OLD | NEW |
1 // Copyright (C) 2011 Google Inc. | 1 // Copyright (C) 2011 Google Inc. |
2 // | 2 // |
3 // Licensed under the Apache License, Version 2.0 (the "License"); | 3 // Licensed under the Apache License, Version 2.0 (the "License"); |
4 // you may not use this file except in compliance with the License. | 4 // you may not use this file except in compliance with the License. |
5 // You may obtain a copy of the License at | 5 // You may obtain a copy of the License at |
6 // | 6 // |
7 // https://www.apache.org/licenses/LICENSE-2.0 | 7 // https://www.apache.org/licenses/LICENSE-2.0 |
8 // | 8 // |
9 // Unless required by applicable law or agreed to in writing, software | 9 // Unless required by applicable law or agreed to in writing, software |
10 // distributed under the License is distributed on an "AS IS" BASIS, | 10 // distributed under the License is distributed on an "AS IS" BASIS, |
(...skipping 15 matching lines...) Expand all Loading... |
26 * <p>Ignore the "...requires ___global_test_function___" below. We | 26 * <p>Ignore the "...requires ___global_test_function___" below. We |
27 * create it, use it, and delete it all within this module. But we | 27 * create it, use it, and delete it all within this module. But we |
28 * need to lie to the linter since it can't tell. | 28 * need to lie to the linter since it can't tell. |
29 * | 29 * |
30 * //requires ses.mitigateSrcGotchas | 30 * //requires ses.mitigateSrcGotchas |
31 * //provides ses.ok, ses.okToLoad, ses.getMaxSeverity | 31 * //provides ses.ok, ses.okToLoad, ses.getMaxSeverity |
32 * //provides ses.is, ses.makeDelayedTamperProof | 32 * //provides ses.is, ses.makeDelayedTamperProof |
33 * //provides ses.makeCallerHarmless, ses.makeArgumentsHarmless | 33 * //provides ses.makeCallerHarmless, ses.makeArgumentsHarmless |
34 * //provides ses.noFuncPoison | 34 * //provides ses.noFuncPoison |
35 * //provides ses.verifyStrictFunctionBody | 35 * //provides ses.verifyStrictFunctionBody |
| 36 * //provides ses.getUndeniables, ses.earlyUndeniables |
| 37 * //provides ses.getAnonIntrinsics |
36 * | 38 * |
37 * @author Mark S. Miller | 39 * @author Mark S. Miller |
38 * @requires ___global_test_function___, ___global_valueOf_function___ | 40 * @requires ___global_test_function___, ___global_valueOf_function___ |
39 * @requires JSON, eval, this | 41 * @requires JSON, eval, this |
40 * @requires navigator, document, DOMException | 42 * @requires navigator, document, DOMException |
41 * @overrides ses, repairES5Module | 43 * @overrides ses, repairES5Module |
42 * @overrides RegExp, WeakMap, Object, parseInt | 44 * @overrides RegExp, WeakMap, Object, parseInt |
43 */ | 45 */ |
44 var RegExp; | 46 var RegExp; |
45 var ses; | 47 var ses; |
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
193 * poison properties for simple safety, rather than trying to find | 195 * poison properties for simple safety, rather than trying to find |
194 * subtle corner cases by which they might lose safety. If any of | 196 * subtle corner cases by which they might lose safety. If any of |
195 * this fails, then we proceed under the assumption we're in the old | 197 * this fails, then we proceed under the assumption we're in the old |
196 * regime. | 198 * regime. |
197 * | 199 * |
198 * If noFuncPoison, then we're in the new regime made simply safe by | 200 * If noFuncPoison, then we're in the new regime made simply safe by |
199 * these deletions, and we do not treat the names 'caller' and | 201 * these deletions, and we do not treat the names 'caller' and |
200 * 'arguments' on functions as special. | 202 * 'arguments' on functions as special. |
201 */ | 203 */ |
202 var noFuncPoison = | 204 var noFuncPoison = |
203 Function.prototype.hasOwnProperty('caller') && | 205 Function.prototype.hasOwnProperty('caller') && |
204 Function.prototype.hasOwnProperty('arguments') && | 206 Function.prototype.hasOwnProperty('arguments') && |
205 !strictFnSpecimen.hasOwnProperty('caller') && | 207 !strictFnSpecimen.hasOwnProperty('caller') && |
206 !strictFnSpecimen.hasOwnProperty('arguments') && | 208 !strictFnSpecimen.hasOwnProperty('arguments') && |
207 !builtInMapMethod.hasOwnProperty('caller') && | 209 !builtInMapMethod.hasOwnProperty('caller') && |
208 !builtInMapMethod.hasOwnProperty('arguments') && | 210 !builtInMapMethod.hasOwnProperty('arguments') && |
209 delete Function.prototype.caller && | 211 delete Function.prototype.caller && |
210 delete Function.prototype.arguments && | 212 delete Function.prototype.arguments && |
211 !Function.prototype.hasOwnProperty('caller') && | 213 !Function.prototype.hasOwnProperty('caller') && |
212 !Function.prototype.hasOwnProperty('arguments'); | 214 !Function.prototype.hasOwnProperty('arguments'); |
213 ses.noFuncPoison = noFuncPoison; | 215 ses.noFuncPoison = noFuncPoison; |
214 | 216 |
215 | 217 |
216 /** | 218 /** |
217 * http://wiki.ecmascript.org/doku.php?id=harmony:egal | 219 * http://wiki.ecmascript.org/doku.php?id=harmony:egal |
218 */ | 220 */ |
219 var is = ses.is = Object.is || function(x, y) { | 221 var is = ses.is = Object.is || function(x, y) { |
220 if (x === y) { | 222 if (x === y) { |
221 // 0 === -0, but they are not identical | 223 // 0 === -0, but they are not identical |
222 return x !== 0 || 1 / x === 1 / y; | 224 return x !== 0 || 1 / x === 1 / y; |
(...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
324 * initialization has done all the monkey patching that it is going | 326 * initialization has done all the monkey patching that it is going |
325 * to do on the Object.* methods, but before any untrusted code runs | 327 * to do on the Object.* methods, but before any untrusted code runs |
326 * in this context. | 328 * in this context. |
327 */ | 329 */ |
328 function makeTamperProof() { | 330 function makeTamperProof() { |
329 | 331 |
330 // Sample these after all trusted monkey patching initialization | 332 // Sample these after all trusted monkey patching initialization |
331 // but before any untrusted code runs in this frame. | 333 // but before any untrusted code runs in this frame. |
332 var gopd = Object.getOwnPropertyDescriptor; | 334 var gopd = Object.getOwnPropertyDescriptor; |
333 var gopn = Object.getOwnPropertyNames; | 335 var gopn = Object.getOwnPropertyNames; |
334 var getProtoOf = Object.getPrototypeOf; | |
335 var freeze = Object.freeze; | 336 var freeze = Object.freeze; |
336 var isFrozen = Object.isFrozen; | 337 var isFrozen = Object.isFrozen; |
