
Issue 645328


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug




Page code can execute when autocomplete triggered

Project Member Reported by monette@google.com, Sep 9 2016

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36

Steps to reproduce the problem:
1. Run in the page or console: Object.prototype.__defineSetter__('potato', () => { console.log("foo"); }); 
2. Type into the Developer Tools console (hitting return not required).
3. "foo" should be logged to the console for each keystroke.

What is the expected behavior?

What went wrong?
Autocomplete in the console is not sandboxed from page-defined code.

Did this work before? No 

Chrome version: 53.0.2785.92  Channel: n/a
OS Version: 
Flash Version: Shockwave Flash 22.0 r0

Comment 1 by sdy@chromium.org, Sep 9 2016

Components: -Platform>DevTools Platform>DevTools>Editing
Labels: -OS-Linux OS-All
Status: Untriaged (was: Unconfirmed)
Summary: Page code can execute when autocomplete triggered (was: Page code can execute when autocomplete triggered by )

Comment 2 by sdy@chromium.org, Sep 9 2016

Owner: alph@chromium.org
Status: Assigned (was: Untriaged)
This fixes the immediate problem:
https://codereview.chromium.org/2324093002/

A better solution might involve inspecting the page's environment without running code in it. I don't usually work on this part of the browser so I'm not sure how realistic that is :). (…or if the current behavior is even considered a bug.)

Comment 3 by sdy@chromium.org, Sep 9 2016

Forgot to attach screen recordings.
console_setter_before.mov (300 KB)
console_setter_after.mov (450 KB)

Comment 4 by sheriffbot@chromium.org, Sep 9 2016

Labels: Hotlist-Google

Comment 5 by sdy@chromium.org, Sep 9 2016

Labels: allpublic
Nothing secret in those attachments.

Comment 6 by bugdroid1@chromium.org, Sep 9 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c1431e19823dc2a0487197185795ffbe20d5a88f

commit c1431e19823dc2a0487197185795ffbe20d5a88f
Author: sdy <sdy@chromium.org>
Date: Fri Sep 09 22:07:06 2016

Don't trigger Object.prototype setters when generating completions

Autocomplete gets its candidates for completion by running a function in
the context of the page. If we use a plain object to hold results, we'll
end up triggering any setters that the page added to Object.prototype.

Using a prototype-less object avoids this, but a page could still
interfere by replacing Object.create (or Object.getPrototypeOf, String,
Number, Boolean...).

BUG=645328

Review-Url: https://codereview.chromium.org/2324093002
Cr-Commit-Position: refs/heads/master@{#417729}

[modify] https://crrev.com/c1431e19823dc2a0487197185795ffbe20d5a88f/third_party/WebKit/Source/devtools/front_end/sdk/RuntimeModel.js
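The following is an added illustration, not code from the issue report or from the Chromium change linked above. It reproduces the mechanism described in the report's repro steps and in the commit message: a page installs a setter on `Object.prototype`, and any code that stores completion candidates as keys of a plain object literal ends up calling that setter, whereas a prototype-less object created with `Object.create(null)` does not. The function names, the `log` array and the candidate list `['potato', 'length']` are assumptions made for the demonstration (the property name `potato` is the one used in the report).

```javascript
// Added example (not Chromium code). Demonstrates why collecting
// completion candidates into a plain object lets page-defined
// Object.prototype setters run, and why a prototype-less object does not.

// Simulates the page installing a setter on Object.prototype, mirroring
// the report's repro step. The setter appends to `log` instead of
// console.log so the effect can be checked programmatically.
function installPageSetter(log) {
  Object.defineProperty(Object.prototype, 'potato', {
    configurable: true,
    set(v) { log.push('setter ran with ' + v); },
  });
}

// Restores Object.prototype so the demo leaves no trace behind.
function removePageSetter() {
  delete Object.prototype.potato;
}

// Naive collector: an object literal inherits from Object.prototype, so
// `results[name] = true` invokes the inherited setter instead of creating
// an own property when `name` matches a setter-only accessor.
function collectWithPlainObject(names) {
  const results = {};
  for (const name of names) results[name] = true;
  return results;
}

// Hardened collector (the approach the commit message describes):
// Object.create(null) has no prototype chain, so every assignment creates
// an own property and no page-installed setter can be reached.
function collectWithNullProto(names) {
  const results = Object.create(null);
  for (const name of names) results[name] = true;
  return results;
}

// Runs both collectors with the page setter installed and returns what
// happened so the caller (or a test) can inspect it.
function demo() {
  const log = [];
  installPageSetter(log);
  try {
    const names = ['potato', 'length']; // constructed candidate list
    const plain = collectWithPlainObject(names);
    const plainLogCount = log.length;
    const nullProto = collectWithNullProto(names);
    const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
    return {
      setterRanForPlain: plainLogCount,                  // 1: page code ran
      setterRanForNullProto: log.length - plainLogCount, // 0: page code did not run
      plainHasOwnPotato: hasOwn(plain, 'potato'),        // false: candidate was swallowed
      nullProtoHasOwnPotato: hasOwn(nullProto, 'potato'), // true: candidate recorded
    };
  } finally {
    removePageSetter();
  }
}
```

Note that the plain-object collector does not merely leak control to the page; it also loses the candidate, because the setter-only accessor swallows the assignment and no own property is created. The second caveat from the commit message still applies to the hardened collector: because the candidate-gathering function runs inside the page's realm, a page that has replaced `Object.create` (or `String`, `Number`, `Boolean`, `Object.getPrototypeOf`) can still interfere, which is why the commit calls this a fix for the immediate problem rather than a full sandbox.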

Comment 7 by sdy@chromium.org, Sep 9 2016

Cc: alph@chromium.org
Owner: sdy@chromium.org
Status: Fixed (was: Assigned)
Components: Platform>DevTools>Authoring
Components: Platform>DevTools
