeIntrinsics = getAnonIntrinsics(); | |
849 | |
850 | |
851 ////////////////////////////////////////////////////////// | |
619 | 852 |
620 /** | 853 /** |
621 * Fails if {@code funcBodySrc} does not parse as a strict | 854 * Fails if {@code funcBodySrc} does not parse as a strict |
622 * FunctionBody. | 855 * FunctionBody. |
623 * | 856 * |
624 * <p>ses.verifyStrictFunctionBody is exported from repairES5 | 857 * <p>ses.verifyStrictFunctionBody is exported from repairES5 |
625 * because the best way to perform this verification on a given | 858 * because the best way to perform this verification on a given |
626 * platform depends on whether the platform's Function constructor | 859 * platform depends on whether the platform's Function constructor |
627 * <a href= | 860 * <a href= |
628 * "https://code.google.com/p/google-caja/issues/detail?id=1616" | 861 * "https://code.google.com/p/google-caja/issues/detail?id=1616" |
(...skipping 2224 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2853 if (desc === undefined) { return false; } | 3086 if (desc === undefined) { return false; } |
2854 if (desc.configurable) { return false; } | 3087 if (desc.configurable) { return false; } |
2855 if (desc.value === null && desc.configurable === false) { | 3088 if (desc.value === null && desc.configurable === false) { |
2856 // the problematic-for-us case, known to occur in Chrome 25.0.1364.172 | 3089 // the problematic-for-us case, known to occur in Chrome 25.0.1364.172 |
2857 return true; | 3090 return true; |
2858 } | 3091 } |
2859 return 'Unexpected __proto__ own property descriptor, enumerable: ' + | 3092 return 'Unexpected __proto__ own property descriptor, enumerable: ' + |
2860 desc.enumerable + ', value: ' + desc.value; | 3093 desc.enumerable + ', value: ' + desc.value; |
2861 } | 3094 } |
2862 | 3095 |
2863 function getThrowTypeError() { | |
2864 return Object.getOwnPropertyDescriptor(arguments, 'caller').get; | |
2865 } | |
2866 | |
2867 /** | 3096 /** |
2868 * A known strict function which returns its arguments object. | 3097 * %ThrowTypeError% is not unique (even after whatever cleanup was |
2869 */ | 3098 * already done during the noFuncPoison testing above). |
2870 function strictArguments() { return arguments; } | |
2871 | |
2872 /** | |
2873 * A known sloppy function which returns its arguments object. | |
2874 * | |
2875 * Defined using Function so it'll be sloppy (not strict and not | |
2876 * builtin). | |
2877 */ | |
2878 var sloppyArguments = Function('return arguments;'); | |
2879 | |
2880 /** | |
2881 * [[ThrowTypeError]] is not unique (even after whatever cleanup was | |
2882 * already done during the noPoison testing above). | |
2883 */ | 3099 */ |
2884 function test_THROWTYPEERROR_NOT_UNIQUE() { | 3100 function test_THROWTYPEERROR_NOT_UNIQUE() { |
2885 var tte = getThrowTypeError(); | 3101 var tte = unsafeIntrinsics.ThrowTypeError; |
2886 if (typeof tte !== 'function') { | 3102 if (typeof tte !== 'function') { |
2887 return 'Unexpected [[ThrowTypeError]]: ' + tte; | 3103 return 'Unexpected %ThrowTypeError%: ' + tte; |
2888 } | 3104 } |
2889 var others = []; | 3105 var others = []; |
2890 strictForEachFn([ | 3106 var sourcesOfTTE = [ |
2891 [Function.prototype, 'Function.prototype', ['caller', 'arguments']], | 3107 [Function.prototype, 'Function.prototype', ['caller', 'arguments']], |
2892 [builtInMapMethod, 'builtin function', ['caller', 'arguments']], | 3108 [builtInMapMethod, 'builtin function', ['caller', 'arguments']], |
2893 [strictArguments, 'strict function', ['caller', 'arguments']], | 3109 [strictArguments, 'strict function', ['caller', 'arguments']], |
2894 [sloppyArguments, 'sloppy function', ['caller', 'arguments']], | 3110 [sloppyArguments, 'sloppy function', ['caller', 'arguments']], |
2895 [strictArguments(), 'strict arguments', ['caller', 'callee']], | 3111 [strictArguments(), 'strict arguments', ['caller', 'callee']], |
2896 [sloppyArguments(), 'sloppy arguments', ['caller', 'callee']] | 3112 [sloppyArguments(), 'sloppy arguments', ['caller', 'callee']] |
2897 ], function(triple) { | 3113 ]; |
2898 var base = triple[0]; | 3114 if (strictArgumentsGenerator) { |