337 var defProp = Object.defineProperty; | 338 var defProp = Object.defineProperty; |
338 var call = Function.prototype.call; | 339 var call = Function.prototype.call; |
339 | 340 |
340 function forEachNonPoisonOwn(obj, callback) { | 341 function forEachNonPoisonOwn(obj, callback) { |
341 var list = gopn(obj); | 342 var list = gopn(obj); |
342 var len = list.length; | 343 var len = list.length; |
343 var i, j, name; // crockford rule | 344 var i, j, name; // crockford rule |
344 if (typeof obj === 'function') { | 345 if (typeof obj === 'function') { |
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
492 * ctor. methodName must be the name of a method on ctor.prototype | 493 * ctor. methodName must be the name of a method on ctor.prototype |
493 * that, when applied to an exotic object of this exotic type as | 494 * that, when applied to an exotic object of this exotic type as |
494 * this-value, with the provided args list, will return without | 495 * this-value, with the provided args list, will return without |
495 * error, but when applied to any other object as this-value will | 496 * error, but when applied to any other object as this-value will |
496 * throw an error. opt_example, if provided, must be an example of | 497 * throw an error. opt_example, if provided, must be an example of |
497 * such an exotic object that can be used for internal sanity | 498 * such an exotic object that can be used for internal sanity |
498 * checking before returning a brandTester. | 499 * checking before returning a brandTester. |
499 * | 500 * |
500 * <p>Uses Allen's trick from | 501 * <p>Uses Allen's trick from |
501 * https://esdiscuss.org/topic/tostringtag-spoofing-for-null-and-undefined#con
tent-59 | 502 * https://esdiscuss.org/topic/tostringtag-spoofing-for-null-and-undefined#con
tent-59 |
502 * for brand testing that will remain reliable in ES6. | 503 * for brand testing that will remain reliable in ES6. |
503 * However, testing reveals that, on FF 35.0.1, a proxy on an exotic | 504 * However, testing reveals that, on FF 35.0.1, a proxy on an exotic |
504 * object X will pass this brand test when X will. This is fixed as of | 505 * object X will pass this brand test when X will. This is fixed as of |
505 * FF Nightly 38.0a1. | 506 * FF Nightly 38.0a1. |
506 * | 507 * |
507 * <p>Returns a brandTester function such that, if brandTester(specimen) | 508 * <p>Returns a brandTester function such that, if brandTester(specimen) |
508 * returns true, this is a reliable indicator that specimen actually | 509 * returns true, this is a reliable indicator that specimen actually |
509 * is an exotic object of that type. | 510 * is an exotic object of that type. |
510 * | 511 * |
511 * <p>As a convenience, ctor may be undefined, in which | 512 * <p>As a convenience, ctor may be undefined, in which |
512 * case we assume that there are no exotic objects of that kind. In | 513 * case we assume that there are no exotic objects of that kind. In |
(...skipping 95 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
608 RegExp, 'exec', ['x'], /x/); | 609 RegExp, 'exec', ['x'], /x/); |
609 | 610 |
610 /** | 611 /** |
611 * A reliable brand test for whether specimen has a [[WeakMapData]] | 612 * A reliable brand test for whether specimen has a [[WeakMapData]] |
612 * internal slot. | 613 * internal slot. |
613 */ | 614 */ |
614 var isBuiltinWeakMap = makeBrandTester( | 615 var isBuiltinWeakMap = makeBrandTester( |
615 global.WeakMap, 'get', [{}], global.WeakMap ? new WeakMap() : void 0); | 616 global.WeakMap, 'get', [{}], global.WeakMap ? new WeakMap() : void 0); |
616 | 617 |
617 | 618 |
618 /////////////////////////////////////////// | 619 //////////////// Undeniables and Intrinsics ////////////// |
| 620 |
| 621 |
| 622 /** |
| 623 * A known strict function which returns its arguments object. |
| 624 */ |
| 625 function strictArguments() { return arguments; } |
| 626 |
| 627 /** |
| 628 * A known sloppy function which returns its arguments object. |
| 629 * |
| 630 * Defined using Function so it'll be sloppy (not strict and not |
| 631 * builtin). |
| 632 */ |
| 633 var sloppyArguments = Function('return arguments;'); |
| 634 |
| 635 /** |
| 636 * If present, a known strict generator function which yields its |
| 637 * arguments object. |
| 638 * |
| 639 * <p>TODO: once all supported browsers implement ES6 generators, we |
| 640 * can drop the "try"s below, drop the check for old Mozilla |
| 641 * generator syntax, and treat strictArgumentsGenerator as |
| 642 * unconditional in the test of the code. |
| 643 */ |
| 644 var strictArgumentsGenerator = void 0; |
| 645 try { |
| 646 // ES6 syntax |
| 647 strictArgumentsGenerator = |
| 648 eval('(function*() { "use strict"; yield arguments; })'); |
| 649 } catch (ex) { |
| 650 if (!(ex instanceof SyntaxError)) { throw ex; } |
| 651 try { |
| 652 // Old Firefox syntax |
| 653 strictArgumentsGenerator = |
| 654 eval('(function() { "use strict"; yield arguments; })'); |
| 655 } catch (ex2) { |
| 656 if (!(ex2 instanceof SyntaxError)) { throw ex2; } |
| 657 } |
| 658 } |
| 659 |
| 660 /** |
| 661 * The undeniables are the primordial objects which are ambiently |
| 662 * reachable via compositions of strict syntax, primitive wrapping |
| 663 * (new Object(x)), and prototype navigation (the equivalent of |
| 664 * Object.getPrototypeOf(x) or x.__proto__). Although we could in |
| 665 * theory monkey patch primitive wrapping or prototype navigation, |
| 666 * we won't. Hence, without parsing, the following are undeniable no |
| 667 * matter what <i>other</i> monkey patching we do to the primordial |
| 668 * environment. |
| 669 */ |
| 670 function getUndeniables() { |
| 671 var gopd = Object.getOwnPropertyDescriptor; |
| 672 var getProto = Object.getPrototypeOf; |
| 673 |
| 674 // The first element of each undeniableTuple is a string used to |
| 675 // name the undeniable object for reporting purposes. It has no |
| 676 // other programmatic use. |
| 677 // |
| 678 // The second element of each undeniableTuple should be the |
| 679 // undeniable itself. |
| 680 // |
| 681 // The optional third element of the undeniableTuple, if present, |
| 682 // should be an example of syntax, rather than use of a monkey |
| 683 // patchable API, evaluating to a value from which the undeniable |
| 684 // object in the second element can be reached by only the |
| 685 // following steps: |
