From feb34b429c6fb525a364e603f5e12759b2204527 Mon Sep 17 00:00:00 2001
From: Kitson Kelly
Date: Fri, 13 Mar 2020 13:20:22 +1100
Subject: [PATCH 1/5] Remove Object.prototype.__proto__
---
 cli/js/runtime_main.ts | 4 ++++
 cli/js/runtime_worker.ts | 4 ++++
 cli/tests/integration_tests.rs | 5 +++++
 cli/tests/proto_exploit.js | 5 +++++
 cli/tests/proto_exploit.js.out | 2 ++
 5 files changed, 20 insertions(+)
 create mode 100644 cli/tests/proto_exploit.js
 create mode 100644 cli/tests/proto_exploit.js.out
diff --git a/cli/js/runtime_main.ts b/cli/js/runtime_main.ts
index a59e7513bfb7fd..55b47db163c6a8 100644
--- a/cli/js/runtime_main.ts
+++ b/cli/js/runtime_main.ts
@@ -49,6 +49,10 @@ export function bootstrapMainRuntime(): void {
 }
 log("bootstrapMainRuntime");
 hasBootstrapped = true;
+ // Closes a denial of service vulnerability. This makes Deno intentionally
+ // non-compliant with ECMA-262 Annex B.2.2.1.
+ // See: https://www.ecma-international.org/ecma-262/6.0/#sec-object.prototype.__proto__
+ delete (Object.prototype as any).__proto__;
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeMethods);
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeProperties);
 Object.defineProperties(globalThis, eventTargetProperties);
diff --git a/cli/js/runtime_worker.ts b/cli/js/runtime_worker.ts
index 3468e810997f31..fb658b08dd12a0 100644
--- a/cli/js/runtime_worker.ts
+++ b/cli/js/runtime_worker.ts
@@ -100,6 +100,10 @@ export function bootstrapWorkerRuntime(name: string): void {
 }
 log("bootstrapWorkerRuntime");
 hasBootstrapped = true;
+ // Closes a denial of service vulnerability. This makes Deno intentionally
+ // non-compliant with ECMA-262 Annex B.2.2.1.
+ // See: https://www.ecma-international.org/ecma-262/6.0/#sec-object.prototype.__proto__
+ delete (Object.prototype as any).__proto__;
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeMethods);
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeProperties);
 Object.defineProperties(globalThis, workerRuntimeGlobalProperties);
diff --git a/cli/tests/integration_tests.rs b/cli/tests/integration_tests.rs
index ce08c6b61a2fe2..e20b8da05c35dd 100644
--- a/cli/tests/integration_tests.rs
+++ b/cli/tests/integration_tests.rs
@@ -1426,6 +1426,11 @@ itest!(fix_js_imports {
 output: "fix_js_imports.ts.out",
 });
 
+itest!(proto_exploit {
+ args: "run proto_exploit.js",
+ output: "proto_exploit.js.out",
+});
+
 #[test]
 fn cafile_fetch() {
 use deno::http_cache::url_to_filename;
diff --git a/cli/tests/proto_exploit.js b/cli/tests/proto_exploit.js
new file mode 100644
index 00000000000000..8bd22cfe532c22
--- /dev/null
+++ b/cli/tests/proto_exploit.js
@@ -0,0 +1,5 @@
+const payload = `{ "__proto__": null }`;
+const obj = {};
+console.log("Before: " + obj);
+Object.assign(obj, JSON.parse(payload));
+console.log("After: " + obj);
diff --git a/cli/tests/proto_exploit.js.out b/cli/tests/proto_exploit.js.out
new file mode 100644
index 00000000000000..fde881dc558cb0
--- /dev/null
+++ b/cli/tests/proto_exploit.js.out
@@ -0,0 +1,2 @@
+Before: [object Object]
+After: [object Object]
From 78d37d7c8bff459b4755017993d3c14cbfc3dc27 Mon Sep 17 00:00:00 2001
From: Kitson Kelly
Date: Fri, 13 Mar 2020 14:48:56 +1100
Subject: [PATCH 2/5] linting
---
 cli/js/runtime_main.ts | 1 +
 cli/js/runtime_worker.ts | 1 +
 2 files changed, 2 insertions(+)
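Review bot: The new test exercises only the main runtime via `run proto_exploit.js`, while this same patch adds the deletion to `bootstrapWorkerRuntime` in cli/js/runtime_worker.ts as well; a variant that performs the `Object.assign` inside a `new Worker(...)` and posts the result back would pin the worker path too. The expected output also depends on a non-obvious mechanism: with the accessor intact, the `Object.assign` would null `obj`'s prototype and `"After: " + obj` would throw a TypeError instead of printing, so a comment such as `// With Object.prototype.__proto__ present this assignment would null obj's prototype and the next line would throw` makes the .out file self-explanatory. `JSON.parse` always yields a plain own `__proto__` data property here, so what the test actually checks is the behaviour of the subsequent assignment, which the comment should say.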
diff --git a/cli/js/runtime_main.ts b/cli/js/runtime_main.ts
index 55b47db163c6a8..30e511503c32eb 100644
--- a/cli/js/runtime_main.ts
+++ b/cli/js/runtime_main.ts
@@ -52,6 +52,7 @@ export function bootstrapMainRuntime(): void {
 // Closes a denial of service vulnerability. This makes Deno intentionally
 // non-compliant with ECMA-262 Annex B.2.2.1.
 // See: https://www.ecma-international.org/ecma-262/6.0/#sec-object.prototype.__proto__
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
 delete (Object.prototype as any).__proto__;
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeMethods);
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeProperties);
diff --git a/cli/js/runtime_worker.ts b/cli/js/runtime_worker.ts
index fb658b08dd12a0..9855aaa6bacaf2 100644
--- a/cli/js/runtime_worker.ts
+++ b/cli/js/runtime_worker.ts
@@ -103,6 +103,7 @@ export function bootstrapWorkerRuntime(name: string): void {
 // Closes a denial of service vulnerability. This makes Deno intentionally
 // non-compliant with ECMA-262 Annex B.2.2.1.
 // See: https://www.ecma-international.org/ecma-262/6.0/#sec-object.prototype.__proto__
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
 delete (Object.prototype as any).__proto__;
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeMethods);
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeProperties);
From d48a084f2186da8fd50a14cd8809761dca8405e0 Mon Sep 17 00:00:00 2001
From: Kitson Kelly
Date: Fri, 13 Mar 2020 20:52:44 +1100
Subject: [PATCH 3/5] Improvements based on feedback
---
 cli/js/runtime_main.ts | 5 -----
 cli/js/runtime_worker.ts | 5 -----
 deno_typescript/lib.rs | 7 ++++++-
 3 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/cli/js/runtime_main.ts b/cli/js/runtime_main.ts
index 30e511503c32eb..a59e7513bfb7fd 100644
--- a/cli/js/runtime_main.ts
+++ b/cli/js/runtime_main.ts
@@ -49,11 +49,6 @@ export function bootstrapMainRuntime(): void {
 }
 log("bootstrapMainRuntime");
 hasBootstrapped = true;
- // Closes a denial of service vulnerability. This makes Deno intentionally
- // non-compliant with ECMA-262 Annex B.2.2.1.
- // See: https://www.ecma-international.org/ecma-262/6.0/#sec-object.prototype.__proto__
- // eslint-disable-next-line @typescript-eslint/no-explicit-any
- delete (Object.prototype as any).__proto__;
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeMethods);
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeProperties);
 Object.defineProperties(globalThis, eventTargetProperties);
diff --git a/cli/js/runtime_worker.ts b/cli/js/runtime_worker.ts
index 9855aaa6bacaf2..3468e810997f31 100644
--- a/cli/js/runtime_worker.ts
+++ b/cli/js/runtime_worker.ts
@@ -100,11 +100,6 @@ export function bootstrapWorkerRuntime(name: string): void {
 }
 log("bootstrapWorkerRuntime");
 hasBootstrapped = true;
- // Closes a denial of service vulnerability. This makes Deno intentionally
- // non-compliant with ECMA-262 Annex B.2.2.1.
- // See: https://www.ecma-international.org/ecma-262/6.0/#sec-object.prototype.__proto__
- // eslint-disable-next-line @typescript-eslint/no-explicit-any
- delete (Object.prototype as any).__proto__;
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeMethods);
 Object.defineProperties(globalThis, windowOrWorkerGlobalScopeProperties);
 Object.defineProperties(globalThis, workerRuntimeGlobalProperties);
diff --git a/deno_typescript/lib.rs b/deno_typescript/lib.rs
index d88932eebdaa7e..7a7fb361b210c5 100644
--- a/deno_typescript/lib.rs
+++ b/deno_typescript/lib.rs
@@ -204,7 +204,12 @@ pub fn mksnapshot_bundle(
 js_check(
 isolate.execute(&bundle_filename.to_string_lossy(), bundle_source_code),
 );
- let script = &format!("__instantiate(\"{}\");", main_module_name);
+ // instantiate the bundle and delete __proto__ for security reasons
+ // this is intentionally not compliant with ECMA-262 Annex B.2.2.1.
+ let script = &format!(
+ "__instantiate(\"{}\");\n\ndelete Object.prototype.__proto__;",
+ main_module_name
+ );
 js_check(isolate.execute("anon", script));
 write_snapshot(isolate, snapshot_filename)?;
 Ok(())
From 1cbe03feef9f5a84dc6eff86bf8267a3b7edcc75 Mon Sep 17 00:00:00 2001
From: Kitson Kelly
Date: Sun, 15 Mar 2020 06:40:47 +1100
Subject: [PATCH 4/5] More updates based on feedback
---
 cli/js/compiler.ts | 6 ++++++
 cli/js/main.ts | 6 ++++++
 deno_typescript/lib.rs | 5 +----
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/cli/js/compiler.ts b/cli/js/compiler.ts
index ed156ef0ab3810..25f5cd17c04cd3 100644
--- a/cli/js/compiler.ts
+++ b/cli/js/compiler.ts
@@ -412,6 +412,12 @@ function bootstrapWasmCompilerRuntime(): void {
 globalThis.onmessage = wasmCompilerOnMessage;
 }
 
+// Removes the `__proto__` for security reasons. This intentionally makes
+// Deno non compliant with ECMA-262 Annex B.2.2.1
+//
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+delete (Object.prototype as any).__proto__;
+
 Object.defineProperties(globalThis, {
 bootstrapWasmCompilerRuntime: {
 value: bootstrapWasmCompilerRuntime,
diff --git a/cli/js/main.ts b/cli/js/main.ts
index fbebfefe4247f2..881d3ad4a0f061 100644
--- a/cli/js/main.ts
+++ b/cli/js/main.ts
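Review bot: The `as any` cast and the eslint-disable line on the new top-level `delete` exist only to give `delete` a typed operand; `Reflect.deleteProperty(Object.prototype, "__proto__");` performs the same removal without `any`, and its boolean result lets bootstrap fail loudly rather than silently should the accessor ever be non-configurable or already absent, e.g. `if (!Reflect.deleteProperty(Object.prototype, "__proto__")) throw new Error("failed to remove Object.prototype.__proto__");`. The identical hunk in cli/js/main.ts has the same shape. The comment should also record the mitigation's scope so later maintainers do not over-rely on it: only the Annex B.2.2.1 accessor is removed, so `Object.getPrototypeOf`/`Object.setPrototypeOf` and the `__proto__` key in object literals (Annex B.3.1) keep working and `Object.prototype` itself remains extensible, while the proto_exploit.js test pins only the JSON/`Object.assign` null-prototype case.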
@@ -2,6 +2,12 @@
 import { bootstrapMainRuntime } from "./runtime_main.ts";
 import { bootstrapWorkerRuntime } from "./runtime_worker.ts";
 
+// Removes the `__proto__` for security reasons. This intentionally makes
+// Deno non compliant with ECMA-262 Annex B.2.2.1
+//
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+delete (Object.prototype as any).__proto__;
+
 Object.defineProperties(globalThis, {
 bootstrapMainRuntime: {
 value: bootstrapMainRuntime,
diff --git a/deno_typescript/lib.rs b/deno_typescript/lib.rs
index 7a7fb361b210c5..f9bd7995c57a1c 100644
--- a/deno_typescript/lib.rs
+++ b/deno_typescript/lib.rs
@@ -206,10 +206,7 @@ pub fn mksnapshot_bundle(
 );
 // instantiate the bundle and delete __proto__ for security reasons
 // this is intentionally not compliant with ECMA-262 Annex B.2.2.1.
- let script = &format!(
- "__instantiate(\"{}\");\n\ndelete Object.prototype.__proto__;",
- main_module_name
- );
+ let script = &format!("__instantiate(\"{}\");", main_module_name);
 js_check(isolate.execute("anon", script));
 write_snapshot(isolate, snapshot_filename)?;
 Ok(())
From dc69af8f48805c598dc34c936249df6dc22c05ad Mon Sep 17 00:00:00 2001
From: Kitson Kelly
Date: Sun, 15 Mar 2020 19:01:52 +1100
Subject: [PATCH 5/5] Remove stray comment
---
 deno_typescript/lib.rs | 2 --
 1 file changed, 2 deletions(-)
diff --git a/deno_typescript/lib.rs b/deno_typescript/lib.rs
index f9bd7995c57a1c..d88932eebdaa7e 100644
--- a/deno_typescript/lib.rs
+++ b/deno_typescript/lib.rs
@@ -204,8 +204,6 @@ pub fn mksnapshot_bundle(
 js_check(
 isolate.execute(&bundle_filename.to_string_lossy(), bundle_source_code),
 );
- // instantiate the bundle and delete __proto__ for security reasons
- // this is intentionally not compliant with ECMA-262 Annex B.2.2.1.
 let script = &format!("__instantiate(\"{}\");", main_module_name);
 js_check(isolate.execute("anon", script));
 write_snapshot(isolate, snapshot_filename)?;