2899 var where = triple[1]; | 3115 var strictGeneratedArgs = strictArgumentsGenerator().next().value; |
2900 var names = triple[2]; | 3116 sourcesOfTTE.push( |
3117 [strictArgumentsGenerator, 'strict generator', ['caller', 'arguments']], | |
3118 [strictGeneratedArgs, 'strict generated arguments', | |
3119 ['caller', 'callee']]); | |
3120 } | |
3121 var Generator = ses.earlyUndeniables['%Generator%']; | |
3122 if (Generator) { | |
3123 sourcesOfTTE.push([Generator, '%Generator%', ['caller', 'arguments']]); | |
3124 } | |
3125 var GeneratorFunction = unsafeIntrinsics.GeneratorFunction; | |
3126 if (GeneratorFunction) { | |
3127 sourcesOfTTE.push([GeneratorFunction, '%GeneratorFunction%', | |
3128 ['caller', 'arguments']]); | |
3129 } | |
3130 | |
3131 strictForEachFn(sourcesOfTTE, function(sourceOfTTE) { | |
3132 var base = sourceOfTTE[0]; | |
3133 var where = sourceOfTTE[1]; | |
3134 var names = sourceOfTTE[2]; | |
2901 strictForEachFn(names, function(name) { | 3135 strictForEachFn(names, function(name) { |
2902 var desc = Object.getOwnPropertyDescriptor(base, name); | 3136 var desc = Object.getOwnPropertyDescriptor(base, name); |
2903 if (!desc) { return; } | 3137 if (!desc) { return; } |
2904 strictForEachFn(['get', 'set'], function (attr) { | 3138 strictForEachFn(['get', 'set'], function (attr) { |
2905 var otherTTE = desc[attr]; | 3139 var otherTTE = desc[attr]; |
2906 if (!otherTTE || otherTTE === tte) { return; } | 3140 if (!otherTTE || otherTTE === tte) { return; } |
2907 others.push(where + ' ' + attr + ' ' + name); | 3141 others.push(where + ' ' + attr + ' ' + name); |
2908 }); | 3142 }); |
2909 }); | 3143 }); |
2910 }); | 3144 }); |
2911 if (others.length === 0) { return false; } | 3145 if (others.length === 0) { return false; } |
2912 return 'Multiple [[ThrowTypeError]]s: ' + others.join(', '); | 3146 return 'Multiple %ThrowTypeError%s: ' + others.join(', '); |
2913 } | 3147 } |
2914 | 3148 |
2915 /** | 3149 /** |
2916 * [[ThrowTypeError]] is extensible or has modifiable properties. | 3150 * %ThrowTypeError% is extensible or has modifiable properties. |
2917 */ | 3151 */ |
2918 function test_THROWTYPEERROR_UNFROZEN() { | 3152 function test_THROWTYPEERROR_UNFROZEN() { |
2919 return !Object.isFrozen(getThrowTypeError()); | 3153 return !Object.isFrozen(unsafeIntrinsics.ThrowTypeError); |
2920 } | 3154 } |
2921 | 3155 |
2922 /** | 3156 /** |
2923 * [[ThrowTypeError]] has properties which the spec gives to other function | 3157 * %ThrowTypeError% has properties which the spec gives to other function |
2924 * objects but not [[ThrowTypeError]]. | 3158 * objects but not %ThrowTypeError%. |
2925 * | 3159 * |
2926 * We don't check for arbitrary properties because they might be extensions | 3160 * We don't check for arbitrary properties because they might be extensions |
2927 * for all function objects, which we don't particularly want to complain | 3161 * for all function objects, which we don't particularly want to complain |
2928 * about (and will delete via whitelisting). | 3162 * about (and will delete via whitelisting). |
2929 */ | 3163 */ |
2930 function test_THROWTYPEERROR_PROPERTIES() { | 3164 function test_THROWTYPEERROR_PROPERTIES() { |
2931 var tte = getThrowTypeError(); | 3165 var tte = unsafeIntrinsics.ThrowTypeError; |
2932 return !!Object.getOwnPropertyDescriptor(tte, 'prototype') || | 3166 return !!Object.getOwnPropertyDescriptor(tte, 'prototype') || |
2933 !!Object.getOwnPropertyDescriptor(tte, 'arguments') || | 3167 !!Object.getOwnPropertyDescriptor(tte, 'arguments') || |
2934 !!Object.getOwnPropertyDescriptor(tte, 'caller'); | 3168 !!Object.getOwnPropertyDescriptor(tte, 'caller'); |
2935 } | 3169 } |
2936 | 3170 |
2937 /** | 3171 /** |
2938 * See https://code.google.com/p/v8/issues/detail?id=2728 | 3172 * See https://code.google.com/p/v8/issues/detail?id=2728 |
2939 * and https://code.google.com/p/google-caja/issues/detail?id=1616 | 3173 * and https://code.google.com/p/google-caja/issues/detail?id=1616 |
2940 */ | 3174 */ |
2941 function test_SYNTAX_ERRORS_ARENT_ALWAYS_EARLY() { | 3175 function test_SYNTAX_ERRORS_ARENT_ALWAYS_EARLY() { |
(...skipping 238 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3180 } else { | 3414 } else { |
3181 return 'Unexpected prototype identity from setting a function\'s ' + | 3415 return 'Unexpected prototype identity from setting a function\'s ' + |
3182 'prototype with defineProperty.'; | 3416 'prototype with defineProperty.'; |
3183 } | 3417 } |
3184 } else { | 3418 } else { |
3185 return 'Unexpected result of setting a function\'s prototype ' + | 3419 return 'Unexpected result of setting a function\'s prototype ' + |
3186 'with defineProperty: ' + typeof bar.prototype; | 3420 'with defineProperty: ' + typeof bar.prototype; |
3187 } | 3421 } |
3188 } | 3422 } |
3189 | 3423 |
3424 /** | |
3425 * In ES6, the constructor property of the %Generator% intrinsic | |
3426 * initially points at the unsafe %GeneratorFunction% intrinsic. This | |
3427 * property is supposed to have attributes | |
3428 * { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true } | |
3429 * Prior to 2/19/2015, on v8 it had attributes | |
3430 * { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: false } | |
3431 * making it impossible to change the property's value. | |
3432 * | |
3433 * <p>Since the original %GeneratorFunction% intrinsic, like the | |
3434 * global Function constructor, accepts a function body which it | |
3435 * executes in the global scope, it would be reachable by any | |
3436 * generator. Without parsing, we would not be able to prevent | |
3437 * the following expression | |
3438 * <pre> | |
3439 * (function*(){}).constructor('yield window;')().next().value | |
3440 * </pre> | |
3441 * from providing the genuine global window object of that realm. | |
3442 */ | |
3443 function test_GENERATORFUNCTION_CANNOT_BE_DENIED() { | |
3444 var gopd = Object.getOwnPropertyDescriptor; | |
3445 var getProto = Object.getPrototypeOf; | |
3446 | |
3447 var UnsafeGeneratorFunction = unsafeIntrinsics.GeneratorFunction; | |
3448 if (!UnsafeGeneratorFunction) { return false; } | |
3449 var Generator = ses.earlyUndeniables['%Generator%']; | |
3450 if (!(Generator && | |
3451 Generator.constructor === UnsafeGeneratorFunction && | |
3452 UnsafeGeneratorFunction.prototype === Generator && | |
3453 getProto(UnsafeGeneratorFunction) === UnsafeFunction && | |
3454 getProto(Generator) === Function.prototype)) { | |
3455 return 'Unexpected primordial Generator arrangement'; | |
3456 } | |
3457 var desc = gopd(Generator, 'constructor'); | |
3458 return desc.writable === false && desc.configurable === false; | |
3459 } | |
3460 | |
3461 /** | |
3462 * ES6 introduces a new "import" special form syntax, which imports | |
3463 * access to modules that we cannot currently control. Therefore, if | |
3464 * we cannot prevent use of the "import" syntax, we lose | |
3465 * isolation. Fortunately, the "import" syntax can only legally | |
3466 * occur with modules, not within the text that the original eval, | |
3467 * Function, or %GeneratorFunction% would accept. Since untrusted | |
3468 * code enters a SES environment only through these, we should be | |
3469 * safe. | |
3470 * | |
3471 * <p>This test checks that this assumption indeed holds for the | |
3472 * current platform. | |
3473 */ | |
3474 function test_IMPORT_CAN_BE_EVALLED() { | |
3475 // From Table 40 at | |
3476 // https://people.mozilla.org/~jorendorff/es6-draft.html#sec-source-text-mod ule-records | |
3477 // The following test will actually attempt to eval the following | |
3478 // strings, so it is important that there not be strings here that | |
3479 // can do damage if this eval succeeds during SES | |
3480 // initialization. This is before any untrusted code runs in this | |
3481 // realm, so we assume that no module named __noModWithThisName__ | |
3482 // is yet importable. | |
3483 var importExamples = [ | |
3484 'import v from "__noModWithThisName__";', | |
3485 'import * as ns from "__noModWithThisName__";', | |
3486 'import {x} from "__noModWithThisName__";', | |
3487 'import {x as v} from "__noModWithThisName__";', | |
3488 'import "__noModWithThisName__";']; | |
3489 var evallers = [unsafeEval, UnsafeFunction]; | |
3490 if (unsafeIntrinsics.GeneratorFunction) { | |
3491 evallers.push(unsafeIntrinsics.GeneratorFunction); | |
3492 } | |
3493 for (var i = 0; i < importExamples.length; i++) { | |
3494 for (var j = 0; j < evallers.length; j++) { | |
3495 try { | |
3496 evallers[j](importExamples[i]); | |
3497 return true; | |
3498 } catch (ex) { | |
3499 if (!(ex instanceof SyntaxError)) { | |
3500 return 'unexpected "' + importExamples[i] + '" failure: ' + ex; | |
3501 } | |
3502 } | |
3503 } | |
3504 } | |
3505 return false; | |
3506 } | |
3507 | |
3508 /** | |
3509 * Detects https://bugs.webkit.org/show_bug.cgi?id=141865 | |
3510 * | |
3511 * <p>On Safari 7.0.5 (9537.77.4), the getter of the | |
3512 * Object.prototype.__proto__ property, if applied to undefined, | |
3513 * acts like a sloppy function would, coercing the undefined to the | |
3514 * global object and returning the global object's [[Prototype]]. | |
3515 */ | |
3516 function test_UNDERBAR_PROTO_GETTER_USES_GLOBAL() { | |
3517 var gopd = Object.getOwnPropertyDescriptor; | |
3518 var getProto = Object.getPrototypeOf; | |
3519 | |
3520 var desc = gopd(Object.prototype, '__proto__'); | |
3521 if (!desc) { return false; } | |
3522 if (!desc.get) { return false; } | |
3523 var globalProto = void 0; | |
3524 try { | |
3525 globalProto = (1,desc.get)(); | |
3526 } catch (ex) { | |
3527 if (ex instanceof TypeError && globalProto === void 0) { | |
3528 return false; | |
3529 } | |
3530 return 'unexpected error: ' + ex; | |
3531 } | |
3532 if (getProto(global) === globalProto) { return true; } | |
3533 return 'unexpected global.__proto__: ' + globalProto; | |
3534 } | |
3535 | |
3536 /** | |
3537 * Detects https://bugs.webkit.org/show_bug.cgi?id=141865 | |
3538 * | |
3539 * <p>On Safari 7.0.5 (9537.77.4), the setter of the | |
3540 * Object.prototype.__proto__ property, if applied to undefined, | |
3541 * acts like a sloppy function would, coercing the undefined to the | |
3542 * global object and setting its [[Prototype]]. | |
3543 */ | |
3544 function test_UNDERBAR_PROTO_SETTER_USES_GLOBAL() { | |
3545 var gopd = Object.getOwnPropertyDescriptor; | |
3546 var getProto = Object.getPrototypeOf; | |
3547 | |
3548 var desc = gopd(Object.prototype, '__proto__'); | |
3549 if (!desc) { return false; } | |
3550 if (!desc.set) { return false; } | |
3551 var globalProto = getProto(global); | |
3552 // Just insert an intermediate object into the prototype chain of the | |
3553 // global object, so this realm is left in a usable state. | |
3554 var splicedProto = Object.create(globalProto); | |
3555 try { | |
3556 (1,desc.set)(splicedProto); | |
3557 } catch (ex) { | |
3558 if (ex instanceof TypeError && getProto(global) === globalProto) { | |
3559 return false; | |
3560 } | |
3561 return 'unexpected error: ' + ex; | |
3562 } | |
3563 if (getProto(global) === splicedProto) { return true; } | |
3564 return 'unexpected global.__proto__: ' + getProto(global); | |
3565 } | |
3566 | |
3567 /** | |
3568 * Detects https://bugs.webkit.org/show_bug.cgi?id=141871 | |
3569 * | |
3570 * <p>On Safari 7.0.5 (9537.77.4), throwing a frozen object results | |
3571 * in the object | |
kpreid2
2015/02/23 22:26:57
incomplete
MarkM
2015/02/23 23:13:35
Done.
| |
3572 */ | |
3573 function test_THROWING_THAWS_FROZEN_OBJECT() { | |
3574 var o = Object.freeze([1, 2]); | |
3575 if (!Object.isFrozen(o)) { | |
3576 return 'Unexpected spontaneous thaw'; | |
3577 } | |
3578 var oldNames = Object.getOwnPropertyNames(o); | |
3579 try { | |
3580 throw o; | |
3581 } catch (e) { | |
3582 if (e !== o) { | |
3583 return 'What was thrown is not what was caught'; | |
3584 } | |
3585 if (Object.isFrozen(e)) { | |
3586 var newNames = Object.getOwnPropertyNames(o); | |
3587 if (oldNames.length !== newNames.length) { | |
3588 return 'Throwing changed properties: ' + newNames; | |
kpreid2
2015/02/23 22:26:57
Aren't we expecting the length to increase, since
MarkM
2015/02/23 23:13:35
No, this is intended, but I can see why it is conf
| |
3589 } | |
3590 for (var i = 0; i < newNames.length; i++) { | |
3591 if (oldNames.indexOf(newNames[i]) === -1) { | |
kpreid2
2015/02/23 22:26:57
This is testing a property was gained, not lost.