| 686 // If the value is primitve, convert to an Object wrapper. |
| 687 // Is the resulting object either the undeniable object, or does |
| 688 // it inherit directly from the undeniable object? |
| 689 |
| 690 var undeniableTuples = [ |
| 691 ['Object.prototype', Object.prototype, {}], |
| 692 ['Function.prototype', Function.prototype, function(){}], |
| 693 ['Array.prototype', Array.prototype, []], |
| 694 ['RegExp.prototype', RegExp.prototype, /x/], |
| 695 ['Boolean.prototype', Boolean.prototype, true], |
| 696 ['Number.prototype', Number.prototype, 1], |
| 697 ['String.prototype', String.prototype, 'x'], |
| 698 ]; |
| 699 var result = {}; |
| 700 |
| 701 // Get the ES6 %Generator% intrinsic, if present. |
| 702 // It is undeniable because individual generator functions inherit |
| 703 // from it. |
| 704 (function() { |
| 705 // See http://people.mozilla.org/~jorendorff/figure-2.png |
| 706 // i.e., Figure 2 of section 25.2 "Generator Functions" of the |
| 707 // ES6 spec. |
| 708 // https://people.mozilla.org/~jorendorff/es6-draft.html#sec-generatorfunc
tion-objects |
| 709 if (!strictArgumentsGenerator) { return; } |
| 710 var Generator = getProto(strictArgumentsGenerator); |
| 711 undeniableTuples.push(['%Generator%', Generator, |
| 712 strictArgumentsGenerator]); |
| 713 strictArgumentsGenerator = strictArgumentsGenerator; |
| 714 }()); |
| 715 |
| 716 strictForEachFn(undeniableTuples, function(tuple) { |
| 717 var name = tuple[0]; |
| 718 var undeniable = tuple[1]; |
| 719 var start = tuple[2]; |
| 720 result[name] = undeniable; |
| 721 if (start === void 0) { return; } |
| 722 start = Object(start); |
| 723 if (undeniable === start) { return; } |
| 724 if (undeniable === getProto(start)) { return; } |
| 725 throw new Error('Unexpected undeniable: ' + undeniable); |
| 726 }); |
| 727 |
| 728 return result; |
| 729 } |
| 730 ses.getUndeniables = getUndeniables; |
| 731 |
| 732 // For consistency checking, once we've done all our whitelist |
| 733 // processing and monkey patching, we will call getUndeniables again |
| 734 // and check that the undeniables are the same. |
| 735 ses.earlyUndeniables = getUndeniables(); |
| 736 |
| 737 |
| 738 /** |
| 739 * Get the intrinsics not otherwise reachable by named own property |
| 740 * traversal. See |
| 741 * https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrin
sic-objects |
| 742 * and the instrinsics section of whitelist.js |
| 743 * |
| 744 * <p>Unlike getUndeniables(), the result of getAnonIntrinsics() |
| 745 * does depend on the current state of the primordials, so we must |
| 746 * run this again after all other relevant monkey patching is done, |
| 747 * in order to properly initialize cajaVM.intrinsics |
| 748 */ |
| 749 function getAnonIntrinsics() { |
| 750 var gopd = Object.getOwnPropertyDescriptor; |
| 751 var getProto = Object.getPrototypeOf; |
| 752 var result = {}; |
| 753 |
| 754 // If there are still other ThrowTypeError objects left after |
| 755 // noFuncPoison-ing, this should be caught by |
| 756 // test_THROWTYPEERROR_NOT_UNIQUE below, so we assume here that |
| 757 // this is the only surviving ThrowTypeError intrinsic. |
| 758 result.ThrowTypeError = gopd(arguments, 'caller').get; |
| 759 |
| 760 // Get the ES6 %ArrayIteratorPrototype%, %StringIteratorPrototype%, |
| 761 // and %IteratorPrototype% intrinsics, if present. |
| 762 |
| 763 // TODO %MapIteratorPrototype%, %SetIteratorPrototype% |
| 764 // It is currently safe to omit %MapIteratorPrototype% and |
| 765 // %SetIteratorPrototype% since we do not yet whitelist Map and |
| 766 // Set. |
| 767 (function() { |
| 768 var iteratorSym = global.Symbol && global.Symbol.iterator || |
| 769 "@@iterator"; // used instead of a symbol on FF35 |
| 770 if ([][iteratorSym]) { |
| 771 var arrayIter = [][iteratorSym](); |
| 772 var ArrayIteratorPrototype = getProto(arrayIter); |
| 773 result.ArrayIteratorPrototype = ArrayIteratorPrototype; |
| 774 var arrayIterProtoBase = getProto(ArrayIteratorPrototype); |
| 775 if (arrayIterProtoBase !== Object.prototype) { |
| 776 if (getProto(arrayIterProtoBase) !== Object.prototype) { |
| 777 throw new Error( |
| 778 '%IteratorPrototype%.__proto__ was not Object.prototype'); |
| 779 } |
| 780 result.IteratorPrototype = arrayIterProtoBase; |
| 781 } |
| 782 } |
| 783 if (''[iteratorSym]) { |
| 784 var stringIter = ''[iteratorSym](); |
| 785 var StringIteratorPrototype = getProto(stringIter); |
| 786 result.StringIteratorPrototype = StringIteratorPrototype; |
| 787 var stringIterProtoBase = getProto(StringIteratorPrototype); |
| 788 if (stringIterProtoBase !== Object.prototype) { |
| 789 if (!result.IteratorPrototype) { |
| 790 if (getProto(stringIterProtoBase) !== Object.prototype) { |
| 791 throw new Error( |
| 792 '%IteratorPrototype%.__proto__ was not Object.prototype'); |
| 793 } |
| 794 result.IteratorPrototype = stringIterProtoBase; |
| 795 } else { |
| 796 if (result.IteratorPrototype !== stringIterProtoBase) { |
| 797 throw new Error('unexpected %StringIteratorPrototype%.__proto__'); |
| 798 } |
| 799 } |
| 800 } |
| 801 } |
| 802 }()); |
| 803 |
| 804 // Get the ES6 %GeneratorFunction% intrinsic, if present. |
| 805 (function() { |
| 806 var Generator = ses.earlyUndeniables['%Generator%']; |
| 807 if (!Generator || Generator === Function.prototype) { return; } |
| 808 if (getProto(Generator) !== Function.prototype) { |
| 809 throw new Error('Generator.__proto__ was not Function.prototype'); |
| 810 } |
| 811 var GeneratorFunction = Generator.constructor; |
| 812 if (GeneratorFunction === Function) { return; } |
| 813 if (getProto(GeneratorFunction) !== Function) { |
| 814 throw new Error('GeneratorFunction.__proto__ was not Function'); |
| 815 } |
| 816 result.GeneratorFunction = GeneratorFunction; |
| 817 var genProtoBase = getProto(Generator.prototype); |
| 818 if (genProtoBase !== result.IteratorPrototype && |
| 819 genProtoBase !== Object.prototype) { |
| 820 throw new Error('Unexpected Generator.prototype.__proto__'); |
| 821 } |
| 822 }()); |
| 823 |
| 824 // Get the ES6 %TypedArray% intrinsic, if present. |
| 825 (function() { |
| 826 if (!global.Float32Array) { return; } |
| 827 var TypedArray = getProto(global.Float32Array); |
| 828 if (TypedArray === Function.prototype) { return; } |
| 829 if (getProto(TypedArray) !== Function.prototype) { |
| 830 // http://bespin.cz/~ondras/html/classv8_1_1ArrayBufferView.html |
