freeze "unreachable" primordials #196

Closed
warner opened this issue Jul 28, 2018 · 3 comments

Comments

@warner
Contributor

warner commented Jul 28, 2018

We're currently only freezing primordials that are reachable by property+prototype traversal from the RootRealm's global object. This misses things that are only reachable by syntax, like ArrayIteratorPrototype. We need to get the full list (maybe from anonIntrinsics.js for now, but ideally from some Realms API that will be updated as the platform adds new ones) and add it to the primordialRoots in deepFreeze.js.

Until we do this, programs that use any of these primordials will not be defensive against attacker code that seeks to mutate them.
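As an added example (not code from the SES or Realms projects, and not part of this comment): a minimal property-and-prototype walker of the kind the traversal above implies, plus a coverage check that lists which syntax-only intrinsics a given set of freeze roots would never visit. It goes beyond ArrayIteratorPrototype to the other anonymous intrinsics the language exposes only through syntax. The `simulatedGlobal` object (a constructed stand-in for a realm's global, limited to standard ES globals), the function names and the null-prototype toy graph are assumptions for illustration.

```javascript
// Added example, not code from the SES/Realms project. A minimal
// property+prototype walker (the traversal the issue describes) and a
// coverage check reporting which "anonymous" intrinsics, reachable only by
// syntax, a given set of freeze roots would miss.

// Intrinsics that no global property points to; each is obtained the only
// way the language exposes it: by evaluating the relevant syntax.
function anonymousIntrinsics() {
  const ArrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());
  const AsyncGeneratorFunction = Object.getPrototypeOf(async function* () {}).constructor;
  return {
    ArrayIteratorPrototype,
    StringIteratorPrototype: Object.getPrototypeOf(''[Symbol.iterator]()),
    MapIteratorPrototype: Object.getPrototypeOf(new Map()[Symbol.iterator]()),
    SetIteratorPrototype: Object.getPrototypeOf(new Set()[Symbol.iterator]()),
    RegExpStringIteratorPrototype: Object.getPrototypeOf(/a/g[Symbol.matchAll]('')),
    IteratorPrototype: Object.getPrototypeOf(ArrayIteratorPrototype),
    GeneratorFunction: Object.getPrototypeOf(function* () {}).constructor,
    AsyncFunction: Object.getPrototypeOf(async function () {}).constructor,
    AsyncGeneratorFunction,
    AsyncIteratorPrototype: Object.getPrototypeOf(AsyncGeneratorFunction.prototype.prototype),
    // %TypedArray% is anonymous too, but it sits on the prototype chain of
    // every typed-array constructor, so prototype traversal does reach it.
    TypedArray: Object.getPrototypeOf(Uint8Array),
  };
}

// Walk own properties (data values, getters, setters; string and symbol
// keys, enumerable or not) and [[Prototype]] links from every root.
// Getters are collected as function objects, never invoked.
function collectReachable(roots) {
  const seen = new Set();
  const todo = [...roots];
  while (todo.length > 0) {
    const obj = todo.pop();
    const isObj = obj !== null && (typeof obj === 'object' || typeof obj === 'function');
    if (!isObj || seen.has(obj)) continue;
    seen.add(obj);
    todo.push(Object.getPrototypeOf(obj));
    for (const key of Reflect.ownKeys(obj)) {
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if ('value' in desc) todo.push(desc.value);
      if (desc.get !== undefined) todo.push(desc.get);
      if (desc.set !== undefined) todo.push(desc.set);
    }
  }
  return seen;
}

// Names of anonymous intrinsics that a freeze pass starting from `roots`
// would never visit, and so would leave mutable for any code to alter.
function missingIntrinsics(roots) {
  const reachable = collectReachable(roots);
  return Object.entries(anonymousIntrinsics())
    .filter(([, obj]) => !reachable.has(obj))
    .map(([name]) => name);
}

// Freeze everything the walk reaches and return the visited set.
function freezeReachable(roots) {
  const reachable = collectReachable(roots);
  for (const obj of reachable) Object.freeze(obj);
  return reachable;
}

// Constructed stand-in for a realm's global object: standard ES
// constructors and namespaces only, no host objects.
const simulatedGlobal = {
  Object, Function, Array, Number, String, Boolean, Symbol, Promise,
  Map, Set, WeakMap, WeakSet, RegExp, Error, TypeError, RangeError,
  Reflect, JSON, Math, Proxy, Date, ArrayBuffer, Uint8Array,
};

// Global-object-only roots miss the syntax-only intrinsics; adding them as
// explicit roots closes the gap.
const missedByGlobalOnly = missingIntrinsics([simulatedGlobal]);
const missedWithAnonRoots = missingIntrinsics([
  simulatedGlobal, ...Object.values(anonymousIntrinsics()),
]);
console.log('missed with global-only roots:', missedByGlobalOnly);
console.log('missed with anonymous roots added:', missedWithAnonRoots);

// The freeze itself is shown on a null-prototype toy graph: an ordinary
// object's prototype chain leads to Object.prototype, and from there the
// walk would freeze this process's own intrinsics.
const toy = Object.create(null);
toy.child = Object.create(null);
toy.child.grandchild = Object.create(null);
freezeReachable([toy]);
console.log('toy graph frozen:', Object.isFrozen(toy.child.grandchild));
```

Run it under Node and the first list names the iterator prototypes and the generator/async function constructors; the second is empty. The check is cheap enough to keep as a regression test beside a freeze pass, so that a platform update adding a new syntax-only intrinsic shows up as a non-empty list rather than as an unfrozen object.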

@erights
Contributor

erights commented Jul 28, 2018

It also means that subgraphs that were supposed to be isolated from each other can use this shared mutable state to talk to each other --- even if they have no other use for it.

@erights
Contributor

erights commented Jan 16, 2019

Relevant issue thread tc39/ecma262#1417

@erights
Contributor

erights commented Jan 25, 2019

In progress on the whitelist-2 branch. See https://github.com/Agoric/SES/issues/26#issuecomment-457676194

warner referenced this issue in Agoric/SES Feb 9, 2019
This fixes all known confinement leaks:

* We now freeze AsyncGeneratorFunction and AsyncFunction, the last of the
  "anonymous" intrinsics (which are reachable by syntax but not simple
  property lookup). In the previous release, attacker code could modify their
  behavior (which defender code might have been relying upon) or use them as
  a communication channel. (#3, #41)
* We now remove all unknown properties from the global object, using a
  special list of ones that are safe to expose. This protects us from
  surprising platform-specific objects, or newly-added standard JS objects
  that have not yet been examined for safety. The 'Intl' object is currently
  removed by this check (and `intlMode: "allow"` has been removed), but may
  be brought back in a future release. (#26)
* RegExp.prototype.compile is removed unconditionally (even if regexpMode:
  "allow" is set), because it violates the semantics of Object.freeze

It also improves usability:

* Uncaught exceptions in Node.js are now rendered correctly when the
  `errorStackMode: "allow"` option is enabled. In the previous release, such
  exceptions were always displayed as "undefined", which was particularly
  unhelpful. If your program is abruptly exiting with "undefined", try
  turning this option on while you're debugging. But don't leave it on,
  because it probably enables a confinement breach.
* SES is an ES6 module, but should now be importable with `require()` by
  other code which is unaware of ES6 modules, because it now uses the `esm`
  module internally. (#32)
* `console.log` is now available within the confined code, if the
  `consoleMode: "allow"` option is enabled. If this is disabled,
  `console.log()` will throw a `TypeError` (since `console` is undefined, it
  has no `log` property). Many other `console` methods (but not all) are
  exposed too. (#35)

SES now requires Node.js version 10 or later.
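As an added example (not code from SES, and not part of the referenced commit): the global-object allowlisting the release notes describe, written as a function that removes every property not on an explicit list and reports what it removed. The allowlist here is a constructed subset of standard ES globals, `makeSimulatedGlobal` builds a stand-in global with a hypothetical host property, and the function also covers the case the notes do not spell out: a non-configurable property cannot be deleted, so it is reported rather than silently left in place.

```javascript
// Added example, not code from the SES project: prune a global object down
// to an explicit allowlist of property names and report what was removed or
// could not be removed.

// Constructed allowlist: a small subset of standard ES globals. The list SES
// ships is longer and reviewed per release.
const SAFE_GLOBAL_NAMES = new Set([
  'Object', 'Array', 'Function', 'Symbol', 'Promise', 'Map', 'Set',
  'JSON', 'Math', 'Reflect', 'Infinity', 'NaN', 'undefined',
]);

// Delete every own property of `global` whose name is not allowlisted.
// Returns { removed, stuck }: `stuck` lists non-configurable properties
// that cannot be deleted. A caller should treat a non-empty `stuck` as a
// hardening failure rather than continue with an unknown object exposed.
function pruneGlobal(global, allowlist = SAFE_GLOBAL_NAMES) {
  const removed = [];
  const stuck = [];
  for (const key of Reflect.ownKeys(global)) {
    // Symbol-keyed properties are never on the name allowlist; drop them too.
    if (typeof key === 'string' && allowlist.has(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(global, key);
    if (desc.configurable) {
      delete global[key];
      removed.push(key);
    } else {
      stuck.push(key);
    }
  }
  return { removed, stuck };
}

// Constructed stand-in for a realm's global: allowlisted globals, an 'Intl'
// placeholder (the notes say Intl is currently removed), a hypothetical host
// property, and a non-configurable value to exercise the failure path.
function makeSimulatedGlobal() {
  const g = { Object, Array, Function, Symbol, Promise, Map, Set, JSON, Math, Reflect };
  g.Intl = {};                                    // placeholder for the real Intl
  g.hostOnlyThing = { leaksPlatformState: true }; // hypothetical host property
  Object.defineProperty(g, 'Infinity', { value: Infinity, writable: false, configurable: false });
  Object.defineProperty(g, 'surprise', { value: 1, writable: true, configurable: false });
  return g;
}

const pruned = makeSimulatedGlobal();
const report = pruneGlobal(pruned);
console.log('removed:', report.removed);        // Intl and hostOnlyThing
console.log('could not remove:', report.stuck); // surprise
```

The allowlist is keyed by name only; any symbol-keyed property on the global is removed unconditionally, since nothing on the list could have vouched for it.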
jfparadis transferred this issue from Agoric/SES Feb 21, 2020