Skip to content
Permalink
Browse files Browse the repository at this point in the history
[CVE-2020-1911] Look up HostObject computed properties on the right o…
…bject in the prototype chain.

Summary:
The change in the hermes repository fixes the security vulnerability
CVE-2020-1911.  This vulnerability only affects applications which
allow evaluation of uncontrolled, untrusted JavaScript code not
shipped with the app, so React Native apps will generally not be affected.

This revision includes a test for the bug.  The test is generic JSI
code, so it is included in the hermes and react-native repositories.

Changelog: [Internal]

Reviewed By: tmikov

Differential Revision: D23322992

fbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a
  • Loading branch information
mhorowitz authored and bigfootjon committed Aug 26, 2020
1 parent de05c8c commit fe52854
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 1 deletion.
17 changes: 17 additions & 0 deletions API/jsi/jsi/test/testlib.cpp
Expand Up @@ -394,6 +394,23 @@ TEST_P(JSITest, HostObjectTest) {
.getBool());
}

TEST_P(JSITest, HostObjectProtoTest) {
class ProtoHostObject : public HostObject {
Value get(Runtime& rt, const PropNameID&) override {
return String::createFromAscii(rt, "phoprop");
}
};

rt.global().setProperty(
rt,
"pho",
Object::createFromHostObject(rt, std::make_shared<ProtoHostObject>()));

EXPECT_EQ(
eval("({__proto__: pho})[Symbol.toPrimitive]").getString(rt).utf8(rt),
"phoprop");
}

TEST_P(JSITest, ArrayTest) {
eval("x = {1:2, '3':4, 5:'six', 'seven':['eight', 'nine']}");

Expand Down
2 changes: 1 addition & 1 deletion lib/VM/JSObject.cpp
Expand Up @@ -1173,7 +1173,7 @@ CallResult<PseudoHandle<>> JSObject::getComputedWithReceiver_RJS(
} else if (desc.flags.hostObject) {
SymbolID id{};
LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);
auto propRes = vmcast<HostObject>(selfHandle.get())->get(id);
auto propRes = vmcast<HostObject>(propObj.get())->get(id);
if (propRes == ExecutionStatus::EXCEPTION)
return ExecutionStatus::EXCEPTION;
return createPseudoHandle(*propRes);
Expand Down

0 comments on commit fe52854

Please sign in to comment.