| 831 // has me worried that someone might make such an intermediate |
| 832 // object visible. |
| 833 throw new Error('TypedArray.__proto__ was not Function.prototype'); |
| 834 } |
| 835 result.TypedArray = TypedArray; |
| 836 }()); |
| 837 |
| 838 for (var name in result) { |
| 839 if (result[name] === void 0) { |
| 840 throw new Error('Malformed intrinsic: ' + name); |
| 841 } |
| 842 } |
| 843 |
| 844 return result; |
| 845 } |
| 846 ses.getAnonIntrinsics = getAnonIntrinsics; |
| 847 |
| 848 var unsafeIntrinsics = getAnonIntrinsics(); |
| 849 |
| 850 |
| 851 ////////////////////////////////////////////////////////// |
619 | 852 |
620 /** | 853 /** |
621 * Fails if {@code funcBodySrc} does not parse as a strict | 854 * Fails if {@code funcBodySrc} does not parse as a strict |
622 * FunctionBody. | 855 * FunctionBody. |
623 * | 856 * |
624 * <p>ses.verifyStrictFunctionBody is exported from repairES5 | 857 * <p>ses.verifyStrictFunctionBody is exported from repairES5 |
625 * because the best way to perform this verification on a given | 858 * because the best way to perform this verification on a given |
626 * platform depends on whether the platform's Function constructor | 859 * platform depends on whether the platform's Function constructor |
627 * <a href= | 860 * <a href= |
628 * "https://code.google.com/p/google-caja/issues/detail?id=1616" | 861 * "https://code.google.com/p/google-caja/issues/detail?id=1616" |
(...skipping 2224 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2853 if (desc === undefined) { return false; } | 3086 if (desc === undefined) { return false; } |
2854 if (desc.configurable) { return false; } | 3087 if (desc.configurable) { return false; } |
2855 if (desc.value === null && desc.configurable === false) { | 3088 if (desc.value === null && desc.configurable === false) { |
2856 // the problematic-for-us case, known to occur in Chrome 25.0.1364.172 | 3089 // the problematic-for-us case, known to occur in Chrome 25.0.1364.172 |
2857 return true; | 3090 return true; |
2858 } | 3091 } |
2859 return 'Unexpected __proto__ own property descriptor, enumerable: ' + | 3092 return 'Unexpected __proto__ own property descriptor, enumerable: ' + |
2860 desc.enumerable + ', value: ' + desc.value; | 3093 desc.enumerable + ', value: ' + desc.value; |
2861 } | 3094 } |
2862 | 3095 |
2863 function getThrowTypeError() { | |
2864 return Object.getOwnPropertyDescriptor(arguments, 'caller').get; | |
2865 } | |
2866 | |
2867 /** | 3096 /** |
2868 * A known strict function which returns its arguments object. | 3097 * %ThrowTypeError% is not unique (even after whatever cleanup was |
2869 */ | 3098 * already done during the noFuncPoison testing above). |
2870 function strictArguments() { return arguments; } | |
2871 | |
2872 /** | |
2873 * A known sloppy function which returns its arguments object. | |
2874 * | |
2875 * Defined using Function so it'll be sloppy (not strict and not | |
2876 * builtin). | |
2877 */ | |
2878 var sloppyArguments = Function('return arguments;'); | |
2879 | |
2880 /** | |
2881 * [[ThrowTypeError]] is not unique (even after whatever cleanup was | |
2882 * already done during the noPoison testing above). | |
2883 */ | 3099 */ |
2884 function test_THROWTYPEERROR_NOT_UNIQUE() { | 3100 function test_THROWTYPEERROR_NOT_UNIQUE() { |
2885 var tte = getThrowTypeError(); | 3101 var tte = unsafeIntrinsics.ThrowTypeError; |
2886 if (typeof tte !== 'function') { | 3102 if (typeof tte !== 'function') { |
2887 return 'Unexpected [[ThrowTypeError]]: ' + tte; | 3103 return 'Unexpected %ThrowTypeError%: ' + tte; |
2888 } | 3104 } |
2889 var others = []; | 3105 var others = []; |
2890 strictForEachFn([ | 3106 var sourcesOfTTE = [ |
2891 [Function.prototype, 'Function.prototype', ['caller', 'arguments']], | 3107 [Function.prototype, 'Function.prototype', ['caller', 'arguments']], |
2892 [builtInMapMethod, 'builtin function', ['caller', 'arguments']], | 3108 [builtInMapMethod, 'builtin function', ['caller', 'arguments']], |
2893 [strictArguments, 'strict function', ['caller', 'arguments']], | 3109 [strictArguments, 'strict function', ['caller', 'arguments']], |
2894 [sloppyArguments, 'sloppy function', ['caller', 'arguments']], | 3110 [sloppyArguments, 'sloppy function', ['caller', 'arguments']], |
2895 [strictArguments(), 'strict arguments', ['caller', 'callee']], | 3111 [strictArguments(), 'strict arguments', ['caller', 'callee']], |
2896 [sloppyArguments(), 'sloppy arguments', ['caller', 'callee']] | 3112 [sloppyArguments(), 'sloppy arguments', ['caller', 'callee']] |
2897 ], function(triple) { | 3113 ]; |
2898 var base = triple[0]; | 3114 if (strictArgumentsGenerator) { |
2899 var where = triple[1]; | 3115 var strictGeneratedArgs = strictArgumentsGenerator().next().value; |
2900 var names = triple[2]; | 3116 sourcesOfTTE.push( |
| 3117 [strictArgumentsGenerator, 'strict generator', ['caller', 'arguments']], |
| 3118 [strictGeneratedArgs, 'strict generated arguments', |
| 3119 ['caller', 'callee']]); |
| 3120 } |
| 3121 var Generator = ses.earlyUndeniables['%Generator%']; |
| 3122 if (Generator) { |
| 3123 sourcesOfTTE.push([Generator, '%Generator%', ['caller', 'arguments']]); |
| 3124 } |
| 3125 var GeneratorFunction = unsafeIntrinsics.GeneratorFunction; |
| 3126 if (GeneratorFunction) { |
| 3127 sourcesOfTTE.push([GeneratorFunction, '%GeneratorFunction%', |
| 3128 ['caller', 'arguments']]); |
| 3129 } |
| 3130 |
| 3131 strictForEachFn(sourcesOfTTE, function(sourceOfTTE) { |
| 3132 var base = sourceOfTTE[0]; |
| 3133 var where = sourceOfTTE[1]; |
| 3134 var names = sourceOfTTE[2]; |
2901 strictForEachFn(names, function(name) { | 3135 strictForEachFn(names, function(name) { |
2902 var desc = Object.getOwnPropertyDescriptor(base, name); | 3136 var desc = Object.getOwnPropertyDescriptor(base, name); |
2903 if (!desc) { return; } | 3137 if (!desc) { return; } |
2904 strictForEachFn(['get', 'set'], function (attr) { | 3138 strictForEachFn(['get', 'set'], function (attr) { |
2905 var otherTTE = desc[attr]; | 3139 var otherTTE = desc[attr]; |
2906 if (!otherTTE || otherTTE === tte) { return; } | 3140 if (!otherTTE || otherTTE === tte) { return; } |
2907 others.push(where + ' ' + attr + ' ' + name); | 3141 others.push(where + ' ' + attr + ' ' + name); |
2908 }); | 3142 }); |
2909 }); | 3143 }); |
2910 }); | 3144 }); |
2911 if (others.length === 0) { return false; } | 3145 if (others.length === 0) { return false; } |