MarkM
2015/02/23 23:13:34
What I was checking for was actually quite silly:
| |
3592 return 'Throwing lost property: ' + newNames[i]; | |
3593 } | |
3594 } | |
3595 return false; | |
3596 } | |
3597 var oldStack = e.stack; | |
3598 var capLeak = {}; | |
3599 try { | |
3600 e.stack = capLeak; | |
3601 } catch (err) { | |
3602 if (e.stack === oldStack) { | |
3603 throw 'Unexpected failure to leak: ' + err; | |
3604 } | |
3605 } | |
3606 if (e.stack === capLeak) { return true; } | |
3607 } | |
3608 return 'Unexpected result of throwing frozen object'; | |
3609 } | |
3610 | |
3611 | |
3190 ////////////////////// Repairs ///////////////////// | 3612 ////////////////////// Repairs ///////////////////// |
3191 // | 3613 // |
3192 // Each repair_NAME function exists primarily to repair the problem | 3614 // Each repair_NAME function exists primarily to repair the problem |
3193 // indicated by the corresponding test_NAME function. But other test | 3615 // indicated by the corresponding test_NAME function. But other test |
3194 // failures can still trigger a given repair. | 3616 // failures can still trigger a given repair. |
3195 | 3617 |
3196 | 3618 |
3197 var call = Function.prototype.call; | 3619 var call = Function.prototype.call; |
3198 var apply = Function.prototype.apply; | 3620 var apply = Function.prototype.apply; |
3199 | 3621 |
(...skipping 618 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3818 // conflicting with the caller-specified property names, without | 4240 // conflicting with the caller-specified property names, without |
3819 // needing to examine props twice. | 4241 // needing to examine props twice. |
3820 if (props !== undefined) { | 4242 if (props !== undefined) { |
3821 Object.defineProperties(o, props); | 4243 Object.defineProperties(o, props); |
3822 } | 4244 } |
3823 return o; | 4245 return o; |
3824 } | 4246 } |
3825 }); | 4247 }); |
3826 } | 4248 } |
3827 | 4249 |
4250 /** | |
4251 * Repairs both getter and setter. If either are vulnerable, I don't | |
4252 * care if the other seemed to pass the test. Better to make them | |
4253 * both safe. | |
4254 */ | |
4255 function repair_UNDERBAR_PROTO_accessors_USE_GLOBAL() { | |
4256 var gopd = Object.getOwnPropertyDescriptor; | |
4257 | |
4258 var oldDesc = gopd(Object.prototype, '__proto__'); | |
4259 var oldGetter = oldDesc.get; | |
4260 var oldSetter = oldDesc.set; | |
4261 function newGetter() { | |
4262 if (this === null || this === void 0) { | |
4263 throw new TypeError('Cannot convert null or undefined to object'); | |
4264 } else { | |
4265 return oldGetter.call(this); | |
4266 } | |
4267 } | |
4268 function newSetter(newProto) { | |
4269 if (this === null || this === void 0) { | |
4270 throw new TypeError('Cannot convert null or undefined to object'); | |
4271 } else { | |
4272 oldSetter.call(this, newProto); | |
4273 } | |
4274 } | |
4275 Object.defineProperty(Object.prototype, '__proto__', { | |
4276 get: oldGetter ? newGetter : void 0, | |
4277 set: oldSetter ? newSetter : void 0 | |
4278 }); | |
4279 } | |
4280 | |
3828 ////////////////////// Generic tests/repairs ///////////////////// | 4281 ////////////////////// Generic tests/repairs ///////////////////// |
3829 // | 4282 // |
3830 // These are tests and repairs which follow a pattern, such that it is | 4283 // These are tests and repairs which follow a pattern, such that it is |
3831 // more practical to define them programmatically. | 4284 // more practical to define them programmatically. |
3832 | 4285 |
3833 function arrayPutProblem(destination, | 4286 function arrayPutProblem(destination, |
3834 prop, testArgs, i, expected, kind, opt_repair) { | 4287 prop, testArgs, i, expected, kind, opt_repair) { |
