Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[vulnerability][acl] By-value ACL is skipped for calls to non-with-scoped local functions #350

Closed
t2ym opened this issue Mar 8, 2020 · 0 comments
Closed

[vulnerability][acl] By-value ACL is skipped for calls to non-with-scoped local functions #350

t2ym opened this issue Mar 8, 2020 · 0 comments

Comments

@t2ym
Copy link
Owner

t2ym commented Mar 8, 2020
edited
Loading

[vulnerability][acl] By-value ACL is skipped for calls to non-with-scoped local functions

Root Cause

  • In a with-clause, ACL is skipped for calls to non-with-scoped local functions due to the hooked __with__ object have the property value true for the non-with-scoped local variables
  • true is not a function and cannot be tracked to the corresponding ACL

Reproducible Code

{
  let _parseInt = window.parseInt;
  let _Date = window.Date;
  with ({}) { // hooked as { _parseInt: true, _Date: true }
    _parseInt('1'); // ACL for window.parseInt is not applied
    new _Date(); // ACL for window.Date is not applied
  }
}

Fix

  • Append the target variable in the hooked argument
__hook__('w()', __with__, ['_parseInt', [1], (...args) => _parseInt(...args), _parseInt], _c_[0]);
__hook__('wnew', __with__, ['_parseInt', [], (...args) => new _Date(...args), _Date], _c_[0], false);
  • Pick up the target variable in Policy.defaultAcl() to get the object reference value and apply its ACL
t2ym added a commit that referenced this issue Mar 8, 2020
@t2ym
[demo][acl] Update normalize.js for verifying Fix #348, Fix #349, Fix #…
2d3b262 
…350, and Fix #351
t2ym added a commit that referenced this issue Mar 8, 2020
@t2ym
0.4.0-alpha.20 with [vulnerability][acl] Fix #348 tagged template lit…
cbaa935 
…erals, Fix #349 with function calls, Fix #350 local function calls in with clause
@t2ym t2ym closed this as completed in 8c167b5 Mar 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@t2ym