2912 return 'Multiple [[ThrowTypeError]]s: ' + others.join(', '); | 3146 return 'Multiple %ThrowTypeError%s: ' + others.join(', '); |
2913 } | 3147 } |
2914 | 3148 |
2915 /** | 3149 /** |
2916 * [[ThrowTypeError]] is extensible or has modifiable properties. | 3150 * %ThrowTypeError% is extensible or has modifiable properties. |
2917 */ | 3151 */ |
2918 function test_THROWTYPEERROR_UNFROZEN() { | 3152 function test_THROWTYPEERROR_UNFROZEN() { |
2919 return !Object.isFrozen(getThrowTypeError()); | 3153 return !Object.isFrozen(unsafeIntrinsics.ThrowTypeError); |
2920 } | 3154 } |
2921 | 3155 |
2922 /** | 3156 /** |
2923 * [[ThrowTypeError]] has properties which the spec gives to other function | 3157 * %ThrowTypeError% has properties which the spec gives to other function |
2924 * objects but not [[ThrowTypeError]]. | 3158 * objects but not %ThrowTypeError%. |
2925 * | 3159 * |
2926 * We don't check for arbitrary properties because they might be extensions | 3160 * We don't check for arbitrary properties because they might be extensions |
2927 * for all function objects, which we don't particularly want to complain | 3161 * for all function objects, which we don't particularly want to complain |
2928 * about (and will delete via whitelisting). | 3162 * about (and will delete via whitelisting). |
2929 */ | 3163 */ |
2930 function test_THROWTYPEERROR_PROPERTIES() { | 3164 function test_THROWTYPEERROR_PROPERTIES() { |
2931 var tte = getThrowTypeError(); | 3165 var tte = unsafeIntrinsics.ThrowTypeError; |
2932 return !!Object.getOwnPropertyDescriptor(tte, 'prototype') || | 3166 return !!Object.getOwnPropertyDescriptor(tte, 'prototype') || |
2933 !!Object.getOwnPropertyDescriptor(tte, 'arguments') || | 3167 !!Object.getOwnPropertyDescriptor(tte, 'arguments') || |
2934 !!Object.getOwnPropertyDescriptor(tte, 'caller'); | 3168 !!Object.getOwnPropertyDescriptor(tte, 'caller'); |
2935 } | 3169 } |
2936 | 3170 |
2937 /** | 3171 /** |
2938 * See https://code.google.com/p/v8/issues/detail?id=2728 | 3172 * See https://code.google.com/p/v8/issues/detail?id=2728 |
2939 * and https://code.google.com/p/google-caja/issues/detail?id=1616 | 3173 * and https://code.google.com/p/google-caja/issues/detail?id=1616 |
2940 */ | 3174 */ |
2941 function test_SYNTAX_ERRORS_ARENT_ALWAYS_EARLY() { | 3175 function test_SYNTAX_ERRORS_ARENT_ALWAYS_EARLY() { |
(...skipping 238 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3180 } else { | 3414 } else { |
3181 return 'Unexpected prototype identity from setting a function\'s ' + | 3415 return 'Unexpected prototype identity from setting a function\'s ' + |
3182 'prototype with defineProperty.'; | 3416 'prototype with defineProperty.'; |
3183 } | 3417 } |
3184 } else { | 3418 } else { |
3185 return 'Unexpected result of setting a function\'s prototype ' + | 3419 return 'Unexpected result of setting a function\'s prototype ' + |
3186 'with defineProperty: ' + typeof bar.prototype; | 3420 'with defineProperty: ' + typeof bar.prototype; |
3187 } | 3421 } |
3188 } | 3422 } |
3189 | 3423 |
| 3424 /** |
| 3425 * In ES6, the constructor property of the %Generator% intrinsic |
| 3426 * initially points at the unsafe %GeneratorFunction% intrinsic. This |
| 3427 * property is supposed to have attributes |
| 3428 * { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true } |
| 3429 * Prior to 2/19/2015, on v8 it had attributes |
| 3430 * { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: false } |
| 3431 * making it impossible to change the property's value. |
| 3432 * |
| 3433 * <p>Since the original %GeneratorFunction% intrinsic, like the |
| 3434 * global Function constructor, accepts a function body which it |
| 3435 * executes in the global scope, it would be reachable by any |
| 3436 * generator. Without parsing, we would not be able to prevent |
| 3437 * the following expression |
| 3438 * <pre> |
| 3439 * (function*(){}).constructor('yield window;')().next().value |
| 3440 * </pre> |
| 3441 * from providing the genuine global window object of that realm. |
| 3442 */ |
| 3443 function test_GENERATORFUNCTION_CANNOT_BE_DENIED() { |
| 3444 var gopd = Object.getOwnPropertyDescriptor; |
| 3445 var getProto = Object.getPrototypeOf; |
| 3446 |
| 3447 var UnsafeGeneratorFunction = unsafeIntrinsics.GeneratorFunction; |
| 3448 if (!UnsafeGeneratorFunction) { return false; } |
| 3449 var Generator = ses.earlyUndeniables['%Generator%']; |
| 3450 if (!(Generator && |
| 3451 Generator.constructor === UnsafeGeneratorFunction && |
| 3452 UnsafeGeneratorFunction.prototype === Generator && |
| 3453 getProto(UnsafeGeneratorFunction) === UnsafeFunction && |
| 3454 getProto(Generator) === Function.prototype)) { |
| 3455 return 'Unexpected primordial Generator arrangement'; |
| 3456 } |
| 3457 var desc = gopd(Generator, 'constructor'); |
| 3458 return desc.writable === false && desc.configurable === false; |
| 3459 } |
| 3460 |
| 3461 /** |
| 3462 * ES6 introduces a new "import" special form syntax, which imports |
| 3463 * access to modules that we cannot currently control. Therefore, if |
| 3464 * we cannot prevent use of the "import" syntax, we lose |
| 3465 * isolation. Fortunately, the "import" syntax can only legally |
| 3466 * occur with modules, not within the text that the original eval, |
| 3467 * Function, or %GeneratorFunction% would accept. Since untrusted |
| 3468 * code enters a SES environment only through these, we should be |
| 3469 * safe. |
| 3470 * |
| 3471 * <p>This test checks that this assumption indeed holds for the |
| 3472 * current platform. |
| 3473 */ |
| 3474 function test_IMPORT_CAN_BE_EVALLED() { |
| 3475 // From Table 40 at |
| 3476 // https://people.mozilla.org/~jorendorff/es6-draft.html#sec-source-text-mod
ule-records |
| 3477 // The following test will actually attempt to eval the following |
| 3478 // strings, so it is important that there not be strings here that |
| 3479 // can do damage if this eval succeeds during SES |
| 3480 // initialization. This is before any untrusted code runs in this |
| 3481 // realm, so we assume that no module named __noModWithThisName__ |
| 3482 // is yet importable. |
| 3483 var importExamples = [ |
| 3484 'import v from "__noModWithThisName__";', |
| 3485 'import * as ns from "__noModWithThisName__";', |
| 3486 'import {x} from "__noModWithThisName__";', |
| 3487 'import {x as v} from "__noModWithThisName__";', |
| 3488 'import "__noModWithThisName__";']; |
| 3489 var evallers = [unsafeEval, UnsafeFunction]; |
