Issue 6843096: Fix breach due to exposed taming constructors exposing arbitrary property access.

Issue 6843096: Fix breach due to exposed taming constructors exposing arbitrary property access. (Closed)

Can't Edit
Can't Publish+Mail
Start Review

Created:
12 years, 9 months ago by kpreid2

Modified:
12 years, 7 months ago

Reviewers:
ihab.awad, metaweta

CC:
caja-discuss-undisclosed_googlegroups.com, MarkM, felix8a, Jasvir, kpreid2, metaweta, MikeSamuel, ihab.awad

Base URL:
http://google-caja.googlecode.com/svn/trunk/

Visibility:
Public.

Description

Several taming constructors (function TameFoo(feralFoo) {...}) in Domado were not protected via inertCtor (which replaces .prototype.constructor with a useless function), which resulted in guest code being able to invoke them. Some of the taming constructors called makeDOMAccessible on an argument, leading to guest code being able to cause that; thus allowing ES5/3 guest code to read or write nonwhitelisted properties on objects the guest has access to. Together, this allowed a complete breach, permitting arbitrary manipulation of the host page. * All taming constructors now use inertCtor properly. * There is now a test which checks for this problem broadly. * makeDOMAccessible now refuses to operate on objects which are already ES5/3 objects (have a v___ property). Added a test for this. Guest code still should not be allowed to obtain makeDOMAccessible, but this should make it less hazardous if that does occur. * Fixed lack of comment in jsUnit error messages for assertRoughlyEquals and assertContains. The Firefox quirk referred to in the previous comments of makeDOMAccessible appears to no longer be an issue (FF 16.0.2).

Patch Set 1 #

Patch Set 2 : Fix breach due to exposed taming constructors exposing arbitrary property access. #

Total comments: 9

Patch Set 3 : Fix breach due to exposed taming constructors exposing arbitrary property access. #

Patch Set 4 : Fix breach due to exposed taming constructors exposing arbitrary property access. #

Total comments: 1

Created: 12 years, 9 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+254 lines, -101 lines)			Patch
M	src/com/google/caja/plugin/caja.js	View	1 2 3	1 chunk	+4 lines, -0 lines	0 comments	Download
M	src/com/google/caja/plugin/domado.js	View	1 2 3	3 chunks	+7 lines, -11 lines	0 comments	Download
M	src/com/google/caja/plugin/es53-frame-group.js	View	1 2 3	4 chunks	+21 lines, -10 lines	0 comments	Download
M	tests/com/google/caja/plugin/es53-test-domado-dom-guest.html	View	1 2 3	3 chunks	+177 lines, -73 lines	1 comment	Download
M	tests/com/google/caja/plugin/es53-test-domado-special.js	View	1 2 3	1 chunk	+5 lines, -0 lines	0 comments	Download
M	tests/com/google/caja/plugin/es53-test-domado-special-guest.html	View	1 2 3	1 chunk	+34 lines, -0 lines	0 comments	Download
M	third_party/js/jsunit/2.2/jsUnitCore.js	View	1 2 3	2 chunks	+6 lines, -7 lines	0 comments	Download

Messages

Total messages: 8

Expand All Messages | Collapse All Messages

metaweta

LGTM https://codereview.appspot.com/6843096/diff/3001/tests/com/google/caja/plugin/es53-test-domado-dom-guest.html File tests/com/google/caja/plugin/es53-test-domado-dom-guest.html (right): https://codereview.appspot.com/6843096/diff/3001/tests/com/google/caja/plugin/es53-test-domado-dom-guest.html#newcode2018 tests/com/google/caja/plugin/es53-test-domado-dom-guest.html:2018: constructorCallable: extras.constructorCallable || false maybe !!extras.constructorCallable https://codereview.appspot.com/6843096/diff/3001/tests/com/google/caja/plugin/es53-test-domado-dom-guest.html#newcode2074 tests/com/google/caja/plugin/es53-test-domado-dom-guest.html:2074: ...

12 years, 9 months ago (2012-11-21 00:49:17 UTC) #2

ihab.awad

https://codereview.appspot.com/6843096/diff/3001/tests/com/google/caja/plugin/es53-test-domado-dom-guest.html File tests/com/google/caja/plugin/es53-test-domado-dom-guest.html (right): https://codereview.appspot.com/6843096/diff/3001/tests/com/google/caja/plugin/es53-test-domado-dom-guest.html#newcode2008 tests/com/google/caja/plugin/es53-test-domado-dom-guest.html:2008: [[], new Option()], Fwiw: The above is really hard ...

12 years, 9 months ago (2012-11-21 01:02:04 UTC) #3

kpreid2

New snapshot. https://codereview.appspot.com/6843096/diff/3001/tests/com/google/caja/plugin/es53-test-domado-dom-guest.html File tests/com/google/caja/plugin/es53-test-domado-dom-guest.html (right): https://codereview.appspot.com/6843096/diff/3001/tests/com/google/caja/plugin/es53-test-domado-dom-guest.html#newcode2018 tests/com/google/caja/plugin/es53-test-domado-dom-guest.html:2018: constructorCallable: extras.constructorCallable || false On 2012/11/21 00:49:17, ...

12 years, 9 months ago (2012-11-21 01:03:14 UTC) #4

kpreid2

12 years, 9 months ago (2012-11-21 01:10:08 UTC) #5

kpreid2

Several taming constructors (function TameFoo(feralFoo) {...}) in Domado were not protected via inertCtor (which replaces ...

12 years, 9 months ago (2012-12-03 20:39:46 UTC) #6

kpreid2

12 years, 9 months ago (2012-12-03 20:41:00 UTC) #7

ihab.awad

12 years, 9 months ago (2012-12-03 20:57:34 UTC) #8

https://codereview.appspot.com/6843096/diff/11001/tests/com/google/caja/plugi...
File tests/com/google/caja/plugin/es53-test-domado-dom-guest.html (right):

https://codereview.appspot.com/6843096/diff/11001/tests/com/google/caja/plugi...
tests/com/google/caja/plugin/es53-test-domado-dom-guest.html:2081: //
TODO(kpreid): Add opaque and foreign nodes as test cases here.
Yippee! :) Thanks!

Expand All Messages | Collapse All Messages