Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Syntax based anonymous intrinsics are subject to transpiler modifications #902

Open
mhofman opened this issue Sep 20, 2021 · 3 comments
Open

Syntax based anonymous intrinsics are subject to transpiler modifications #902

mhofman opened this issue Sep 20, 2021 · 3 comments
Assignees
@kriskowal @mhofman
Labels
confinement Pertaining to confinement of guest programs. debugging support kriskowal-review-2024-01 Issues that kriskowal wants to bring to the attention of the team for review as of January, 2024 ses

Comments

@mhofman
Copy link
Contributor

mhofman commented Sep 20, 2021

Currently get-anonymous-intrinsics.js, uses direct syntax to grab some anonymous intrinsics. This is susceptible to transpilers which rewrite the SES shim's code to replace those syntax that didn't exists in previous JavaScript versions. If the actual target in which the transpiled code runs actually has those intrinsics implemented, the SES shim won't grab and harden them.

While there is no way to protect against a malicious transpiler, we should detect and error early in the presence of transpilers that were mistakenly applied to the SES shim. One way to do this is to also eval the syntax used to reach the intrinsic and compare the 2 values.
@erights erights added debugging support confinement Pertaining to confinement of guest programs. labels Sep 20, 2021
@mhofman
Copy link
Contributor Author

mhofman commented Sep 20, 2021
edited
Loading

@kumavis I heard you may have looked into this before but haven't found any open issues.

@mhofman mhofman mentioned this issue Sep 21, 2021
Open
@mhofman mhofman added the ses label Feb 8, 2022
@kriskowal kriskowal added the kriskowal-review-2024-01 Issues that kriskowal wants to bring to the attention of the team for review as of January, 2024 label Jan 10, 2024
@kriskowal
Copy link
Member

We have found that there’s a tension between this need and the need to support lockdown in a no-unsafe-eval environment. We may need a lockdown option to balance the two needs.

@kumavis
Copy link
Member

kumavis commented Jan 19, 2024

kumavis I heard you may have looked into this before but haven't found any open issues.

I've encounter the transpiling issue a few times (via babel). I do think we could add some detection for transpiling for the common cases (eg async iterators i think?). and throw an error.

We have found that there’s a tension between this need and the need to support lockdown in a no-unsafe-eval environment

fyi: metamask is a no unsafe eval as part of our CSP

@mhofman mhofman mentioned this issue Apr 18, 2024
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kriskowal kriskowal

@mhofman mhofman

Labels
confinement Pertaining to confinement of guest programs. debugging support kriskowal-review-2024-01 Issues that kriskowal wants to bring to the attention of the team for review as of January, 2024 ses
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kriskowal @mhofman @erights @kumavis