| 3490 if (unsafeIntrinsics.GeneratorFunction) { |
| 3491 evallers.push(unsafeIntrinsics.GeneratorFunction); |
| 3492 } |
| 3493 for (var i = 0; i < importExamples.length; i++) { |
| 3494 for (var j = 0; j < evallers.length; j++) { |
| 3495 try { |
| 3496 evallers[j](importExamples[i]); |
| 3497 return true; |
| 3498 } catch (ex) { |
| 3499 if (!(ex instanceof SyntaxError)) { |
| 3500 return 'unexpected "' + importExamples[i] + '" failure: ' + ex; |
| 3501 } |
| 3502 } |
| 3503 } |
| 3504 } |
| 3505 return false; |
| 3506 } |
| 3507 |
| 3508 /** |
| 3509 * Detects https://bugs.webkit.org/show_bug.cgi?id=141865 |
| 3510 * |
| 3511 * <p>On Safari 7.0.5 (9537.77.4), the getter of the |
| 3512 * Object.prototype.__proto__ property, if applied to undefined, |
| 3513 * acts like a sloppy function would, coercing the undefined to the |
| 3514 * global object and returning the global object's [[Prototype]]. |
| 3515 */ |
| 3516 function test_UNDERBAR_PROTO_GETTER_USES_GLOBAL() { |
| 3517 var gopd = Object.getOwnPropertyDescriptor; |
| 3518 var getProto = Object.getPrototypeOf; |
| 3519 |
| 3520 var desc = gopd(Object.prototype, '__proto__'); |
| 3521 if (!desc) { return false; } |
| 3522 var getter = desc.get; |
| 3523 if (!getter) { return false; } |
| 3524 var globalProto = void 0; |
| 3525 try { |
| 3526 globalProto = getter(); |
| 3527 } catch (ex) { |
| 3528 if (ex instanceof TypeError && globalProto === void 0) { |
| 3529 return false; |
| 3530 } |
| 3531 return 'unexpected error: ' + ex; |
| 3532 } |
| 3533 if (getProto(global) === globalProto) { return true; } |
| 3534 return 'unexpected global.__proto__: ' + globalProto; |
| 3535 } |
| 3536 |
| 3537 /** |
| 3538 * Detects https://bugs.webkit.org/show_bug.cgi?id=141865 |
| 3539 * |
| 3540 * <p>On Safari 7.0.5 (9537.77.4), the setter of the |
| 3541 * Object.prototype.__proto__ property, if applied to undefined, |
| 3542 * acts like a sloppy function would, coercing the undefined to the |
| 3543 * global object and setting its [[Prototype]]. |
| 3544 */ |
| 3545 function test_UNDERBAR_PROTO_SETTER_USES_GLOBAL() { |
| 3546 var gopd = Object.getOwnPropertyDescriptor; |
| 3547 var getProto = Object.getPrototypeOf; |
| 3548 |
| 3549 var desc = gopd(Object.prototype, '__proto__'); |
| 3550 if (!desc) { return false; } |
| 3551 var setter = desc.set; |
| 3552 if (!setter) { return false; } |
| 3553 var globalProto = getProto(global); |
| 3554 // Just insert an intermediate object into the prototype chain of the |
| 3555 // global object, so this realm is left in a usable state. |
| 3556 var splicedProto = Object.create(globalProto); |
| 3557 try { |
| 3558 setter(splicedProto); |
| 3559 } catch (ex) { |
| 3560 if (ex instanceof TypeError && getProto(global) === globalProto) { |
| 3561 return false; |
| 3562 } |
| 3563 return 'unexpected error: ' + ex; |
| 3564 } |
| 3565 if (getProto(global) === splicedProto) { return true; } |
| 3566 return 'unexpected global.__proto__: ' + getProto(global); |
| 3567 } |
| 3568 |
| 3569 /** |
| 3570 * Detects https://bugs.webkit.org/show_bug.cgi?id=141878 |
| 3571 * |
| 3572 * <p>On Safari 7.0.5 (9537.77.4), throwing a frozen object results |
| 3573 * in it becoming unfrozen and several properties being added to |
| 3574 * it: 'line', 'column', 'sourceURL' (not always), and 'stack'. The |
| 3575 * big security hole is due to 'stack', which is added as a |
| 3576 * writable configurable property. Although initialized to a string, |
| 3577 * one can assign an arbitrary object to it, opening a capability |
| 3578 * leak. |
| 3579 */ |
| 3580 function test_THROWING_THAWS_FROZEN_OBJECT() { |
| 3581 var o = Object.freeze([1, 2]); |
| 3582 if (!Object.isFrozen(o)) { |
| 3583 return 'Unexpected spontaneous thaw'; |
| 3584 } |
| 3585 var oldNames = Object.getOwnPropertyNames(o); |
| 3586 try { |
| 3587 throw o; |
| 3588 } catch (e) { |
| 3589 if (e !== o) { |
| 3590 return 'What was thrown is not what was caught'; |
| 3591 } |
| 3592 if (Object.isFrozen(e)) { |
| 3593 // In the bug we're testing for, Object.isFrozen(e) is false, |
| 3594 // which is dealt with below this if-statement. |
| 3595 // If Object.isFrozen(e) is true, presumably this platform |
| 3596 // does not have the bug. Before concluding that we're safe |
| 3597 // from this bug (returning false) the rest of this case does |
| 3598 // a bit of sanity checking to make sure that other symptoms |
| 3599 // of this bug are absent. |
| 3600 var newNames = Object.getOwnPropertyNames(o); |
| 3601 if (oldNames.length !== newNames.length) { |
| 3602 return 'Throwing changed properties to: ' + newNames; |
| 3603 } |
| 3604 return false; |
| 3605 } |
| 3606 var oldStack = e.stack; |
| 3607 var capLeak = {}; |
| 3608 try { |
| 3609 e.stack = capLeak; |
| 3610 } catch (err) { |
| 3611 if (e.stack === oldStack) { |
| 3612 throw 'Unexpected failure to leak: ' + err; |
| 3613 } |
| 3614 } |
| 3615 if (e.stack === capLeak) { return true; } |
| 3616 } |
| 3617 return 'Unexpected result of throwing frozen object'; |
| 3618 } |
| 3619 |
| 3620 |
3190 ////////////////////// Repairs ///////////////////// | 3621 ////////////////////// Repairs ///////////////////// |
3191 // | 3622 // |
3192 // Each repair_NAME function exists primarily to repair the problem | 3623 // Each repair_NAME function exists primarily to repair the problem |
3193 // indicated by the corresponding test_NAME function. But other test | 3624 // indicated by the corresponding test_NAME function. But other test |
3194 // failures can still trigger a given repair. | 3625 // failures can still trigger a given repair. |
3195 | 3626 |
3196 | 3627 |
3197 var call = Function.prototype.call; | 3628 var call = Function.prototype.call; |
3198 var apply = Function.prototype.apply; | 3629 var apply = Function.prototype.apply; |
3199 | 3630 |
(...skipping 618 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3818 // conflicting with the caller-specified property names, without | 4249 // conflicting with the caller-specified property names, without |
3819 // needing to examine props twice. | 4250 // needing to examine props twice. |
3820 if (props !== undefined) { | 4251 if (props !== undefined) { |
3821 Object.defineProperties(o, props); | 4252 Object.defineProperties(o, props); |
3822 } | 4253 } |
3823 return o; | 4254 return o; |
3824 } | 4255 } |
3825 }); | 4256 }); |
3826 } | 4257 } |
3827 | 4258 |
| 4259 /** |
