Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[vulnerability][acl] ACL is skipped for source objects in Object.assign() #324

Closed
t2ym opened this issue Feb 3, 2020 · 0 comments
Closed

[vulnerability][acl] ACL is skipped for source objects in Object.assign() #324

t2ym opened this issue Feb 3, 2020 · 0 comments
Labels
no workaround vulnerability

Comments

@t2ym
Copy link
Owner

t2ym commented Feb 3, 2020

[vulnerability][acl] ACL is skipped for source objects in Object.assign()

Root Cause

  • Described in the issue title

Exploit Code

Object.assign({},window).caches;

Fix

  • Apply ACL for each source object in S_TARGETED normalization
diff --git a/demo/hook-callback.js b/demo/hook-callback.js
index 7f0b54f3..5e29075c 100644
--- a/demo/hook-callback.js
+++ b/demo/hook-callback.js
@@ -4839,6 +4839,12 @@ else {
                       if (_args[1][1] instanceof Object) {
                         rawProperty = [];
                         for (let i = 1; i < _args[1].length; i++) {
+                          let _obj = _args[1][i];
+                          let _name = _globalObjects.get(_obj);
+                          if (!applyAcl(_name, true, false, S_ALL, 'r', context, _obj, _args, arguments)) {
+                            result = [_name, true, false, S_ALL, 'r', context, _obj, _args, arguments];
+                            throw new Error('Permission Denied: Cannot access ' + SetMap.getStringValues(_name));
+                          }
                           // TODO: Are inherited properties targeted?
                           rawProperty = rawProperty.concat(Object.keys(_args[1][i]));
                         }
@@ -6278,6 +6284,12 @@ else {
                       if (_args[1][1] instanceof Object) {
                         rawProperty = [];
                         for (let i = 1; i < _args[1].length; i++) {
+                          let _obj = _args[1][i];
+                          let _name = _globalObjects.get(_obj);
+                          if (!applyAcl(_name, true, false, S_ALL, 'r', context, _obj, _args, arguments)) {
+                            result = [_name, true, false, S_ALL, 'r', context, _obj, _args, arguments];
+                            throw new Error('Permission Denied: Cannot access ' + SetMap.getStringValues(_name));
+                          }
                           // TODO: Are inherited properties targeted?
                           rawProperty = rawProperty.concat(Object.keys(_args[1][i]));
                         }
t2ym added a commit that referenced this issue Feb 3, 2020
@t2ym
[vulnerability][acl] Rebuild with Fix #324 Apply ACL for S_TARGETED n…
ebcbc3b 
…ormalized properties with S_ALL normalized property
@t2ym t2ym closed this as completed in 9ff53e8 Feb 3, 2020
t2ym added a commit that referenced this issue Feb 3, 2020
@t2ym
0.4.0-alpha.3 [README] Update README for Fix #324 Apply ACL for S_TAR…
decc772 
…GETED normalized properties with S_ALL normalized property
t2ym added a commit that referenced this issue Feb 3, 2020
@t2ym
0.4.0-alpha.3 [vulnerability][acl] Fix #324 Apply ACL for source obje…
354a190 
…cts in Object.assign()
@t2ym t2ym mentioned this issue Feb 7, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
no workaround vulnerability
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@t2ym