[vulnerability][demo][acl] Workers from blob URLs are not hooked #249

Closed
t2ym opened this issue Apr 22, 2018 · 0 comments

t2ym (Owner) commented Apr 22, 2018

[vulnerability][demo][acl] Workers from blob URLs are not hooked

Root Cause

  • No ACLs for Worker/SharedWorker constructor arguments against blob: URLs

Notes

  • Considering how to hook blob: worker scripts
  • Block them for now as a quick fix

Reproducible Code Example

```js
// Worker script built in memory: nothing in the hook pipeline ever sees it,
// yet it runs with full access to globals such as `caches`.
let blob = new Blob([`
  onmessage = (event) => {
    caches.keys().then(keys => postMessage(keys[0]));
  }
`], { type: 'text/javascript' });
let blobUrl = URL.createObjectURL(blob);
let worker = new Worker(blobUrl); // blob: URL is not covered by any ACL

worker.addEventListener('message', function onMessage(event) {
  console.log('web-worker-client.js: received message', event.data);
  // The worker reports a cache name, proving it read `caches` unchecked.
  chai.assert.isOk(event.data.startsWith('version_'), 'blob worker result');
});
let message = [];
console.log('web-worker-client.js: posting message ', JSON.stringify(message));
worker.postMessage(message);
```

ACLs to block blob: and data: URLs for Worker/SharedWorker

```js
Worker: {
  [S_OBJECT]: {
    [S_DEFAULT]: '---',
    '@worker_manipulator': function _WorkerAcl(normalizedThisArg,
                                               normalizedArgs /* ['property', args], ['property', value], etc. */,
                                               aclArgs /* [name, isStatic, isObject, property, opType, context] */,
                                               hookArgs /* [f, thisArg, args, context, newTarget] */,
                                               applyAcl /* for recursive application of ACL */) {
      let opType = aclArgs[4];
      if (opType === 'x') {
        // 'x' on the constructor: normalizedArgs[0] is the script URL.
        // Coerce to string so a URL object is checked rather than throwing.
        let url = String(normalizedArgs[0]).trim().toLowerCase();
        if (url.startsWith('blob:') || url.startsWith('data:')) {
          return false; // deny: script source would bypass the hook
        }
      }
      return '--x'[opTypeMap[opType]] === opType; // equivalent to '--x' acl
    },
  },
  [S_DEFAULT]: '---',
  [S_ALL]: '---',
  [S_PROTOTYPE]: {
    [S_DEFAULT]: '---',
    [S_ALL]: '---',
    [S_INSTANCE]: {
      [S_DEFAULT]: '---',
      '@worker_manipulator': 'rwx',
    },
  },
},
SharedWorker: {
  [S_OBJECT]: {
    [S_DEFAULT]: '---',
    '@shared_worker_manipulator': function _WorkerAcl(normalizedThisArg,
                                                      normalizedArgs /* ['property', args], ['property', value], etc. */,
                                                      aclArgs /* [name, isStatic, isObject, property, opType, context] */,
                                                      hookArgs /* [f, thisArg, args, context, newTarget] */,
                                                      applyAcl /* for recursive application of ACL */) {
      let opType = aclArgs[4];
      if (opType === 'x') {
        // Same check as for Worker: the first constructor argument is the script URL.
        let url = String(normalizedArgs[0]).trim().toLowerCase();
        if (url.startsWith('blob:') || url.startsWith('data:')) {
          return false; // deny blob: and data: script sources
        }
      }
      return '--x'[opTypeMap[opType]] === opType; // equivalent to '--x' acl
    },
  },
  [S_DEFAULT]: '---',
  [S_ALL]: '---',
  [S_PROTOTYPE]: {
    [S_DEFAULT]: '---',
    [S_ALL]: '---',
    [S_INSTANCE]: {
      [S_DEFAULT]: '---',
      '@shared_worker_manipulator': 'rwx',
    },
  },
},
```
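The following is an added, stand-alone model of the `@worker_manipulator` ACL callback above, so the gate can be exercised outside a browser. It is not thin-hook's own code. `opTypeMap` is assumed here to map the ACL operation letters to their column in an `rwx` string, and `decideWorkerConstruct` / `decideWorkerOp` are helpers invented for this example that build `aclArgs` the way a constructor call or property access would look; both are assumptions, not project API. The example also coerces the first constructor argument to a string so that a `URL` object is checked rather than causing a `TypeError`.

```javascript
// Assumed mapping of ACL operation letters to their position in an 'rwx' string
// (an assumption for this example, not copied from the project's config).
const opTypeMap = { r: 0, w: 1, x: 2 };

// Schemes whose script source never passes through the hook pipeline;
// these are the two named in the issue.
const BLOCKED_WORKER_SCHEMES = ['blob:', 'data:'];

// Normalize whatever was handed to new Worker(...) / new SharedWorker(...)
// into a trimmed, lowercase string. URL objects stringify to their href,
// so `new Worker(new URL('blob:...'))` is caught as well.
function normalizeWorkerUrl(arg) {
  return String(arg).trim().toLowerCase();
}

function isBlockedWorkerUrl(arg) {
  const url = normalizeWorkerUrl(arg);
  return BLOCKED_WORKER_SCHEMES.some((scheme) => url.startsWith(scheme));
}

// Same parameter shape as the callback in the issue: aclArgs[4] is the
// operation type ('r', 'w', 'x'); for 'x' (a constructor call) normalizedArgs
// holds the constructor arguments. Returns true to allow, false to deny.
function workerAcl(normalizedThisArg, normalizedArgs, aclArgs, hookArgs, applyAcl) {
  const opType = aclArgs[4];
  if (opType === 'x' && isBlockedWorkerUrl(normalizedArgs[0])) {
    return false; // script source would bypass the hook
  }
  // Equivalent to a plain '--x' ACL: only execution is permitted, and an
  // unknown opType indexes to undefined and is therefore denied.
  return '--x'[opTypeMap[opType]] === opType;
}

// Hypothetical helper: build aclArgs as a hook would for `new <ctorName>(urlArg)`.
function decideWorkerConstruct(urlArg, ctorName = 'Worker') {
  const aclArgs = [ctorName, true, true, '', 'x', null];
  return workerAcl(null, [urlArg], aclArgs, null, null);
}

// Hypothetical helper: decision for a non-constructor operation on the object.
function decideWorkerOp(opType, ctorName = 'Worker') {
  const aclArgs = [ctorName, true, true, '', opType, null];
  return workerAcl(null, [], aclArgs, null, null);
}

// Constructed sample inputs, printed as a quick table when run directly.
const samples = [
  'https://example.com/worker.js',
  'blob:https://example.com/8d1c0c2e-placeholder',
  '  DATA:text/javascript,postMessage(1)',
  new URL('blob:https://example.com/8d1c0c2e-placeholder'),
];
for (const s of samples) {
  console.log(String(s).trim(), '->', decideWorkerConstruct(s) ? 'allow' : 'deny');
}
console.log("read on Worker ->", decideWorkerOp('r') ? 'allow' : 'deny');
```

The scheme check runs only on the `x` path, so reads and writes on the constructor object still fall through to the `--x` rule and are denied exactly as before; the quick fix narrows what `x` permits without widening anything else.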