Lint to disallow SES polymorphic calls #827
Conversation
|
here's one example. should we be concerned that this could be dangerous? |
|
added a "preview" of the call to the lint message |
kriskowal
force-pushed
the
eslint-plugin/no-polymorphic-call
branch
from
ab9f4d3
to
cfc4709
Compare
|
@kumavis I did a rebase and force-pushed with extra commits to cut the warnings down by half. I’m shooting to have most of them addressed with another commit or so today. One of the interesting ones is using the compartment API itself as intrinsics, which will take some refactoring. |
|
@kumavis Added commits to eliminate the warnings. This is ready for broader review and I’ll look into rebasing and cleanup tomorrow. |
kriskowal
changed the title
| let propertyHint | ||
| if (object.type === 'Identifier') { | ||
| objectHint = object.name | ||
| } else if (object.type === 'MemberExpression') { |
There was a problem hiding this comment.
This certainly did produce lint errors for a[b]() syntax.
There was a problem hiding this comment.
yes same member expression but with computed flag set to true
|
It does catch that, indeed.
…On Sun, Jul 18, 2021 at 9:00 PM Jack Works ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In packages/eslint-plugin/lib/rules/no-polymorphic-call.js
<#827 (comment)>:
> + return
+ }
+ const reportHint = prepareMemberExpressionHint(node.callee)
+ context.report(node, `Polymorphic call: "${reportHint}". May be vulnerable to corruption or trap`)
+ }
+ }
+ },
+}
+
+function prepareMemberExpressionHint (node) {
+ const { object, property, computed } = node
+ let objectHint
+ let propertyHint
+ if (object.type === 'Identifier') {
+ objectHint = object.name
+ } else if (object.type === 'MemberExpression') {
Does it cover a[b]?
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#827 (review)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAOXBQ7Q2LPQSZKT2VWFXLTYOPNZANCNFSM5ADJ3JBQ>
.
|
kriskowal
force-pushed
the
eslint-plugin/no-polymorphic-call
branch
from
c58c520
to
82c38bf
Compare
| @@ -0,0 +1,72 @@ | |||
| /// <reference types="ses"> | |||
There was a problem hiding this comment.
The Compartment.evaluate implementation needed to be extracted into a stand-alone module so it could be used from both compartment-shim.js and module-instance.js without dynamic dispatch. The internals communicate purely through their captured private fields.
There was a problem hiding this comment.
I (MarkM) did not review this refactoring.
| baseConsole[name](...args); | ||
| } | ||
| }; | ||
| return [name, freeze(method)]; | ||
| }); | ||
| const filteringConsole = fromEntries(methods); | ||
| return freeze(filteringConsole); | ||
| return /** @type {VirtualConsole} */ (freeze(filteringConsole)); |
There was a problem hiding this comment.
This is an unrelated change that was necessary to appease the IDE type-checker, but not our TSC lint CI job.
| @@ -18,7 +18,9 @@ if (typeof abandon === 'function') { | |||
| /** @param {Error} reason */ | |||
| raise = reason => { | |||
| // Check `console` each time `raise` is called. | |||
| // eslint-disable-next-line no-restricted-globals | |||
There was a problem hiding this comment.
@erights and I expressly decided that lazy binding console and assert and dynamic dispatch on their methods were the desired, albeit exceptional, behavior. The reason being that SES changes these on lockdown. The machinery to have lockdown incidentally change some shared module state is far too complex to warrant.
| continue; | ||
| } | ||
| intrinsics[namePrototype] = intrinsicPrototype; | ||
| const addIntrinsics = newIntrinsics => { |
There was a problem hiding this comment.
The change below here is merely changing the intrinsicsCollector to a bag of closure functions instead of using concise methods. They were already used as bare closure functions, but this needed to be more explicit to avoid dynamic dispatch.