| 4260 * Repairs both getter and setter. If either are vulnerable, I don't |
| 4261 * care if the other seemed to pass the test. Better to make them |
| 4262 * both safe. |
| 4263 */ |
| 4264 function repair_UNDERBAR_PROTO_accessors_USE_GLOBAL() { |
| 4265 var gopd = Object.getOwnPropertyDescriptor; |
| 4266 |
| 4267 var oldDesc = gopd(Object.prototype, '__proto__'); |
| 4268 var oldGetter = oldDesc.get; |
| 4269 var oldSetter = oldDesc.set; |
| 4270 function newGetter() { |
| 4271 if (this === null || this === void 0) { |
| 4272 throw new TypeError('Cannot convert null or undefined to object'); |
| 4273 } else { |
| 4274 return oldGetter.call(this); |
| 4275 } |
| 4276 } |
| 4277 function newSetter(newProto) { |
| 4278 if (this === null || this === void 0) { |
| 4279 throw new TypeError('Cannot convert null or undefined to object'); |
| 4280 } else { |
| 4281 oldSetter.call(this, newProto); |
| 4282 } |
| 4283 } |
| 4284 Object.defineProperty(Object.prototype, '__proto__', { |
| 4285 get: oldGetter ? newGetter : void 0, |
| 4286 set: oldSetter ? newSetter : void 0 |
| 4287 }); |
| 4288 } |
| 4289 |
3828 ////////////////////// Generic tests/repairs ///////////////////// | 4290 ////////////////////// Generic tests/repairs ///////////////////// |
3829 // | 4291 // |
3830 // These are tests and repairs which follow a pattern, such that it is | 4292 // These are tests and repairs which follow a pattern, such that it is |
3831 // more practical to define them programmatically. | 4293 // more practical to define them programmatically. |
3832 | 4294 |
3833 function arrayPutProblem(destination, | 4295 function arrayPutProblem(destination, |
3834 prop, testArgs, i, expected, kind, opt_repair) { | 4296 prop, testArgs, i, expected, kind, opt_repair) { |
3835 var pos = ['first', 'last'][i]; | 4297 var pos = ['first', 'last'][i]; |
3836 var descs = { | 4298 var descs = { |
3837 readonly: {writable: false, configurable: false}, | 4299 readonly: {writable: false, configurable: false}, |
(...skipping 667 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4505 { | 4967 { |
4506 id: 'BOUND_FUNCTION_LEAKS_ARGUMENTS', | 4968 id: 'BOUND_FUNCTION_LEAKS_ARGUMENTS', |
4507 description: 'Bound functions leak "arguments"', | 4969 description: 'Bound functions leak "arguments"', |
4508 test: test_BOUND_FUNCTION_LEAKS_ARGUMENTS, | 4970 test: test_BOUND_FUNCTION_LEAKS_ARGUMENTS, |
4509 repair: void 0, | 4971 repair: void 0, |
4510 preSeverity: severities.NOT_OCAP_SAFE, | 4972 preSeverity: severities.NOT_OCAP_SAFE, |
4511 canRepair: false, // Long-dead bug, not worth keeping old repair around | 4973 canRepair: false, // Long-dead bug, not worth keeping old repair around |
4512 urls: ['https://code.google.com/p/v8/issues/detail?id=893', | 4974 urls: ['https://code.google.com/p/v8/issues/detail?id=893', |
4513 'https://bugs.webkit.org/show_bug.cgi?id=63398'], | 4975 'https://bugs.webkit.org/show_bug.cgi?id=63398'], |
4514 sections: ['15.3.4.5'], | 4976 sections: ['15.3.4.5'], |
4515 tests: ['test/language/statements/function/S13.2.3_A1.js', | 4977 tests: ['test/language/statements/function/S13.2.3_A1.js', |
4516 'test/built-ins/Function/prototype/bind/S15.3.4.5_A2.js'] | 4978 'test/built-ins/Function/prototype/bind/S15.3.4.5_A2.js'] |
4517 }, | 4979 }, |
4518 { | 4980 { |
4519 id: 'DELETED_BUILTINS_IN_OWN_NAMES', | 4981 id: 'DELETED_BUILTINS_IN_OWN_NAMES', |
4520 description: 'Deleting built-in leaves phantom behind', | 4982 description: 'Deleting built-in leaves phantom behind', |
4521 test: test_DELETED_BUILTINS_IN_OWN_NAMES, | 4983 test: test_DELETED_BUILTINS_IN_OWN_NAMES, |
4522 repair: void 0, | 4984 repair: void 0, |
4523 preSeverity: severities.SAFE_SPEC_VIOLATION, | 4985 preSeverity: severities.SAFE_SPEC_VIOLATION, |
4524 canRepair: false, // Long-dead bug, not worth keeping old repair around | 4986 canRepair: false, // Long-dead bug, not worth keeping old repair around |
4525 urls: ['https://bugs.webkit.org/show_bug.cgi?id=70207'], | 4987 urls: ['https://bugs.webkit.org/show_bug.cgi?id=70207'], |
(...skipping 362 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4888 test: test_FREEZING_BREAKS_WEAKMAP, | 5350 test: test_FREEZING_BREAKS_WEAKMAP, |
4889 repair: repair_FREEZING_BREAKS_WEAKMAP, | 5351 repair: repair_FREEZING_BREAKS_WEAKMAP, |
4890 preSeverity: severities.UNSAFE_SPEC_VIOLATION, | 5352 preSeverity: severities.UNSAFE_SPEC_VIOLATION, |
4891 canRepair: true, | 5353 canRepair: true, |
4892 urls: ['https://code.google.com/p/v8/issues/detail?id=2829'], | 5354 urls: ['https://code.google.com/p/v8/issues/detail?id=2829'], |
4893 sections: [], // TODO(kpreid): cite when ES6 is final | 5355 sections: [], // TODO(kpreid): cite when ES6 is final |
4894 tests: [] // TODO(kpreid): cite when ES6 is final | 5356 tests: [] // TODO(kpreid): cite when ES6 is final |
4895 }, | 5357 }, |
4896 { | 5358 { |
4897 id: 'THROWTYPEERROR_NOT_UNIQUE', | 5359 id: 'THROWTYPEERROR_NOT_UNIQUE', |
4898 description: '[[ThrowTypeError]] is not unique', | 5360 description: '%ThrowTypeError% is not unique', |
4899 test: test_THROWTYPEERROR_NOT_UNIQUE, | 5361 test: test_THROWTYPEERROR_NOT_UNIQUE, |
4900 repair: void 0, | 5362 repair: void 0, |
4901 preSeverity: severities.UNSAFE_SPEC_VIOLATION, | 5363 preSeverity: severities.UNSAFE_SPEC_VIOLATION, |
4902 canRepair: false, | 5364 canRepair: false, |
4903 urls: [], | 5365 urls: [], |
4904 sections: [], | 5366 sections: [], |
4905 tests: [] | 5367 tests: [] |
4906 }, | 5368 }, |
4907 { | 5369 { |
4908 id: 'THROWTYPEERROR_UNFROZEN', | 5370 id: 'THROWTYPEERROR_UNFROZEN', |
4909 description: '[[ThrowTypeError]] is not frozen', | 5371 description: '%ThrowTypeError% is not frozen', |
4910 test: test_THROWTYPEERROR_UNFROZEN, | 5372 test: test_THROWTYPEERROR_UNFROZEN, |
4911 repair: void 0, | 5373 repair: void 0, |
4912 preSeverity: severities.SAFE_SPEC_VIOLATION, // Note: Safe only because | 5374 preSeverity: severities.SAFE_SPEC_VIOLATION, // Note: Safe only because |
4913 // startSES will do whitelist and defense; per spec intent it's an | 5375 // startSES will do whitelist and defense; per spec intent it's an |
4914 // undesired communication channel. | 5376 // undesired communication channel. |
4915 canRepair: false, // will be repaired by whitelist | 5377 canRepair: false, // will be repaired by whitelist |
4916 urls: ['https://bugs.webkit.org/show_bug.cgi?id=108873'], | 5378 urls: ['https://bugs.webkit.org/show_bug.cgi?id=108873'], |
