[vulnerability][acl] ACL is skipped for accessing any properties of an object destructured into function arguments

[t2ym]

ACL is skipped for accessing any properties of an object destructured into function arguments

Root Cause

• Destructured object property access in function arguments are not checked for ACL

Reproducible Code

function f({ caches: c }) { return c; } f(window);
/* variants
  function expression
  async function
  generator function
  arrow function
  async arrow function
  class constructor
  class static method
  class method
  object shorthand method
  etc.
*/

Fix

• Check "*"(S_ALL) property access of each function argument object if it is destructured into object properties or array elements
• Examples

  // original (function declaration)
  function f({caches: c}) { return c; }
  // hooked
  function f({caches: c}) {
    for (let arg of arguments)
      __hook__('#*', arg, [], _c_[0]);
    return __hook__(({caches: c}) => {
      return c;
    }, null, arguments, _c_[0]);
  }

  // original (arrow function)
  ({caches: c}) => c;
  // hooked
  (...args) => __hook__(({caches: c}) => c, null,
    args.map(arg => __hook__('#*', arg, [], _c_[0])), _c_[0]);

Notes

• The ACL is always checked against all properties access "*" even when only specific properties are accessed in destructuring

[t2ym]

#328 was misused in the commit descriptions for this issue #331