[vulnerability][acl] Fix #324 Apply ACL for S_TARGETED normalized properties with S_ALL normalized property

t2ym · t2ym · commit 9ff53e89cc0e · 2020-02-03T15:31:53.000+09:00
diff --git a/demo/hook-callback.js b/demo/hook-callback.js
@@ -711,7 +711,7 @@ else {
     '/components/thin-hook/demo/es6-module4.js,f': '@import.meta_reader,f',
     '/components/thin-hook/demo/es6-module4.js,f,*': '@import.meta_reader,f',
     '/components/polymer/lib/utils/async.html,script@566,timeOut,run': '@setTimeout_reader',
-    '/components/thin-hook/demo/,script@5966': '@document_writer',
+    '/components/thin-hook/demo/,script@4751': '@document_writer',
     '/components/thin-hook/demo/,script@5963': '@document_writer',
     '/components/thin-hook/demo/,script@5964': '@document_writer',
     '/components/thin-hook/demo/sub-document.html,*': '@document_writer',
@@ -4839,6 +4839,12 @@ else {
                       if (_args[1][1] instanceof Object) {
                         rawProperty = [];
                         for (let i = 1; i < _args[1].length; i++) {
+                          let _obj = _args[1][i];
+                          let _name = _globalObjects.get(_obj);
+                          if (!applyAcl(_name, true, false, S_ALL, 'r', context, _obj, _args, arguments)) {
+                            result = [_name, true, false, S_ALL, 'r', context, _obj, _args, arguments];
+                            throw new Error('Permission Denied: Cannot access ' + SetMap.getStringValues(_name));
+                          }
                           // TODO: Are inherited properties targeted?
                           rawProperty = rawProperty.concat(Object.keys(_args[1][i]));
                         }
@@ -6278,6 +6284,12 @@ else {
                       if (_args[1][1] instanceof Object) {
                         rawProperty = [];
                         for (let i = 1; i < _args[1].length; i++) {
+                          let _obj = _args[1][i];
+                          let _name = _globalObjects.get(_obj);
+                          if (!applyAcl(_name, true, false, S_ALL, 'r', context, _obj, _args, arguments)) {
+                            result = [_name, true, false, S_ALL, 'r', context, _obj, _args, arguments];
+                            throw new Error('Permission Denied: Cannot access ' + SetMap.getStringValues(_name));
+                          }
                           // TODO: Are inherited properties targeted?
                           rawProperty = rawProperty.concat(Object.keys(_args[1][i]));
                         }
diff --git a/demo/normalize.js b/demo/normalize.js
@@ -1866,6 +1866,10 @@
     let cannotAccessNavigator = navigator;
   }, /^Permission Denied:/);
 
+  chai.assert.throws(() => {
+    Object.assign({}, window).caches;
+  }, /^Permission Denied:/);
+
 }
 () => {
   let target, property, value, attributes, proto, prototype, receiver, args, arg1, arg2, p, v;