This is a case where dynamic dispatch would have been just as safe, but it was as easy to refactor this way and avoid lint-rule comment noise.
kriskowal
force-pushed
the
eslint-plugin/no-polymorphic-call
branch
from
82c38bf
to
fef1e82
Compare
|
I think we made a mistake prior to this PR that should be fixed before this PR: commons.js should not be capturing and reexporting things like Thus, these repair modules should do their own initial capture of these objects and not reexport them. But commons.js, capturing the originals and reexporting them, keeps them accessible rather than safely encapsulated. |
There was a problem hiding this comment.
At #827 (comment) I write:
I think we made a mistake prior to this PR that should be fixed before this PR: commons.js should not be capturing and reexporting things like
Errorwhich, if captured this early, would be the originalErrorconstructor that is supposed to be completely inaccessible after repair, even in the start compartment. The originalErrorconstructor should be completely encapsulated within the repairedErrorconstructors.Thus, these repair modules should do their own initial capture of these objects and not reexport them. But commons.js, capturing the originals and reexporting them, keeps them accessible rather than safely encapsulated.
I'm posting that as a "request changes" so it is repaired before this PR proceeds.
|
Just eyeballing commons.js quickly, the violations that jump out at me:
We should either remove all four from commons.js, or we should follow the Note that The thread above already alerts us to the issue of the non-standard powerful SES-shim globals Upcoming dangerous standard globals for us to eventually incorporate: So, for now, unless I missed something, just exporting the original |
kriskowal
force-pushed
the
eslint-plugin/no-polymorphic-call
branch
from
fef1e82
to
67d0117
Compare
kriskowal
force-pushed
the
eslint-plugin/no-polymorphic-call
branch
from
67d0117
to
b1123b9
Compare
There was a problem hiding this comment.
The FERAL_ naming only works if it occurs rarely enough to set off alarm bells when you see it. Most of the occurrences here are just throw FERAL_ERROR which probably should have been throw TypeError anyway as that is the more usual choice. With those fixed, the problem is much reduced, and the phrase will continue to alarm.
packages/ses/index.js
Outdated
| @@ -12,7 +12,7 @@ | |||
| // See the License for the specific language governing permissions and | |||
| // limitations under the License. | |||
|
|
|||
| import { globalThis, Error, assign } from './src/commons.js'; | |||
| import { globalThis, FERAL_ERROR, assign } from './src/commons.js'; | |||
There was a problem hiding this comment.
See note below
| import { globalThis, FERAL_ERROR, assign } from './src/commons.js'; | |
| import { globalThis, TypeError, assign } from './src/commons.js'; |
| @@ -0,0 +1,72 @@ | |||
| /// <reference types="ses"> | |||
There was a problem hiding this comment.
I (MarkM) did not review this refactoring.
| @@ -194,7 +196,7 @@ export default function enablePropertyOverrides( | |||
| break; | |||
| } | |||
| default: { | |||
| throw new Error(`unrecognized overrideTaming ${overrideTaming}`); | |||
| throw new FERAL_ERROR(`unrecognized overrideTaming ${overrideTaming}`); | |||
packages/ses/src/module-link.js
Outdated
| @@ -163,7 +163,7 @@ export const instantiate = ( | |||
| resolvedImports, | |||
| ); | |||
| } else { | |||
| throw new Error( | |||
| throw new FERAL_ERROR( | |||
packages/ses/src/scope-handler.js
Outdated
| console.warn( | ||
| `getOwnPropertyDescriptor trap on scopeHandler for ${quotedProp}`, | ||
| new Error().stack, | ||
| new FERAL_ERROR().stack, |
There was a problem hiding this comment.
Any error would do equally well here.
| new FERAL_ERROR().stack, | |
| new TypeError().stack, |
| @@ -39,7 +40,7 @@ const nonLocaleCompare = tamedMethods.localeCompare; | |||
|
|
|||
| export default function tameLocaleMethods(intrinsics, localeTaming = 'safe') { | |||
| if (localeTaming !== 'safe' && localeTaming !== 'unsafe') { | |||
| throw new Error(`unrecognized dateTaming ${localeTaming}`); | |||
| throw new FERAL_ERROR(`unrecognized dateTaming ${localeTaming}`); | |||
| Error, | ||
| RegExp as OriginalRegExp, | ||
| FERAL_ERROR, | ||
| FERAL_REG_EXP, |
There was a problem hiding this comment.
This is the one occurrence I expected
| @@ -114,7 +116,9 @@ export default function whitelistIntrinsics( | |||
| } | |||
|
|
|||
| // We can't clean [[prototype]], therefore abort. | |||
| throw new Error(`Unexpected intrinsic ${path}.__proto__ at ${protoName}`); | |||
| throw new FERAL_ERROR( | |||
kriskowal
force-pushed
the
eslint-plugin/no-polymorphic-call
branch
from
7e63539
to
52edbbc
Compare
kriskowal
force-pushed
the
eslint-plugin/no-polymorphic-call
branch
from
52edbbc
to
4c33308
Compare
kriskowal
force-pushed
the
eslint-plugin/no-polymorphic-call
branch
from
4c33308
to
0c72ad6
Compare
|
All your feedback on minimizing invocations of |
packages/ses/src/commons.js
Outdated
| * isError tests whether an object descends from the intrinsic Error | ||
| * constructor. |
There was a problem hiding this comment.
I don't know what "descends" means here.
| * isError tests whether an object descends from the intrinsic Error | |
| * constructor. | |
| * isError tests whether an object inherits from the intrinsic | |
| * `Error.prototype`. |
packages/ses/src/commons.js
Outdated
| * signal for reviewers that we are handling an object with excess authority | ||
| * that we are carefully hiding from client code, like stack trace inspection. |
There was a problem hiding this comment.
| * signal for reviewers that we are handling an object with excess authority | |
| * that we are carefully hiding from client code, like stack trace inspection. | |
| * signal for reviewers that we are handling an object with excess authority, | |
| * like stack trace inspection, that we are carefully hiding from client code. |
avoids a parsing ambiguity.
| @@ -214,21 +226,21 @@ const tagError = (err, optErrorName = err.name) => { | |||
| */ | |||
| const makeError = ( | |||
| optDetails = redactedDetails`Assert failed`, | |||
| ErrorConstructor = Error, | |||
| ErrorConstructor = globalThis.Error, | |||
| @@ -39,7 +39,7 @@ const nonLocaleCompare = tamedMethods.localeCompare; | |||
|
|
|||
| export default function tameLocaleMethods(intrinsics, localeTaming = 'safe') { | |||
| if (localeTaming !== 'safe' && localeTaming !== 'unsafe') { | |||
| throw new Error(`unrecognized dateTaming ${localeTaming}`); | |||
| throw new TypeError(`unrecognized dateTaming ${localeTaming}`); | |||
There was a problem hiding this comment.
| throw new TypeError(`unrecognized dateTaming ${localeTaming}`); | |
| throw new TypeError(`unrecognized localeTaming ${localeTaming}`); |
I'm sure this was my mistake, but is a good time to fix it.
| @@ -39,7 +39,7 @@ const nonLocaleCompare = tamedMethods.localeCompare; | |||
|
|
|||
| export default function tameLocaleMethods(intrinsics, localeTaming = 'safe') { | |||
There was a problem hiding this comment.
We still need a special case for Number.toLocaleString, to avoid the same bug that XS had. Yes?
kriskowal
force-pushed
the
eslint-plugin/no-polymorphic-call
branch
from
0c72ad6
to
0273165
Compare
[edit kriskowal 2021-07-15]
This adds an eslint plugin that @kumavis authored for us to help us validate that SES shim captures all of the behavior of intrinsics that it needs during initialization in order to provide a faithful emulation of a native SES implementation, to the extent that’s possible and given that SES runs before any intrinsic is altered away from specified behavior.
Then follows changes by me to get SES shim to obey the lint rule.
@erights and I concluded that console and assert should in general be bound late and their methods dispatched dynamically.
Some compartment code moved around to prevent alteration of the Compartment prototype from affecting the behavior of “native” compartment methods.