0.1.13-stack.6 with Issue #266 Block access to non-native global properties

Author: t2ym

bower.json

@@ -1,6 +1,6 @@
 {
   "name": "thin-hook",
-  "version": "0.1.13-stack.5",
+  "version": "0.1.13-stack.6",
   "description": "Thin Hook Preprocessor",
   "main": "hook.min.js",
   "authors": [

demo/cache-bundle.json

@@ -137,6 +137,32 @@ default:
   console.log('test: checkLocation:', result);
   chai.assert.equal(result, 'about:blank', 'location is about:blank');
 
+  await page.goto(targetURL);
+  console.log('goto', targetURL);
+  await page.waitFor(15000);
+  console.log('waitFor(15000)');
+  result = await page.evaluate(function getPolymer() {
+    try {
+      return Polymer.name;
+    }
+    catch (error) {
+      return error.message;
+    }
+  });
+  console.log('test: getPolymer:', result);
+  chai.assert.equal(result, 'Cannot read property \'name\' of undefined', 'cannot access non-native global property Polymer');
+  await page.waitFor(1000);
+  result = await page.evaluate(function checkLocation() {
+    try {
+      return location.href;
+    }
+    catch (error) {
+      return error.message;
+    }
+  });
+  console.log('test: checkLocation:', result);
+  chai.assert.equal(result, 'about:blank', 'location is about:blank');
+
   // end of tests
 
   // start generation of cache-bundle.json

demo/cacheBundleGeneration.js

@@ -6,7 +6,7 @@
 <html>
 <head>
   <meta charset="utf-8">
-  <script src="../../thin-hook/hook.min.js?no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&no-hook-authorization=4aa0b68a6232155166756cd26df3a813d93ec6a6814f6a5db2c2cb00ad5ee037,log-no-hook-authorization"></script>
+  <script src="../../thin-hook/hook.min.js?no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&no-hook-authorization=b4b2643ab3d6fb31e43e00678f4162bc387c56276c425ffd1b212c54bb68cb0a,log-no-hook-authorization"></script>
   <script context-generator src="no-hook-authorization.js?no-hook=true"></script>
   <script context-generator src="context-generator.js?no-hook=true"></script>
   <script context-generator src="bootstrap.js?no-hook=true"></script>

demo/empty-document.html

@@ -34,6 +34,7 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
   const Symbol = self.Symbol;
   const JSON = self.JSON;
   const URL = self.URL;
+  let wrapGlobalProperty; // = function (object, property, objectName); assigned at the bottom of this script
   class Stack {
     constructor(stack) {
       // Note: O(1)
@@ -4395,6 +4396,7 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
 
     let result;
     try {
+      let globalAssignments;
       if (otherWindowObjectsStatus.set) {
         let _Object;
         switch (typeof f) {
@@ -4593,7 +4595,7 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
         let op = operatorNormalizer[_f];
         let target = targetNormalizer[op];
         let opType;
-        let globalAssignments = {};
+        globalAssignments = {};
         if (typeof target === 'object') {
           do {
             if (normalizedThisArg instanceof Object) {
@@ -5775,6 +5777,14 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
           break;
         }
       }
+      if (globalAssignments) {
+        if (_global.constructor.name === 'Window') {
+          for (let name in globalAssignments) {
+            wrapGlobalProperty([_global, name, 'window']);
+          }
+        }
+      }
+
       lastContext = _lastContext;
       // if (contextStack[contextStack.length - 1] !== context) { debugger; }
       contextStack.pop();
@@ -5802,6 +5812,8 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
 
     let result;
     try {
+      let hasGlobalAssignments = false;
+      let globalAssignments;
       if (otherWindowObjectsStatus.set) {
         let _Object;
         switch (typeof f) {
@@ -5999,8 +6011,7 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
         let property = _escapePlatformProperties.get(rawProperty) || rawProperty;
         let target = targetNormalizerMapObject.get(_f);
         let opType;
-        let hasGlobalAssignments = false;
-        let globalAssignments = {};
+        globalAssignments = {};
         if (typeof target === 'object') {
           do {
             if (normalizedThisArg instanceof Object) {
@@ -6994,6 +7005,14 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
           break;
         }
       }
+      if (hasGlobalAssignments) {
+        if (_global.constructor.name === 'Window') {
+          for (let name in globalAssignments) {
+            wrapGlobalProperty([_global, name, 'window']);
+          }
+        }
+      }
+
       lastContext = _lastContext;
       // if (contextStack[contextStack.length - 1] !== context) { debugger; }
       contextStack.pop();
@@ -7587,10 +7606,9 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
   [
   ].forEach(url => whitelist.add(url));
   const wildcardWhitelist = [
+    new RegExp('^at ([^(]* [(])?' + origin + '/components/'), // trust the site contents including other components
     new RegExp('^at ([^(]* [(])?' + 'https://cdnjs.cloudflare.com/ajax/libs/vis/4[.]18[.]1/vis[.]min[.]js'),
     new RegExp('^at ([^(]* [(])?' + 'https://www.gstatic.com/charts/loader[.]js'),
-    new RegExp('^at ([^(]* [(])?' + origin + '/components/thin-hook/demo/'), // trust the site contents
-    new RegExp('^at ([^(]* [(])?' + origin + '/components/thin-hook/hook[.]min[.]js'), // trust thin-hook
   ];
   const excludes = new Set();
   [
@@ -7619,10 +7637,7 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
       }
       return false;
     };
-    [
-      [ _window, '*', 'window' ],
-      [ _Object.prototype, 'constructor', 'Object.prototype' ],
-    ].forEach(([object, properties, objectName]) => {
+    wrapGlobalProperty = function ([object, properties, objectName]) {
       let names;
       if (properties === '*') {
         names = _Object.getOwnPropertyNames(object);
@@ -7798,6 +7813,10 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
           // window.name is not configurable
         }
       });
-    });
+    };
+    [
+      [ _window, '*', 'window' ],
+      [ _Object.prototype, 'constructor', 'Object.prototype' ],
+    ].forEach(wrapGlobalProperty);
   }
 }

