V8 sheriffs: please triage this urgently, thanks!

yukishiino: Do you have any idea on how to fix this? We somehow need to make sure that global->Get("privateScriptController") returns the PrivateScriptController object in PrivateScriptRunner.js without being hijacked by named properties of the window object...

Why don't we use a v8::PrivateProperty to store the instance of PrivateScriptController?  Is there any reason that we cannot use v8::PrivateProperty?

Another option is to fix the order of named properties look-up, and to make the property unconfigurable.  The latest spec says that own properties must have priority over named properties.

> Why don't we use a v8::PrivateProperty to store the instance of PrivateScriptController?  Is there any reason that we cannot use v8::PrivateProperty?

The problem is that the property is set by PrivateScriptController.js and then used by PrivateScriptController.cpp. There's no easy way to share the PrivateProperty between .js and .cpp (although it's doable by somehow passing an object between .js and .cpp).

> The latest spec says that own properties must have priority over named properties.

And they do, the problem here is that there's no own property if the privateScriptController property hasn't been set yet.

Please see https://codereview.chromium.org/2529163002 for a potential fix. If the idea looks good, I'll add a test etc.

LGTMed the fix, thanks!!

The fix looks good.

re: #7

We knew the filepath to PrivateScriptController.js and ran it from Blink, then we can get the return value (the value evaluated at last) of PrivateScriptController.js, right?

In pseudo code, we can do the following, I thought.
    v8::Local<v8::Value> privateScriptController = compileAndRun("PrivateScriptController.js");
    V8PrivateProperty::createSymbol("Window#PrivateScriptController").set(window, privateScriptController);

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c093b7a74ddce32dd3b0e0be60f31becc6ce32f9

commit c093b7a74ddce32dd3b0e0be60f31becc6ce32f9
Author: marius.mlynski <marius.mlynski@gmail.com>
Date: Mon Nov 28 10:18:01 2016

Don't touch the prototype chain to get the private script controller.

Prior to this patch, private scripts attempted to get the
"privateScriptController" property off the global object without verifying if
the property actually exists on the global. If the property hasn't been set yet,
this operation could descend into the prototype chain and potentially return
a named property from the WindowProperties object, leading to release asserts
and general confusion.

BUG= 668552 

Review-Url: https://codereview.chromium.org/2529163002
Cr-Commit-Position: refs/heads/master@{#434627}

[add] https://crrev.com/c093b7a74ddce32dd3b0e0be60f31becc6ce32f9/third_party/WebKit/LayoutTests/fast/dom/marquee-named-property-crash-expected.txt
[add] https://crrev.com/c093b7a74ddce32dd3b0e0be60f31becc6ce32f9/third_party/WebKit/LayoutTests/fast/dom/marquee-named-property-crash.html
[modify] https://crrev.com/c093b7a74ddce32dd3b0e0be60f31becc6ce32f9/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp
[modify] https://crrev.com/c093b7a74ddce32dd3b0e0be60f31becc6ce32f9/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.js

haraken: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Your change meets the bar and is auto-approved for M56 (branch: 2924)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/267649a3f59fc0beec78d95dfc283cdb367da6b9

commit 267649a3f59fc0beec78d95dfc283cdb367da6b9
Author: Kentaro Hara <haraken@chromium.org>
Date: Wed Dec 14 01:44:11 2016

Don't touch the prototype chain to get the private script controller.

Prior to this patch, private scripts attempted to get the
"privateScriptController" property off the global object without verifying if
the property actually exists on the global. If the property hasn't been set yet,
this operation could descend into the prototype chain and potentially return
a named property from the WindowProperties object, leading to release asserts
and general confusion.

BUG= 668552 

Review-Url: https://codereview.chromium.org/2529163002
Cr-Commit-Position: refs/heads/master@{#434627}
(cherry picked from commit c093b7a74ddce32dd3b0e0be60f31becc6ce32f9)

Review-Url: https://codereview.chromium.org/2574523004 .
Cr-Commit-Position: refs/branch-heads/2924@{#485}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[add] https://crrev.com/267649a3f59fc0beec78d95dfc283cdb367da6b9/third_party/WebKit/LayoutTests/fast/dom/marquee-named-property-crash-expected.txt
[add] https://crrev.com/267649a3f59fc0beec78d95dfc283cdb367da6b9/third_party/WebKit/LayoutTests/fast/dom/marquee-named-property-crash.html
[modify] https://crrev.com/267649a3f59fc0beec78d95dfc283cdb367da6b9/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp
[modify] https://crrev.com/267649a3f59fc0beec78d95dfc283cdb367da6b9/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.js

Congratulations, $7,500 for this!

+$500 for the patch - thanks!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot