[vulnerability][demo][acl] Full ACLs are not applied to iframe.contentWindow #239

Closed
t2ym opened this issue Apr 12, 2018 · 0 comments
Comments

@t2ym (Owner)

t2ym commented Apr 12, 2018

[demo][acl] Full ACLs are not applied to iframe.contentWindow

Root Cause

  • iframe.contentWindow has a different set of object chains and thus full ACLs are not applied for the global objects in the "different world".
    • For example, v instanceof Object does not work for a value v obtained from iframe.contentWindow, even in hook-callback.js

Fix

  • Introduce a global otherWindowObjects = new Map() object, which is shared among frames and contains a mapping from each window.Object to its corresponding window global object
  • Call otherWindowObjects.get(Object).__hook__() for objects from other iframes
    • console.error() if __hook__ is missing (TODO: Should throw an exception?)
  • If iframe.src is empty when the load event handler is attached, empty-document.html is loaded into the iframe so that hooking is available in the iframe.
  • iframe.contentDocument is blocked for now. (TODO item)

Workarounds (deprecated by the above fix)

  • No access to iframe.contentWindow and iframe.contentDocument
    HTMLIFrameElement: {
      [S_CHAIN]: () => acl.HTMLElement,
      [S_PROTOTYPE]: {
        [S_CHAIN]: S_CHAIN,
        [S_INSTANCE]: {
          [S_CHAIN]: S_CHAIN,
          contentDocument: '---',
          contentWindow: '---',
        },
      },
    },
  • Mitigate risks by giving minimal access to iframe.contentWindow
diff --git a/demo/hook-callback.js b/demo/hook-callback.js
index e12aaf2..f099ff7 100644
--- a/demo/hook-callback.js
+++ b/demo/hook-callback.js
@@ -627,6 +627,7 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
     '/components/thin-hook/demo/normalize.js,readProperty': '@GetterSetterClass_reader',
     '/components/thin-hook/demo/my-view3.html,script@1841,attached': '@iframe_contentWindow_accessor',
     'https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.5.0/Chart.min.js,41,o': '@iframe_contentWindow_accessor',
+    'https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.5.0/Chart.min.js,26': '@iframe_contentWindow_accessor',
   };
   /*
     Prefixed Contexts object:
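Review bot: the added key 'https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.5.0/Chart.min.js,26' pins the accessor grant to a position inside a minified third-party bundle, and unlike the neighbouring ',41,o' entry it carries no function name, so nothing in the file says what code at that position touches iframe.contentWindow. Add a trailing comment naming the Chart.js routine that needs the access and noting that the entry is specific to 2.5.0, so the next bundle upgrade does not silently drop or misplace the grant.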
@@ -1827,7 +1828,7 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
                                                                                applyAcl /* for recursive application of ACL */) {
               let opType = aclArgs[4];
               if (opType === 'r') {
-                Policy.trackClass('window', normalizedThisArg[normalizedArgs[0]]);
+                Policy.trackClass('iframe.contentWindow', normalizedThisArg[normalizedArgs[0]]);
               }
               return 'r--'[opTypeMap[opType]] === opType; // equivalent to 'r--' acl
             },
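Review bot: the relabel from 'window' to 'iframe.contentWindow' in Policy.trackClass is what ties this read path to the 'iframe.contentWindow' ACL section introduced later in the same patch, but that coupling is only a string match and is not mentioned next to the existing comment `// equivalent to 'r--' acl`. Add a comment on the trackClass line naming the ACL key it selects, so that a rename of either side is caught in review rather than silently decoupling the two.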
@@ -1835,6 +1836,13 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
         },
       },
     },
+    'iframe.contentWindow': {
+      [S_DEFAULT]: '---',
+      addEventListener: {
+        [S_DEFAULT]: '---',
+        '@iframe_contentWindow_accessor': 'r-x',
+      },
+    },
     HTMLHtmlElement: {
       [S_CHAIN]: () => acl.HTMLElement,
     },
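Review bot: the new 'iframe.contentWindow' section denies by default and opens only addEventListener as 'r-x' for '@iframe_contentWindow_accessor', which is the right shape, but that context name is also assigned to two positions inside the Chart.min.js CDN bundle in the first hunk, so the grant reaches vendored third-party code as well as my-view3.html. Add a comment here listing which callers hold the context and why, and consider a separate context for the Chart.js entries so the application code and the vendored code can be revoked independently.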