demo/hook-callback.js

@@ -15,7 +15,7 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <script src="../../thin-hook/hook.min.js?version=496&no-hook-authorization=4aa0b68a6232155166756cd26df3a813d93ec6a6814f6a5db2c2cb00ad5ee037,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&service-worker-ready=false"></script></head></html>
+  <script src="../../thin-hook/hook.min.js?version=496&no-hook-authorization=b4b2643ab3d6fb31e43e00678f4162bc387c56276c425ffd1b212c54bb68cb0a,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&service-worker-ready=false"></script></head></html>
   <script context-generator src="no-hook-authorization.js?no-hook=true"></script>
   <script context-generator src="disable-devtools.js?no-hook=true"></script>
   <script context-generator src="context-generator.js?no-hook=true"></script>

demo/index.html

@@ -9,11 +9,11 @@
     //   hook.parameters.noHookAuthorizationFailed
     // JSONs are output to console in the learning mode
     //'*': true,
-    "86918c80ba22c6ddcb334179fe2a3b6819f6d176709f899bfa8434bb94b1ac2e": true, // hook.min.js
+    "6499a340728cc1bb3974ff2785b5de5a0031a0a4a829763aa3c9a70b2b97bf09": true, // hook.min.js
     "ba451c60ef71c0df971d17a7f84b0d35327042e8284b4372eb38ce73c6aa16e7": true, // demo/disable-devtools.js
     "7e0fcbf73f8a30d98082c497e4bec73f2b49e5bee70605bb8838aed035763868": true, // demo/context-generator.js
     "a66830bdcb5410a9b17ccc01ecda4e79fe9c9642085c6e386243930dc81b837a": true, // demo/bootstrap.js
-    "904267acdce972b1f9ab8481c1acd37e0bf55dc27c35095a7db77a64a56aeb3e": true, // demo/hook-callback.js
+    "db30a0e050e58454163cf7523ae11823b86c4104b362640d982b9b59a9e93fca": true, // demo/hook-callback.js
     "0979646683bec9b9682d974d549effb61b1fc981ad87dac76d44d0440d87b396": true, // demo/hook-native-api.js
     "e2e42b1f8c6c518b5878b5bd95d34c0f15e139a1afb6ab6a6642b6e81219d2c5": true, // demo/hook-worker.js
     "163ba1450660d02306936ad39a0b5977e042ba3270eca749fc30d98170e9be03": true, // demo/cache-bundle.js

demo/no-hook-authorization.js

@@ -15,7 +15,7 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <script src="../../thin-hook/hook.min.js?version=496&no-hook-authorization=4aa0b68a6232155166756cd26df3a813d93ec6a6814f6a5db2c2cb00ad5ee037,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&service-worker-ready=true"></script>
+  <script src="../../thin-hook/hook.min.js?version=496&no-hook-authorization=b4b2643ab3d6fb31e43e00678f4162bc387c56276c425ffd1b212c54bb68cb0a,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&service-worker-ready=true"></script>
   <script context-generator src="no-hook-authorization.js?no-hook=true"></script>
   <script context-generator src="disable-devtools.js?no-hook=true"></script>
   <script context-generator src="context-generator.js?no-hook=true"></script>

demo/original-index.html

@@ -6,7 +6,7 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <script src="../../thin-hook/hook.min.js?no-hook=true&no-hook-authorization=4aa0b68a6232155166756cd26df3a813d93ec6a6814f6a5db2c2cb00ad5ee037,log-no-hook-authorization"></script>
+  <script src="../../thin-hook/hook.min.js?no-hook=true&no-hook-authorization=b4b2643ab3d6fb31e43e00678f4162bc387c56276c425ffd1b212c54bb68cb0a,log-no-hook-authorization"></script>
   <script context-generator src="no-hook-authorization.js?no-hook=true"></script>
   <script context-generator src="context-generator.js?no-hook=true"></script>
   <script context-generator src='bootstrap.js?no-hook=true'></script>

demo/sub-document.html

@@ -6,7 +6,7 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <script src="../../thin-hook/hook.min.js?no-hook=true&no-hook-authorization=4aa0b68a6232155166756cd26df3a813d93ec6a6814f6a5db2c2cb00ad5ee037,log-no-hook-authorization"></script>
+  <script src="../../thin-hook/hook.min.js?no-hook=true&no-hook-authorization=b4b2643ab3d6fb31e43e00678f4162bc387c56276c425ffd1b212c54bb68cb0a,log-no-hook-authorization"></script>
   <script context-generator src="no-hook-authorization.js?no-hook=true"></script>
   <script context-generator src="context-generator.js?no-hook=true"></script>
   <script context-generator src='bootstrap.js?no-hook=true'></script>

demo/sub-sub-document.html

@@ -1,6 +1,6 @@
 {
   "name": "thin-hook",
-  "version": "0.1.13-stack.5",
+  "version": "0.1.13-stack.6",
   "description": "Thin Hook Preprocessor",
   "main": "hook.js",
   "scripts": {