Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make it harder to forge Throw tokens #797

Merged
merged 5 commits into from
Mar 3, 2022
Merged

Make it harder to forge Throw tokens #797

merged 5 commits into from
Mar 3, 2022

Conversation

dherman
Copy link
Collaborator

@dherman dherman commented Sep 18, 2021

This PR makes it harder (though not technically impossible) to forge Throw tokens. We already have safety mechanisms in place in case of forged Throw tokens, leading to well-defined panics (as opposed to something unsafe, like undefined behavior). But this should help prevent programs from accidentally saving and reusing a Throw token.

There is also a test case that still does show how it's technically possible to forge a token, and demonstrates that it still has predictable behavior.

An alternative that would be even safer would be to place a lifetime on a Throw token, making it impossible to store them in long-lived storage. But this would leak into the type signatures of e.g. NeonResult and APIs that use it, which would add a lot of complexity to Neon for little value. The panic is for a rare enough case that the extra type safety wouldn't be worth it IMO.

One more change I want to make in this PR is to add !Send phantom data to the Throw type so that it can't be shared outside of its thread.

kjvalencik
kjvalencik reviewed Sep 20, 2021
View reviewed changes
src/result/mod.rs Outdated Show resolved Hide resolved
test/dynamic/native/src/js/functions.rs Outdated Show resolved Hide resolved
@dherman
Make it harder to forge Throw tokens
73562af 
- added a private field to the type
- changed the test case that forges a `Throw` token to be much more devious (since it's so much harder to forge now)
@dherman
Kill unnecessary turbofish, and fix a doc test
eeeaf06
@dherman
Fix rustfmt errors and doctest issue with legacy/N-API incompatible c…
9c054af 
…hange.
@dherman
Address review suggestions:
9107569 
- use private phantom !Send+!Sync data to make Throw even slightly more secure
- use a crate-private constructor method to clean up construction code throughout the crate
- simpler logic for forge test
@dherman dherman requested a review from kjvalencik November 17, 2021 17:15
kjvalencik
kjvalencik approved these changes Nov 17, 2021
View reviewed changes
src/result/mod.rs Outdated Show resolved Hide resolved
@dherman dherman changed the base branch from main to next/0.10 March 3, 2022 23:22
@dherman dherman merged commit 79c983c into next/0.10 Mar 3, 2022
@dherman dherman deleted the unforgeable-throw branch March 3, 2022 23:33
@dherman dherman mentioned this pull request Mar 3, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kjvalencik kjvalencik kjvalencik approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dherman @kjvalencik