console API on XS: compatibility, security impact? #2146
Comments
|
In the xsnap design landed this week, the console methods are all noop: |
|
@kriskowal notes in #2225 (comment) that our vat managers provide an incomplete |
add TODO re other console methods with pointer to Agoric#2146
* feat(xsnap): setImmediate and print In addition to detecting XS Machine quiescense so we can safely take snapshots, the supervisor has to detect vat queiscense so it can tell when a delivery is done. I have resorted to ad-hoc `fprintf()` at the C level for debugging enough to justify restoring print. Here we test that it's only available in the start compartment. note print() includes fflush() * build(xsnap): don't set mxDebug in release builds fixes #2216 only tested on lin, not mac nor win * build(xsnap): build GOAL=debug too * fix(xsnap): don't swallow error message * feat(xsnap): return data from xsnap.evaluate() Using the .result property of a mutable object rather than the resolution of a promise is a little awkward, but it seems to work. * chore(xs-vat-worker): prune obsolete dependencies * build(xs-vat-worker): moddable submodule is obsolete * style(xs-vat-worker): use canonical @Agoric style * feat(xs-vat-worker): TextDecoder, HandledPromise before lockdown * refactor(SwingSet): unify vat-worker filenames fixes #2202 * feat(swingset): xsnap vat manager - build xsnap bootstrap bundles - bytes to tagged array and back - setBundle, importBundle - syscall - delivery success symbol is ok, not deliverDone - Use Tagged type consistently; don't constrain tag to be string. - clean up logging: use parentLog(), trace(), ... - static typing for doProcess: capture dispatch while it's known to be not null - silence parentLog, workerLog for xsnap - no, handleSyscall doesn't return Tagged - inherit stdout, stderr in xsnap - vatid arg on doNotify is no more * fix: crank 1 comment in vat-target.js * fix: supply groupCollapsed etc. in console-shim for SES * fix(xsnap): handle edge cases in sending replies to e, ? * refactor: avoid 2nd round trip to xsnap - manager: prune commandResult - supervisor: factor out "transport" logic as `ManagerPort`, separate from vat-worker `makeWorker()` - ManagerPort.handler provides `{ result?: ArrayBuffer }` idiom based on Promise<Tagged> - testLog uses ManagerPort.send - clean up redundant 'ok' tag in doMessage, doNotify - refactor: tagged -> item for consistency * feat(xsnap worker): pass console log messages to manager - prune 'starting xsnap' log msg (per code review) - handle rejection in ManagerPort.handler * fix(xsnap): build args * refactor(xsnap): fold in what's left of xs-vat-worker - prune obsolete locate.js * chore(xsnap): move lockdown-shim out of src/ to avoid tsc errors move lockdown-shim.js and the rest of the SES bootstrap files from src/ to lib/ to avoid many tsc errors of the form... ``` Error: ../../node_modules/ses/src/error/assert.js(24,20): error TS2304: Cannot find name 'StringablePayload'. ``` * docs(xsnap): document XS handleCommand async idiom * refactor: build XS bundles with Kernel bundles * fix(xsnap worker): update syscall API to use .resolve() * chore(xsnap): provide non-trivial console in start compartment add TODO re other console methods with pointer to #2146
|
notes from chat with @warner ... goals... somewhat conflicting...
This merits further discussion. But it's not clear that there's a next step for me, so I'm removing my assignment. |
|
I think the use of object-inspect should move this into MN-1. |
|
@turadg should we re-open this? well, I guess this issue is about XS, and what bit you is the SwingSet vat console: agoric-sdk/packages/SwingSet/src/supervisors/supervisor-helper.js Lines 158 to 170 in 9cb480c |
|
I think it needs an open issue. Whether you reopen this one or I file a new one, up to you. Acceptance criteria
That could be by making Swingset's console support the console API or by modifying the typedef for the global console. I'd prefer to support the API as much as possible (if even with throwing "not implemented") than to create more special cases. |
|
please open a new one, then, @turadg |
|
👍 #5453 |
What is the Problem Being Solved?
On XS, to date, we have stubbed out the
consoleAPI; for example, in #2145). This API gets exposed to user code, which is an incompatibility risk and such incompatibility risks notoriously lead to vulnerabilities.See also UTF-8 in XS #2118
cc @kriskowal @erights @warner
Description of the Design
goals... somewhat conflicting...
also:
consolethat has at leastnoopmethods for everything in SES VirtualConsole (52e6830).['debug', 'log', 'info', 'warn', 'error']methods for use in local vat managers. Other vat managers seem to do likewise.Security Considerations
Incompatibility risks notoriously lead to vulnerabilities
Are contract writers prepared for
console.clear()to throw? Do we teach them about commit points?Test Plan
?
The text was updated successfully, but these errors were encountered: