Security: Promise constructor can be used to bypass Function constructor restrictions
Issue description

In issue 656274, pimvdb@live.nl provided the following workaround for the security restrictions on the Function constructor:

```javascript
var parent_Promise = fetch.call(parent).constructor;
var parent_Function = parent_Promise.constructor;
new parent_Promise(function(resolve) { resolve(); }).then(function() {
  var f = new parent_Function("document.body.style.backgroundColor = 'red';");
  f();
});
```

fetch.call(parent) giving you a promise from the wrong realm is already fixed; however, if we have another bug where you can get hold of a promise from the wrong context, this workaround would still apply, so we should fix it. I'm considering adding a call to our access check to the promise constructor (Builtins::AllowDynamicFunction). It probably makes sense to add a fast-path for when the promise constructor's realm and the current realm are the same.
Oct 21 2016 (Comment 1 by hablich@chromium.org)
What's special about Promise here? Doesn't this apply to any object?
Oct 21 2016
When we execute microtasks, we enter the context of the promise, but we have lost the rest of the stack, so we can't check beyond the promise's context.
Oct 24 2016
Are Promises the only problem here, or does this occur with other async callbacks from the browser?
Oct 26 2016
e.g. setTimeout does an access check internally (as hopefully all others do as well): https://cs.chromium.org/chromium/src/out/Debug/gen/blink/bindings/core/v8/V8Window.cpp?rcl=1477451763&l=5877
Nov 16 2016
jochen: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b361b59fffe5480ebd3eacda9d4a4274d43f8a95

commit b361b59fffe5480ebd3eacda9d4a4274d43f8a95
Author: gsathya <gsathya@chromium.org>
Date: Thu Dec 01 21:09:44 2016

[promises] Move promise constructor to TFS

BUG=v8:5343,chromium:660947,chromium:658194
Review-Url: https://codereview.chromium.org/2497523002
Cr-Commit-Position: refs/heads/master@{#41438}

[modify] https://crrev.com/b361b59fffe5480ebd3eacda9d4a4274d43f8a95/src/bootstrapper.cc
[modify] https://crrev.com/b361b59fffe5480ebd3eacda9d4a4274d43f8a95/src/builtins/builtins-promise.cc
[modify] https://crrev.com/b361b59fffe5480ebd3eacda9d4a4274d43f8a95/src/builtins/builtins.h
[modify] https://crrev.com/b361b59fffe5480ebd3eacda9d4a4274d43f8a95/src/contexts.h
[modify] https://crrev.com/b361b59fffe5480ebd3eacda9d4a4274d43f8a95/src/isolate.cc
[modify] https://crrev.com/b361b59fffe5480ebd3eacda9d4a4274d43f8a95/src/js/promise.js
[modify] https://crrev.com/b361b59fffe5480ebd3eacda9d4a4274d43f8a95/src/objects-inl.h
[modify] https://crrev.com/b361b59fffe5480ebd3eacda9d4a4274d43f8a95/src/objects.h
[modify] https://crrev.com/b361b59fffe5480ebd3eacda9d4a4274d43f8a95/src/runtime/runtime-promise.cc
[modify] https://crrev.com/b361b59fffe5480ebd3eacda9d4a4274d43f8a95/src/runtime/runtime.h
Dec 19 2016
Anything more to be done here, or can we close this as Fixed?
Dec 21 2016
We still need to implement the actual check.
Jan 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/81c62e070b8656432899fc17b46b882bfcf1d59a

commit 81c62e070b8656432899fc17b46b882bfcf1d59a
Author: jochen <jochen@chromium.org>
Date: Thu Jan 12 11:33:51 2017

Do security checks in the promise constructor

Since we can only do limited checks during microtask execution, do the checks before actually creating a promise.

BUG=chromium:658194
R=bmeurer@chromium.org,gsathya@chromium.org
Review-Url: https://codereview.chromium.org/2628863002
Cr-Commit-Position: refs/heads/master@{#42265}

[modify] https://crrev.com/81c62e070b8656432899fc17b46b882bfcf1d59a/include/v8.h
[modify] https://crrev.com/81c62e070b8656432899fc17b46b882bfcf1d59a/src/builtins/builtins-promise.cc
[modify] https://crrev.com/81c62e070b8656432899fc17b46b882bfcf1d59a/src/builtins/builtins-promise.h
[modify] https://crrev.com/81c62e070b8656432899fc17b46b882bfcf1d59a/src/code-stub-assembler.cc
[modify] https://crrev.com/81c62e070b8656432899fc17b46b882bfcf1d59a/src/code-stub-assembler.h
[modify] https://crrev.com/81c62e070b8656432899fc17b46b882bfcf1d59a/src/runtime/runtime-internal.cc
[modify] https://crrev.com/81c62e070b8656432899fc17b46b882bfcf1d59a/src/runtime/runtime.h
[modify] https://crrev.com/81c62e070b8656432899fc17b46b882bfcf1d59a/test/mjsunit/cross-realm-filtering.js
Apr 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot