Unified Diff: src/com/google/caja/ses/whitelist.js

Issue 202030043: Protect against hidden intrinsics (Closed) Base URL: http://google-caja.googlecode.com/svn/trunk/
Patch Set: Protect against hidden intrinsics Created 9 years, 1 month ago
Index: src/com/google/caja/ses/whitelist.js
===================================================================
--- src/com/google/caja/ses/whitelist.js (revision 5709)
+++ src/com/google/caja/ses/whitelist.js (working copy)
@@ -67,9 +67,15 @@
* of these is tamed as if with true, so that the value of the
* property is further tamed according to what other objects it
* inherits from.
+ * <li>false, which suppression permission inherited via "*".
* </ul>
*
- * The members of the whitelist are either
+ * <p>TODO: We want to do for constructor: something weaker than '*',
+ * but rather more like what we do for [[Prototype]] links, which is
+ * that it is whitelisted only if it points as an object which is
+ * otherwise reachable by a whitelisted path.
+ *
+ * <p>The members of the whitelist are either
* <ul>
* <li>(uncommented) defined by the ES5.1 normative standard text,
* <li>(questionable) provides a source of non-determinism, in
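Review bot: The first added list item has a grammatical slip that changes its meaning: `* <li>false, which suppression permission inherited via "*".` should read `* <li>false, which suppresses permission inherited via "*".` The added TODO paragraph likewise says "points as an object" where "points at an object" is meant. The enclosing block comment begins before this hunk.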
@@ -105,9 +111,46 @@
var TypedArrayWhitelist; // defined and used below
ses.whitelist = {
cajaVM: { // Caja support
- // This object is present here only to make it itself processed by the
- // whitelist, not to make it accessible by this path.
- '[[ThrowTypeError]]': t,
+ // The accessible intrinsics which are not reachable by own
+ // property name traversal are listed here so that they are
+ // processed by the whitelist, although this also makes them
+ // accessible by this path. See
+ // https://people.mozilla.org/~jorendorff/es6-draft.html#sec-well-known-intrinsic-objects
+ // Of these, ThrowTypeError is the only one from ES5. All the
+ // rest were introduced in ES6.
+ anonIntrinsics: {
+ ThrowTypeError: {},
+ IteratorPrototype: {
+ constructor: false // suppress inherited '*'
+ },
+ ArrayIteratorPrototype: {},
+ StringIteratorPrototype: {},
+ // TODO MapIteratorPrototype: {},
+ // TODO SetIteratorPrototype: {},
+ GeneratorFunction: {
+ prototype: {
+ prototype: {
+ next: t,
+ 'return': t,
+ 'throw': t
+ }
+ }
+ },
+ TypedArray: TypedArrayWhitelist = {
+ length: '*', // does not inherit from Function.prototype on Chrome
+ name: '*', // ditto
+ BYTES_PER_ELEMENT: '*',
+ prototype: {
+ buffer: 'maybeAccessor',
+ byteOffset: 'maybeAccessor',
+ byteLength: 'maybeAccessor',
+ length: 'maybeAccessor',
+ BYTES_PER_ELEMENT: '*',
+ set: '*',
+ subarray: '*'
+ }
+ }
+ },
log: t,
tamperProof: t,
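Review bot: Whitelisting `GeneratorFunction` under `anonIntrinsics` makes that constructor reachable by guest code as `cajaVM.anonIntrinsics.GeneratorFunction`, which the new comment acknowledges, yet GeneratorFunction, like Function, compiles source text passed to it; unless it is neutered elsewhere (startSES.js is part of this changeset but not visible here), an eval capability leaks through the whitelist, so at minimum the entry should carry a comment naming where it is tamed. The TypedArray entries also switch from `t` to `'*'` compared with the removed Int8Array definition in the later hunk of this file without saying why; presumably so the concrete typed-array constructors, which inherit from %TypedArray%, pick these up through inheritance, which deserves a comment such as `// '*' rather than t: Int8Array etc. inherit these from %TypedArray%`. The `ses.whitelist` literal continues past the end of the hunk.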
@@ -451,6 +494,10 @@
parse: t,
stringify: t
},
+
+
+ ///////////////// Standard Starting in ES6 //////////////////
+
ArrayBuffer: { // Khronos Typed Arrays spec; ops are safe
length: t, // does not inherit from Function.prototype on Chrome
name: t, // ditto
@@ -460,20 +507,7 @@
slice: t
}
},
- Int8Array: TypedArrayWhitelist = { // Typed Arrays spec
- length: t, // does not inherit from Function.prototype on Chrome
- name: t, // ditto
- BYTES_PER_ELEMENT: t,
- prototype: {
- buffer: 'maybeAccessor',
- byteOffset: 'maybeAccessor',
- byteLength: 'maybeAccessor',
- length: 'maybeAccessor',
- BYTES_PER_ELEMENT: t,
- set: t,
- subarray: t
- }
- },
+ Int8Array: TypedArrayWhitelist,
Uint8Array: TypedArrayWhitelist,
Uint8ClampedArray: TypedArrayWhitelist,
Int16Array: TypedArrayWhitelist,
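Review bot: `Int8Array: TypedArrayWhitelist,` now depends on the assignment to `TypedArrayWhitelist` made much earlier in the same object literal (inside `cajaVM.anonIntrinsics.TypedArray`); that works only because literal properties are evaluated in source order, and the `var TypedArrayWhitelist` declaration alone would leave it `undefined` if the entries were ever reordered. A comment on the line, `Int8Array: TypedArrayWhitelist, // assigned above under cajaVM.anonIntrinsics`, would make the dependency explicit. The `ses.whitelist` literal continues past the end of the hunk.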