Fix #398 and Fix #399 Add targetConfig.policy.unchainAcl config to unchain policy objects to Object.prototype

Author: t2ym

demo-config/config.js

@@ -824,6 +824,8 @@ class TargetConfig extends Injectable(Traceable(Configurable(GulpDefaultRegistry
       __hook__min: true, // undefined to skip including plugins/policy/__hook__min.js
       // @ifdef argument to include/exclude hookBenchmark() in hook-callback.js
       hookBenchmark: true, // undefined to exclude hookBenchmark()
+      // @ifdef argument to unchain ACL policy objects if they are chained directly to Object.prototype
+      //unchainAcl: true, // uncomment this argument to enable vulnerability fix for #398 and #399
       // postfix to the hook callback function name __hook__
       __hook__callback: 'acl', // '': __hook__, 'acl': __hook__acl, 'min': __hook__min
       // TODO: modify plugin/policy/hook-callback.js to use hook.parameters.emptyDocumentUrl

demo-config/policy/basePolicyModule.js

@@ -424,6 +424,21 @@ acl: {
       '@HTMLElement_prototype_reader': 'r--',
       '@Object_prototype_reader': 'r-x',
       '@window_enumerator': 'r--R-',
+/* @ifdef unchainAcl */
+      $toString$: {
+        [S_DEFAULT]: '---',
+        '@Object_assign_reader': 'r--',
+        '@Object_prototype_reader': 'r-x',
+        '@chai_js': 'r--',
+        '@deepcopy': 'r--',
+      },
+      $hasOwnProperty$: {
+        [S_DEFAULT]: '---',
+        '@firebase_auth': 'r--',
+        '@firebase_app': 'r--',
+        '@firebase_database': 'r--',
+      },
+/* @endif */
       [S_INSTANCE]: {
         $__proto__$: 'rwx',
         $constructor$: 'rwxRW',

plugins/policy/Policy.js

@@ -817,6 +817,35 @@ Copyright (c) 2017, 2018, 2019, 2020 Tetsuya Mori <[email protected]>. All ri
       }
       chainAcl(acl);
     }
+/* @ifdef unchainAcl */
+    static unchainAcl(acl) {
+      const unchainAcl = function unchainAcl(_acl, path = [ [_acl, 'acl'] ]) {
+        let properties = Object.getOwnPropertySymbols(_acl).concat(Object.getOwnPropertyNames(_acl));
+        if (!_acl[S_CHAIN]) {
+          Reflect.setPrototypeOf(_acl, null);
+        }
+        for (let property of properties) {
+          if (property === S_CHAIN) {
+          }
+          else {
+            let __acl = _acl[property];
+            switch (typeof __acl) {
+            case 'object':
+              if (__acl) {
+                path.push([__acl, property]);
+                unchainAcl(__acl, path);
+                path.pop();
+              }
+              break;
+            default:
+              break;
+            }
+          }
+        }
+      }
+      unchainAcl(acl);
+    }
+/* @endif */
     static mergeAcl(target, ...sources) {
       const originalTarget = target;
       const mergeAcl = function mergeAcl(target, source) {
@@ -1352,23 +1381,38 @@ Copyright (c) 2017, 2018, 2019, 2020 Tetsuya Mori <[email protected]>. All ri
                 case 'undefined':
                   _acl = Reflect.has(_acl, property)
                     ? isGlobal
+/* @ifndef unchainAcl */
                       ? _acl[property] instanceof Object && Reflect.has(_acl[property], S_OBJECT)
+/* @endif */
+/* @ifdef unchainAcl */
+                      ? _acl[property] && typeof _acl[property] === 'object' && Reflect.has(_acl[property], S_OBJECT)
+/* @endif */
                         ? _acl[property][S_OBJECT]
                         : _acl[property]
                       : _acl[property]
                     : Reflect.has(_acl, context)
                       ? context === S_DEFAULT
                         ? isGlobal
                           ? Reflect.has(acl, property)
+/* @ifndef unchainAcl */
                             ? acl[property] instanceof Object && Reflect.has(acl[property], S_OBJECT)
+/* @endif */
+/* @ifdef unchainAcl */
+                            ? acl[property] && typeof acl[property] === 'object' && Reflect.has(acl[property], S_OBJECT)
+/* @endif */
                               ? acl[property][S_OBJECT]
                               : acl[property]
                             : acl[S_GLOBAL]
                           : _acl[context]
                         : _acl[context]
                       : isGlobal
                         ? Reflect.has(acl, property)
+/* @ifndef unchainAcl */
                           ? acl[property] instanceof Object && Reflect.has(acl[property], S_OBJECT)
+/* @endif */
+/* @ifdef unchainAcl */
+                          ? acl[property] && typeof acl[property] === 'object' && Reflect.has(acl[property], S_OBJECT)
+/* @endif */
                             ? acl[property][S_OBJECT]
                             : acl[property]
                           : acl[S_GLOBAL]
@@ -1395,23 +1439,38 @@ Copyright (c) 2017, 2018, 2019, 2020 Tetsuya Mori <[email protected]>. All ri
                     for (_property of property) {
                       __acl = Reflect.has(_acl, property)
                         ? isGlobal
+/* @ifndef unchainAcl */
                           ? _acl[property] instanceof Object && Reflect.has(_acl[property], S_OBJECT)
+/* @endif */
+/* @ifdef unchainAcl */
+                          ? _acl[property] && typeof _acl[property] === 'object' && Reflect.has(_acl[property], S_OBJECT)
+/* @endif */
                             ? _acl[property][S_OBJECT]
                             : _acl[property]
                           : _acl[property]
                         : Reflect.has(_acl, context)
                           ? context === S_DEFAULT
                             ? isGlobal
                               ? Reflect.has(acl, property)
+/* @ifndef unchainAcl */
                                 ? acl[property] instanceof Object && Reflect.has(acl[property], S_OBJECT)
+/* @endif */
+/* @ifdef unchainAcl */
+                                ? acl[property] && typeof acl[property] === 'object' && Reflect.has(acl[property], S_OBJECT)
+/* @endif */
                                   ? acl[property][S_OBJECT]
                                   : acl[property]
                                 : acl[S_GLOBAL]
                               : _acl[context]
                             : _acl[context]
                           : isGlobal
                             ? Reflect.has(acl, property)
+/* @ifndef unchainAcl */
                               ? acl[property] instanceof Object && Reflect.has(acl[property], S_OBJECT)
+/* @endif */
+/* @ifdef unchainAcl */
+                              ? acl[property] && typeof acl[property] === 'object' && Reflect.has(acl[property], S_OBJECT)
+/* @endif */
                                 ? acl[property][S_OBJECT]
                                 : acl[property]
                               : acl[S_GLOBAL]

plugins/policy/__hook__.js

@@ -328,7 +328,7 @@ Copyright (c) 2017, 2018, 2019, 2020 Tetsuya Mori <[email protected]>. All ri
             }
           }
         }
-        if (!name && normalizedThisArg instanceof Object) {
+        if (!name && normalizedThisArg instanceof Object/* @ifdef unchainAcl */ || normalizedThisArg === Object.prototype/* @endif */) {
           [name, isStatic, isObject] = detectName(normalizedThisArg, boundParameters);
         }
         let rawProperty = _args[0];

plugins/policy/__hook__acl.js

@@ -243,7 +243,7 @@ Copyright (c) 2017, 2018, 2019, 2020 Tetsuya Mori <[email protected]>. All ri
             }
           }
         }
-        if (!name && normalizedThisArg instanceof Object) {
+        if (!name && normalizedThisArg instanceof Object/* @ifdef unchainAcl */ || normalizedThisArg === Object.prototype/* @endif */) {
           [name, isStatic, isObject] = detectName(normalizedThisArg, boundParameters);
         }
         let rawProperty = _args[0];

plugins/policy/hook-callback.js

@@ -245,6 +245,9 @@ else {
       'hookBenchmark',
     ]);
     Policy.chainAcl(acl);
+/* @ifdef unchainAcl */
+    Policy.unchainAcl(acl);
+/* @endif */
     Policy.proxyAcl(acl);
     Policy.resolveBareSpecifierAcl(acl);
     Policy.generatePrefixedModuleNames(acl);