Date.now() can be accessed despite it being disabled #27

Closed
matt- opened this Issue Jan 14, 2019 · 2 comments


matt- commented Jan 14, 2019

att @warner

Member

warner commented Jan 14, 2019

Matt described a security bug to us recently. We have a fix ready to push (along with a description of the issue) once we've finished coordinating with other users, probably tomorrow.

@warner warner added the security bug label Jan 14, 2019

Member

warner commented Jan 15, 2019

SES tames Date.now() and the zero-argument new Date() constructor to
prevent access to non-determinism (and thus reading from side-channels).
However, the previous taming mechanism could be bypassed by creating a new
Realm or SESRealm from within the confined one. This patch closes that hole.
Thanks to Matt Austin (@matt-) for the catch.

This also changes the API. Tamed SES realms (in which Date.now() returns
NaN) are the default, obtained with SES.makeSESRootRealm(). Permissive SES
realms (where Date.now() works normally) can be created with
SES.makeSESRootRealm({dateNowMode: "allow"}).

@warner warner closed this in 41d98a0 Jan 15, 2019

@warner warner changed the title from "undisclosed security bug" to "Date.now() can be accessed despite it being disabled" Jan 15, 2019
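
A model of the failure mode described in the last comment, added here as an example and not SES's own code: Node's `vm` contexts stand in for realms, only `Date.now()` is tamed, and the names `makeRealm`, `makeChildRealm` and `inheritTaming` are hypothetical. It checks that taming applied to a root realm still holds in a realm created from inside it.

```javascript
const vm = require('node:vm');

// Taming step, run inside a realm so it patches that realm's own Date.
// This model tames Date.now() only.
const TAME_DATE_NOW = 'Date.now = () => NaN;';

// Hypothetical realm factory. Each vm context has its own Date intrinsic,
// which is why taming one realm says nothing about a freshly created one.
//   dateNowMode: 'allow' -> permissive realm; anything else -> tamed
//   inheritTaming: false -> models the old behaviour (children start untamed)
function makeRealm({ dateNowMode, inheritTaming = true } = {}) {
  const context = vm.createContext({});
  if (dateNowMode !== 'allow') {
    vm.runInContext(TAME_DATE_NOW, context);
  }
  // Endowment visible to confined code. It takes no options, so confined
  // code cannot ask for a more permissive child than its parent.
  context.makeChildRealm = () =>
    makeRealm({
      dateNowMode: inheritTaming ? dateNowMode : 'allow',
      inheritTaming,
    });
  return { evaluate: (source) => vm.runInContext(source, context) };
}

// Read the clock directly and through a realm created from inside.
function probe(realm) {
  return {
    direct: realm.evaluate('Date.now()'),
    nested: realm.evaluate('makeChildRealm().evaluate("Date.now()")'),
  };
}

// Regression check: a tamed root must stay tamed at every depth tested.
function tamingHolds(realm) {
  const { direct, nested } = probe(realm);
  return Number.isNaN(direct) && Number.isNaN(nested);
}

console.log('children start untamed:', tamingHolds(makeRealm({ inheritTaming: false }))); // false
console.log('children inherit taming:', tamingHolds(makeRealm())); // true
```
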