4917 // TODO(kpreid): find or file Firefox bug (writable props) | 5379 // TODO(kpreid): find or file Firefox bug (writable props) |
4918 // TODO(kpreid): find or file Chrome bug (has a .prototype) | 5380 // TODO(kpreid): find or file Chrome bug (has a .prototype) |
4919 sections: ['13.2.3'], | 5381 sections: ['13.2.3'], |
4920 tests: [] // TODO(jasvir): Add to test262 | 5382 tests: [] // TODO(jasvir): Add to test262 |
4921 }, | 5383 }, |
4922 { | 5384 { |
4923 id: 'THROWTYPEERROR_PROPERTIES', | 5385 id: 'THROWTYPEERROR_PROPERTIES', |
4924 description: '[[ThrowTypeError]] has normal function properties', | 5386 description: '%ThrowTypeError% has normal function properties', |
4925 test: test_THROWTYPEERROR_PROPERTIES, | 5387 test: test_THROWTYPEERROR_PROPERTIES, |
4926 repair: void 0, | 5388 repair: void 0, |
4927 preSeverity: severities.SAFE_SPEC_VIOLATION, | 5389 preSeverity: severities.SAFE_SPEC_VIOLATION, |
4928 canRepair: false, // will be repaired by whitelist | 5390 canRepair: false, // will be repaired by whitelist |
4929 urls: [], | 5391 urls: [], |
4930 // WebKit is OK | 5392 // WebKit is OK |
4931 // TODO(kpreid): find or file Firefox bug (has writable props) | 5393 // TODO(kpreid): find or file Firefox bug (has writable props) |
4932 // TODO(kpreid): find or file Chrome bug (has a .prototype!) | 5394 // TODO(kpreid): find or file Chrome bug (has a .prototype!) |
4933 sections: ['13.2.3'], | 5395 sections: ['13.2.3'], |
4934 tests: [] // TODO(jasvir): Add to test262 | 5396 tests: [] // TODO(jasvir): Add to test262 |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5002 id: 'NUMERIC_PROPERTIES_INVISIBLE', | 5464 id: 'NUMERIC_PROPERTIES_INVISIBLE', |
5003 description: 'Numeric properties not reflectable on create()d objects', | 5465 description: 'Numeric properties not reflectable on create()d objects', |
5004 test: test_NUMERIC_PROPERTIES_INVISIBLE, | 5466 test: test_NUMERIC_PROPERTIES_INVISIBLE, |
5005 repair: repair_NUMERIC_PROPERTIES_INVISIBLE, | 5467 repair: repair_NUMERIC_PROPERTIES_INVISIBLE, |
5006 preSeverity: severities.UNSAFE_SPEC_VIOLATION, | 5468 preSeverity: severities.UNSAFE_SPEC_VIOLATION, |
5007 canRepair: true, | 5469 canRepair: true, |
5008 urls: ['http://webreflection.blogspot.co.uk/2014/04/all-ie-objects-are-bro
ken.html'], | 5470 urls: ['http://webreflection.blogspot.co.uk/2014/04/all-ie-objects-are-bro
ken.html'], |
5009 // TODO(kpreid): link Microsoft info page when available | 5471 // TODO(kpreid): link Microsoft info page when available |
5010 sections: ['8.12.6'], | 5472 sections: ['8.12.6'], |
5011 tests: [] // TODO(kpreid): contribute tests | 5473 tests: [] // TODO(kpreid): contribute tests |
| 5474 }, |
| 5475 { |
| 5476 id: 'GENERATORFUNCTION_CANNOT_BE_DENIED', |
| 5477 description: 'Cannot deny access to unsafe %GeneratorFunction%', |
| 5478 test: test_GENERATORFUNCTION_CANNOT_BE_DENIED, |
| 5479 repair: void 0, |
| 5480 preSeverity: severities.NOT_ISOLATED, |
| 5481 canRepair: false, |
| 5482 urls: ['https://code.google.com/p/google-caja/issues/detail?id=1953', |
| 5483 'https://code.google.com/p/v8/issues/detail?id=3902', |
| 5484 'https://code.google.com/p/chromium/issues/detail?id=460145', |
| 5485 'https://people.mozilla.org/~jorendorff/es6-draft.html#sec-generato
rfunction.prototype.constructor'], |
| 5486 sections: [], |
| 5487 tests: [] |
| 5488 }, |
| 5489 { |
| 5490 id: 'IMPORT_CAN_BE_EVALLED', |
| 5491 description: 'Import statement evaluates outside module source text', |
| 5492 test: test_IMPORT_CAN_BE_EVALLED, |
| 5493 repair: void 0, |
| 5494 preSeverity: severities.NOT_ISOLATED, |
| 5495 canRepair: false, |
| 5496 urls: [], |
| 5497 sections: [], |
| 5498 tests: [] |
| 5499 }, |
| 5500 { |
| 5501 id: 'UNDERBAR_PROTO_GETTER_USES_GLOBAL', |
| 5502 description: 'The getter of __proto__ coerces "this" to global', |
| 5503 test: test_UNDERBAR_PROTO_GETTER_USES_GLOBAL, |
| 5504 repair: repair_UNDERBAR_PROTO_accessors_USE_GLOBAL, |
| 5505 preSeverity: severities.NOT_ISOLATED, |
| 5506 canRepair: true, |
| 5507 urls: ['https://bugs.webkit.org/show_bug.cgi?id=141865'], |
| 5508 sections: [], |
| 5509 tests: [] |
| 5510 }, |
| 5511 { |
| 5512 id: 'UNDERBAR_PROTO_SETTER_USES_GLOBAL', |
| 5513 description: 'The setter of __proto__ coerces "this" to global', |
| 5514 test: test_UNDERBAR_PROTO_SETTER_USES_GLOBAL, |
| 5515 repair: repair_UNDERBAR_PROTO_accessors_USE_GLOBAL, |
| 5516 preSeverity: severities.NOT_ISOLATED, |
| 5517 canRepair: true, |
| 5518 urls: ['https://bugs.webkit.org/show_bug.cgi?id=141865'], |
| 5519 sections: [], |
| 5520 tests: [] |
| 5521 }, |
| 5522 { |
| 5523 id: 'THROWING_THAWS_FROZEN_OBJECT', |
| 5524 description: 'Throwing a frozen object opens a capability leak', |
| 5525 test: test_THROWING_THAWS_FROZEN_OBJECT, |
| 5526 repair: void 0, |
| 5527 preSeverity: severities.NOT_ISOLATED, |
| 5528 canRepair: false, |
| 5529 urls: ['https://bugs.webkit.org/show_bug.cgi?id=141871', |
| 5530 'https://bugs.webkit.org/show_bug.cgi?id=141878'], |
| 5531 sections: [], |
| 5532 tests: [] |
5012 } | 5533 } |
5013 ]; | 5534 ]; |
5014 | 5535 |
5015 // SPLICE_PUT_IGNORES_FIRST_READONLY | 5536 // SPLICE_PUT_IGNORES_FIRST_READONLY |
5016 // SPLICE_PUT_DOESNT_THROW_FIRST_READONLY | 5537 // SPLICE_PUT_DOESNT_THROW_FIRST_READONLY |
5017 // SPLICE_PUT_IGNORES_FIRST_NON_WRITABLE | 5538 // SPLICE_PUT_IGNORES_FIRST_NON_WRITABLE |
5018 // SPLICE_PUT_DOESNT_THROW_FIRST_NON_WRITABLE | 5539 // SPLICE_PUT_DOESNT_THROW_FIRST_NON_WRITABLE |
5019 // SPLICE_PUT_IGNORES_LAST_READONLY | 5540 // SPLICE_PUT_IGNORES_LAST_READONLY |
5020 // SPLICE_PUT_DOESNT_THROW_LAST_READONLY | 5541 // SPLICE_PUT_DOESNT_THROW_LAST_READONLY |
5021 arrayPutProblem(supportedProblems, | 5542 arrayPutProblem(supportedProblems, |
(...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5157 ses.es5ProblemReports = indexedReports; | 5678 ses.es5ProblemReports = indexedReports; |
5158 } catch (err) { | 5679 } catch (err) { |
5159 ses._repairer.updateMaxSeverity(ses.severities.NOT_SUPPORTED); | 5680 ses._repairer.updateMaxSeverity(ses.severities.NOT_SUPPORTED); |
5160 var during = ses._repairer.wasDoing(); | 5681 var during = ses._repairer.wasDoing(); |
5161 logger.error('ES5 Repair ' + during + 'failed with: ', err); | 5682 logger.error('ES5 Repair ' + during + 'failed with: ', err); |
5162 } | 5683 } |
5163 | 5684 |
5164 logger.reportMax(); | 5685 logger.reportMax(); |
5165 | 5686 |
5166 })(this); | 5687 })(this); |
OLD | NEW |