Need to remove all primordials not on whitelist #26

Closed
erights opened this Issue Jan 13, 2019 · 1 comment


erights commented Jan 13, 2019

This leaves known security-breaking non-standard builtins available. For example, on https://rawgit.com/Agoric/SES/master/demo/ the test logs of

function*() {
  // Enumerate the own property names of each intrinsic as seen from
  // inside the confined demo; `log` is the demo page's logging function.
  const gopn = Object.getOwnPropertyNames;
  log(gopn(Error));
  log(gopn(RegExp));
}

show that v8's non-standard Error.captureStackTrace remains, as do the Appendix B RegExp statics. Both of these are known unsafe and omitted from both the normative standard and the SES whitelist for this reason. They must not be available to confined code, but still are.


erights commented Jan 25, 2019

This is in progress on the whitelist-2 branch. Noting here that I've made comments on the commit at 002c13f#diff-f3829507cd86aaaefe64616611e0e3c1R142 in lieu of PR comments, since this has not yet turned into a PR.

@erights erights added the 1.0-blocker label Feb 6, 2019

@warner warner closed this in 5b6401c Feb 6, 2019

warner added a commit that referenced this issue Feb 9, 2019

release 0.3.0: improves security and functionality
This fixes all known confinement leaks:

* We now freeze AsyncGeneratorFunction and AsyncFunction, the last of the
  "anonymous" intrinsics (which are reachable by syntax but not simple
  property lookup). In the previous release, attacker code could modify their
  behavior (which defender code might have been relying upon) or use them as
  a communication channel. (#3, #41)
* We now remove all unknown properties from the global object, using a
  special list of ones that are safe to expose. This protects us from
  surprising platform-specific objects, or newly-added standard JS objects
  that have not yet been examined for safety. The 'Intl' object is currently
  removed by this check (and `intlMode: "allow"` has been removed), but may
  be brought back in a future release. (#26)
* RegExp.prototype.compile is removed unconditionally (even if regexpMode:
  "allow" is set), because it violates the semantics of Object.freeze

It also improves usability:

* Uncaught exceptions in Node.js are now rendered correctly when the
  `errorStackMode: "allow"` option is enabled. In the previous release, such
  exceptions were always displayed as "undefined", which was particularly
  unhelpful. If your program is abruptly exiting with "undefined", try
  turning this option on while you're debugging. But don't leave it on,
  because it probably enables a confinement breach.
* SES is an ES6 module, but should now be importable with `require()` by
  other code which is unaware of ES6 modules, because it now uses the `esm`
  module internally. (#32)
* `console.log` is now available within the confined code, if the
  `consoleMode: "allow"` option is enabled. If this is disabled,
  `console.log()` will throw a `TypeError` (since `console` is undefined, it
  has no `log` property). Many other `console` methods (but not all) are
  exposed too. (#35)

SES now requires Node.js version 10 or later.
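As an added example (not code from the SES repository), here is a whitelist-driven pass of the kind the issue's `getOwnPropertyNames` check and the release note "remove all unknown properties ... using a special list of ones that are safe to expose" describe: it lists the own properties an intrinsic carries that are not on its whitelist, removes them, and fails loudly if one cannot be deleted, since a non-configurable leftover would silently defeat the check. The `FakeError` and `FakeRegExp` stand-ins, their extra properties and the flat whitelist shape are constructed for illustration; the real SES whitelist is a nested structure over the actual intrinsics.

```javascript
// Constructed stand-ins for Error and RegExp so the example runs without
// modifying the real intrinsics of the host. Property names mimic the
// non-standard extras mentioned in the issue.
function makeFakeError() {
  const E = function FakeError() {};
  E.captureStackTrace = () => {};   // v8 extension, not in the standard
  E.stackTraceLimit = 10;           // v8 extension
  return E;
}
function makeFakeRegExp() {
  const R = function FakeRegExp() {};
  R.$1 = ''; R.lastMatch = ''; R.input = '';   // Appendix B style statics
  return R;
}

// Assumed whitelist shape: intrinsic name -> permitted own property names.
// Only the standard own properties of a function constructor are allowed.
const WHITELIST = {
  FakeError: ['length', 'name', 'prototype'],
  FakeRegExp: ['length', 'name', 'prototype'],
};

// Report every own key (string or symbol) that the whitelist does not name.
// Reflect.ownKeys also sees symbol keys, which getOwnPropertyNames misses.
function findUnlisted(obj, allowed) {
  const allowedSet = new Set(allowed);
  return Reflect.ownKeys(obj).filter(key => !allowedSet.has(key));
}

// Delete unlisted keys and return what was removed. A key that cannot be
// deleted is an error, not a warning: the intrinsic would stay leaky.
function pruneToWhitelist(obj, allowed) {
  const removed = [];
  for (const key of findUnlisted(obj, allowed)) {
    if (!Reflect.deleteProperty(obj, key)) {
      throw new TypeError(`cannot remove non-configurable ${String(key)}`);
    }
    removed.push(key);
  }
  return removed;
}

// Prune both stand-ins, then re-run the check to confirm nothing survives.
function demo() {
  const E = makeFakeError(), R = makeFakeRegExp();
  const removed = {
    FakeError: pruneToWhitelist(E, WHITELIST.FakeError),
    FakeRegExp: pruneToWhitelist(R, WHITELIST.FakeRegExp),
  };
  const leftover = findUnlisted(E, WHITELIST.FakeError)
    .concat(findUnlisted(R, WHITELIST.FakeRegExp));
  return { removed, leftover };
}
```

The same pass, pointed at a real realm's intrinsics with the project's whitelist, is what turns "remove all primordials not on whitelist" from a manual log inspection into an enforced invariant.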