Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(1227)

Unified Diff: tests/com/google/caja/plugin/test-scan-guest.js

Issue 202030043: Protect against hidden intrinsics (Closed) Base URL: http://google-caja.googlecode.com/svn/trunk/
Patch Set: Protect against hidden intrinsics Created 9 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « tests/com/google/caja/plugin/test-scan-core.js ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: tests/com/google/caja/plugin/test-scan-guest.js
===================================================================
--- tests/com/google/caja/plugin/test-scan-guest.js (revision 5709)
+++ tests/com/google/caja/plugin/test-scan-guest.js (working copy)
@@ -378,7 +378,7 @@
var genFreshElement = G.apply(function() {
return document.createElement('fresh-element');
});
-
+
var ArrayLike = cajaVM.makeArrayLike(largestSmallInteger);
function isArrayLikeCtor(o) {
@@ -538,6 +538,7 @@
functionArgs.set(RefAnyFrame('Function'), G.none);
// TODO deal with function return val
+
argsByAnyFrame('Function.prototype', genAllCall());
argsByIdentity(dummyFunction, genCall());
argsByAnyFrame('Function.prototype.apply', genMethod(genObject, genArray));
@@ -552,10 +553,54 @@
argsByAnyFrame('Function.prototype.toString',
// TODO test invocation on Function.prototype itself
G.tuple(G.value(THIS), G.tuple()));
-
- argsByIdentity(cajaVM['[[ThrowTypeError]]'], genAllCall());
- expectedAlwaysThrow.setByIdentity(cajaVM['[[ThrowTypeError]]'], true);
-
+
+ // ES6 Generators
+ if (cajaVM.anonIntrinsics.GeneratorFunction) {
+ functionArgs.set(RefAnyFrame('cajaVM.anonIntrinsics.GeneratorFunction'),
+ genAllCall);
+ expectedAlwaysThrow.set(
+ RefAnyFrame('cajaVM.anonIntrinsics.GeneratorFunction'),
+ true); // SES disables constructor
+ functionArgs.set(
+ RefAnyFrame('cajaVM.anonIntrinsics.GeneratorFunction.prototype'),
+ genAllCall);
+ expectedAlwaysThrow.set(
+ RefAnyFrame('cajaVM.anonIntrinsics.GeneratorFunction.prototype'),
+ true); // the prototype of function*s is not callable
+
+ // Using evalInTamingFrame because SES mitigated eval will reject
+ // generator syntax when it parses. TODO(kpreid): use cajaVM.eval once we
+ // fully support generators.
+ var aGeneratorFunction = directAccess.evalInGuestFrame(
+ '(function*() { "use strict"; ' +
+ 'while (true) { try { yield 1; } catch (e) {} } })');
+ var aGenerator = aGeneratorFunction();
+ aGenerator.next(); // so .throw() will be caught
+ obtainInstance.define(cajaVM.anonIntrinsics.GeneratorFunction,
+ aGeneratorFunction);
+ obtainInstance.define(cajaVM.anonIntrinsics.GeneratorFunction.prototype,
+ aGenerator);
+
+ var generatorIteratorPrototype =
+ cajaVM.anonIntrinsics.GeneratorFunction.prototype.prototype;
+
+ // TODO(kpreid): Would be nice to be able to say "these methods on any
+ // subtype of Iterator".
+ functionArgs.set(
+ Ref.all(
+ Ref.is(generatorIteratorPrototype.next),
+ Ref.is(generatorIteratorPrototype['return']),
+ Ref.is(generatorIteratorPrototype['throw'])),
+ // fresh because it returns { value: ..., done: ... }
+ freshResult(G.any(
+ genMethod(G.value('foo')), genMethod())));
+ }
+
+ argsByIdentity(cajaVM.anonIntrinsics.ThrowTypeError, genAllCall());
+ expectedAlwaysThrow.setByIdentity(
+ cajaVM.anonIntrinsics.ThrowTypeError, true);
+ // TODO test other intrinsics like %TypedArray%
+
argsByIdentity(Number, genAllCall(genSmallInteger));
argsByAnyFrame('Number.prototype.toExponential',
genMethod(genSmallInteger));
@@ -608,7 +653,7 @@
argsByAnyFrame('String', genAllCall(genString));
argsByAnyFrame('String.fromCharCode', genMethod(genSmallInteger));
- ['big', 'blink', 'bold', 'fixed', 'italics', 'small', 'strong', 'strike',
+ ['big', 'blink', 'bold', 'fixed', 'italics', 'small', 'strike',
'sub', 'sup'].forEach(function(name) {
argsByAnyFrame('String.prototype.' + name, genNoArgMethod);
});
@@ -1333,6 +1378,10 @@
setupTypedArray('Float32Array', false);
setupTypedArray('Float64Array', true);
+ obtainInstance.define(cajaVM.anonIntrinsics.TypedArray, new Int8Array(3));
+ argsByIdentity(cajaVM.anonIntrinsics.TypedArray, genAllCall());
+ expectedAlwaysThrow.setByIdentity(cajaVM.anonIntrinsics.TypedArray, true);
+
argsByAnyFrame('DataView', genNew(
genInstance(ArrayBuffer), genSmallInteger, genSmallInteger));
obtainInstance.define(DataView, new DataView(new ArrayBuffer(8)));
« no previous file with comments | « tests/com/google/caja/plugin/test-scan-core.js ('k') | no next file » | no next file with comments »

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b