3835 var pos = ['first', 'last'][i]; | 4288 var pos = ['first', 'last'][i]; |
3836 var descs = { | 4289 var descs = { |
3837 readonly: {writable: false, configurable: false}, | 4290 readonly: {writable: false, configurable: false}, |
(...skipping 667 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
4505 { | 4958 { |
4506 id: 'BOUND_FUNCTION_LEAKS_ARGUMENTS', | 4959 id: 'BOUND_FUNCTION_LEAKS_ARGUMENTS', |
4507 description: 'Bound functions leak "arguments"', | 4960 description: 'Bound functions leak "arguments"', |
4508 test: test_BOUND_FUNCTION_LEAKS_ARGUMENTS, | 4961 test: test_BOUND_FUNCTION_LEAKS_ARGUMENTS, |
4509 repair: void 0, | 4962 repair: void 0, |
4510 preSeverity: severities.NOT_OCAP_SAFE, | 4963 preSeverity: severities.NOT_OCAP_SAFE, |
4511 canRepair: false, // Long-dead bug, not worth keeping old repair around | 4964 canRepair: false, // Long-dead bug, not worth keeping old repair around |
4512 urls: ['https://code.google.com/p/v8/issues/detail?id=893', | 4965 urls: ['https://code.google.com/p/v8/issues/detail?id=893', |
4513 'https://bugs.webkit.org/show_bug.cgi?id=63398'], | 4966 'https://bugs.webkit.org/show_bug.cgi?id=63398'], |
4514 sections: ['15.3.4.5'], | 4967 sections: ['15.3.4.5'], |
4515 tests: ['test/language/statements/function/S13.2.3_A1.js', | 4968 tests: ['test/language/statements/function/S13.2.3_A1.js', |
4516 'test/built-ins/Function/prototype/bind/S15.3.4.5_A2.js'] | 4969 'test/built-ins/Function/prototype/bind/S15.3.4.5_A2.js'] |
4517 }, | 4970 }, |
4518 { | 4971 { |
4519 id: 'DELETED_BUILTINS_IN_OWN_NAMES', | 4972 id: 'DELETED_BUILTINS_IN_OWN_NAMES', |
4520 description: 'Deleting built-in leaves phantom behind', | 4973 description: 'Deleting built-in leaves phantom behind', |
4521 test: test_DELETED_BUILTINS_IN_OWN_NAMES, | 4974 test: test_DELETED_BUILTINS_IN_OWN_NAMES, |
4522 repair: void 0, | 4975 repair: void 0, |
4523 preSeverity: severities.SAFE_SPEC_VIOLATION, | 4976 preSeverity: severities.SAFE_SPEC_VIOLATION, |
4524 canRepair: false, // Long-dead bug, not worth keeping old repair around | 4977 canRepair: false, // Long-dead bug, not worth keeping old repair around |
4525 urls: ['https://bugs.webkit.org/show_bug.cgi?id=70207'], | 4978 urls: ['https://bugs.webkit.org/show_bug.cgi?id=70207'], |
(...skipping 362 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
4888 test: test_FREEZING_BREAKS_WEAKMAP, | 5341 test: test_FREEZING_BREAKS_WEAKMAP, |
4889 repair: repair_FREEZING_BREAKS_WEAKMAP, | 5342 repair: repair_FREEZING_BREAKS_WEAKMAP, |
4890 preSeverity: severities.UNSAFE_SPEC_VIOLATION, | 5343 preSeverity: severities.UNSAFE_SPEC_VIOLATION, |
4891 canRepair: true, | 5344 canRepair: true, |
4892 urls: ['https://code.google.com/p/v8/issues/detail?id=2829'], | 5345 urls: ['https://code.google.com/p/v8/issues/detail?id=2829'], |
4893 sections: [], // TODO(kpreid): cite when ES6 is final | 5346 sections: [], // TODO(kpreid): cite when ES6 is final |
4894 tests: [] // TODO(kpreid): cite when ES6 is final | 5347 tests: [] // TODO(kpreid): cite when ES6 is final |
4895 }, | 5348 }, |
4896 { | 5349 { |
4897 id: 'THROWTYPEERROR_NOT_UNIQUE', | 5350 id: 'THROWTYPEERROR_NOT_UNIQUE', |
4898 description: '[[ThrowTypeError]] is not unique', | 5351 description: '%ThrowTypeError% is not unique', |
4899 test: test_THROWTYPEERROR_NOT_UNIQUE, | 5352 test: test_THROWTYPEERROR_NOT_UNIQUE, |
4900 repair: void 0, | 5353 repair: void 0, |
4901 preSeverity: severities.UNSAFE_SPEC_VIOLATION, | 5354 preSeverity: severities.UNSAFE_SPEC_VIOLATION, |
4902 canRepair: false, | 5355 canRepair: false, |
4903 urls: [], | 5356 urls: [], |
4904 sections: [], | 5357 sections: [], |
4905 tests: [] | 5358 tests: [] |
4906 }, | 5359 }, |
