[vulnerability] Incorrect global object contexts are applied in self-assignment expressions

[t2ym]

[vulnerability] Incorrect global object contexts are applied in self-assignment expressions

Root Cause

• context property of getter/setter functions of the wrapper property of $hook$.global().wrapperProperty is set before the assignment but modified to that for the RHS value during evaluation of the RHS, and then its ACL is applied on the assignment to the LHS property with the RHS context while the LHS context is expected.

Reproducible Code Example

/* /path.js */
var _global_A = 1;
({
  // /path.js,inaccessible should be applied 
  // but /path.js,inaccessible,accessible is actually applied
  inaccessible: _global_A = { 
    accessible: _global_A // RHS: /path.js,inaccessible,accessible
  }.accessible
});

Fix

• Modify the $hook$.global() to assure the correct contexts are always applied
  • context is included in the wrapper property name
• Before the fix

$hook$.global(__hook__, 'context', 'name', 'var')._p_name

• After the fix

$hook$.global(__hook__, 'context', 'name', 'var')['_p_name;context']