4907 { | 5360 { |
4908 id: 'THROWTYPEERROR_UNFROZEN', | 5361 id: 'THROWTYPEERROR_UNFROZEN', |
4909 description: '[[ThrowTypeError]] is not frozen', | 5362 description: '%ThrowTypeError% is not frozen', |
4910 test: test_THROWTYPEERROR_UNFROZEN, | 5363 test: test_THROWTYPEERROR_UNFROZEN, |
4911 repair: void 0, | 5364 repair: void 0, |
4912 preSeverity: severities.SAFE_SPEC_VIOLATION, // Note: Safe only because | 5365 preSeverity: severities.SAFE_SPEC_VIOLATION, // Note: Safe only because |
4913 // startSES will do whitelist and defense; per spec intent it's an | 5366 // startSES will do whitelist and defense; per spec intent it's an |
4914 // undesired communication channel. | 5367 // undesired communication channel. |
4915 canRepair: false, // will be repaired by whitelist | 5368 canRepair: false, // will be repaired by whitelist |
4916 urls: ['https://bugs.webkit.org/show_bug.cgi?id=108873'], | 5369 urls: ['https://bugs.webkit.org/show_bug.cgi?id=108873'], |
4917 // TODO(kpreid): find or file Firefox bug (writable props) | 5370 // TODO(kpreid): find or file Firefox bug (writable props) |
4918 // TODO(kpreid): find or file Chrome bug (has a .prototype) | 5371 // TODO(kpreid): find or file Chrome bug (has a .prototype) |
4919 sections: ['13.2.3'], | 5372 sections: ['13.2.3'], |
4920 tests: [] // TODO(jasvir): Add to test262 | 5373 tests: [] // TODO(jasvir): Add to test262 |
4921 }, | 5374 }, |
4922 { | 5375 { |
4923 id: 'THROWTYPEERROR_PROPERTIES', | 5376 id: 'THROWTYPEERROR_PROPERTIES', |
4924 description: '[[ThrowTypeError]] has normal function properties', | 5377 description: '%ThrowTypeError% has normal function properties', |
4925 test: test_THROWTYPEERROR_PROPERTIES, | 5378 test: test_THROWTYPEERROR_PROPERTIES, |
4926 repair: void 0, | 5379 repair: void 0, |
4927 preSeverity: severities.SAFE_SPEC_VIOLATION, | 5380 preSeverity: severities.SAFE_SPEC_VIOLATION, |
4928 canRepair: false, // will be repaired by whitelist | 5381 canRepair: false, // will be repaired by whitelist |
4929 urls: [], | 5382 urls: [], |
4930 // WebKit is OK | 5383 // WebKit is OK |
4931 // TODO(kpreid): find or file Firefox bug (has writable props) | 5384 // TODO(kpreid): find or file Firefox bug (has writable props) |
4932 // TODO(kpreid): find or file Chrome bug (has a .prototype!) | 5385 // TODO(kpreid): find or file Chrome bug (has a .prototype!) |
4933 sections: ['13.2.3'], | 5386 sections: ['13.2.3'], |
4934 tests: [] // TODO(jasvir): Add to test262 | 5387 tests: [] // TODO(jasvir): Add to test262 |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
5002 id: 'NUMERIC_PROPERTIES_INVISIBLE', | 5455 id: 'NUMERIC_PROPERTIES_INVISIBLE', |
5003 description: 'Numeric properties not reflectable on create()d objects', | 5456 description: 'Numeric properties not reflectable on create()d objects', |
5004 test: test_NUMERIC_PROPERTIES_INVISIBLE, | 5457 test: test_NUMERIC_PROPERTIES_INVISIBLE, |
5005 repair: repair_NUMERIC_PROPERTIES_INVISIBLE, | 5458 repair: repair_NUMERIC_PROPERTIES_INVISIBLE, |
5006 preSeverity: severities.UNSAFE_SPEC_VIOLATION, | 5459 preSeverity: severities.UNSAFE_SPEC_VIOLATION, |
5007 canRepair: true, | 5460 canRepair: true, |
5008 urls: ['http://webreflection.blogspot.co.uk/2014/04/all-ie-objects-are-bro ken.html'], | 5461 urls: ['http://webreflection.blogspot.co.uk/2014/04/all-ie-objects-are-bro ken.html'], |
5009 // TODO(kpreid): link Microsoft info page when available | 5462 // TODO(kpreid): link Microsoft info page when available |
5010 sections: ['8.12.6'], | 5463 sections: ['8.12.6'], |
5011 tests: [] // TODO(kpreid): contribute tests | 5464 tests: [] // TODO(kpreid): contribute tests |
5465 }, | |
5466 { | |
5467 id: 'GENERATORFUNCTION_CANNOT_BE_DENIED', | |
5468 description: 'Cannot deny access to unsafe %GeneratorFunction%', | |
5469 test: test_GENERATORFUNCTION_CANNOT_BE_DENIED, | |
5470 repair: void 0, | |
5471 preSeverity: severities.NOT_ISOLATED, | |
5472 canRepair: false, | |
5473 urls: ['https://code.google.com/p/google-caja/issues/detail?id=1953', | |
5474 'https://code.google.com/p/v8/issues/detail?id=3902', | |
5475 'https://code.google.com/p/chromium/issues/detail?id=460145', | |
5476 'https://people.mozilla.org/~jorendorff/es6-draft.html#sec-generato rfunction.prototype.constructor'], | |
5477 sections: [], | |
5478 tests: [] | |
5479 }, | |
5480 { | |
5481 id: 'IMPORT_CAN_BE_EVALLED', | |
5482 description: 'Import statement evaluates outside module source text', | |
5483 test: test_IMPORT_CAN_BE_EVALLED, | |
5484 repair: void 0, | |
5485 preSeverity: severities.NOT_ISOLATED, | |
5486 canRepair: false, | |
5487 urls: [], | |
5488 sections: [], | |
5489 tests: [] | |
5490 }, | |
5491 { | |
5492 id: 'UNDERBAR_PROTO_GETTER_USES_GLOBAL', | |
5493 description: 'The getter of __proto__ coerces "this" to global', | |
5494 test: test_UNDERBAR_PROTO_GETTER_USES_GLOBAL, | |
5495 repair: repair_UNDERBAR_PROTO_accessors_USE_GLOBAL, | |
5496 preSeverity: severities.NOT_ISOLATED, | |
5497 canRepair: true, | |
5498 urls: ['https://bugs.webkit.org/show_bug.cgi?id=141865'], | |
5499 sections: [], | |
5500 tests: [] | |
5501 }, | |
5502 { | |
5503 id: 'UNDERBAR_PROTO_SETTER_USES_GLOBAL', | |
5504 description: 'The setter of __proto__ coerces "this" to global', | |
5505 test: test_UNDERBAR_PROTO_SETTER_USES_GLOBAL, | |
5506 repair: repair_UNDERBAR_PROTO_accessors_USE_GLOBAL, | |
5507 preSeverity: severities.NOT_ISOLATED, | |
5508 canRepair: true, | |
5509 urls: ['https://bugs.webkit.org/show_bug.cgi?id=141865'], | |
5510 sections: [], | |
5511 tests: [] | |
5512 }, | |
5513 { | |
5514 id: 'THROWING_THAWS_FROZEN_OBJECT', | |
5515 description: 'Throwing a frozen object opens a capability leak', | |
5516 test: test_THROWING_THAWS_FROZEN_OBJECT, | |
5517 repair: void 0, | |
5518 preSeverity: severities.NOT_ISOLATED, | |
5519 canRepair: false, | |
5520 urls: ['https://bugs.webkit.org/show_bug.cgi?id=141871', | |
5521 'https://bugs.webkit.org/show_bug.cgi?id=141878'], | |
5522 sections: [], | |
5523 tests: [] | |
5012 } | 5524 } |
5013 ]; | 5525 ]; |
5014 | 5526 |
5015 // SPLICE_PUT_IGNORES_FIRST_READONLY | 5527 // SPLICE_PUT_IGNORES_FIRST_READONLY |
5016 // SPLICE_PUT_DOESNT_THROW_FIRST_READONLY | 5528 // SPLICE_PUT_DOESNT_THROW_FIRST_READONLY |
5017 // SPLICE_PUT_IGNORES_FIRST_NON_WRITABLE | 5529 // SPLICE_PUT_IGNORES_FIRST_NON_WRITABLE |
5018 // SPLICE_PUT_DOESNT_THROW_FIRST_NON_WRITABLE | 5530 // SPLICE_PUT_DOESNT_THROW_FIRST_NON_WRITABLE |
5019 // SPLICE_PUT_IGNORES_LAST_READONLY | 5531 // SPLICE_PUT_IGNORES_LAST_READONLY |
5020 // SPLICE_PUT_DOESNT_THROW_LAST_READONLY | 5532 // SPLICE_PUT_DOESNT_THROW_LAST_READONLY |
5021 arrayPutProblem(supportedProblems, | 5533 arrayPutProblem(supportedProblems, |
(...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
5157 ses.es5ProblemReports = indexedReports; | 5669 ses.es5ProblemReports = indexedReports; |
5158 } catch (err) { | 5670 } catch (err) { |
5159 ses._repairer.updateMaxSeverity(ses.severities.NOT_SUPPORTED); | 5671 ses._repairer.updateMaxSeverity(ses.severities.NOT_SUPPORTED); |
5160 var during = ses._repairer.wasDoing(); | 5672 var during = ses._repairer.wasDoing(); |
5161 logger.error('ES5 Repair ' + during + 'failed with: ', err); | 5673 logger.error('ES5 Repair ' + during + 'failed with: ', err); |
5162 } | 5674 } |
5163 | 5675 |
5164 logger.reportMax(); | 5676 logger.reportMax(); |
5165 | 5677 |
5166 })(this); | 5678 })(this); |
OLD | NEW |