This repository has been archived by the owner on Feb 2, 2021. It is now read-only.

ObjectToSourceLeaksPrivates

Kevin Reid edited this page Apr 16, 2015 · 1 revision

(legacy summary: serializing an object can expose private state) (legacy labels: Attack-Vector)

Object.toSource and uneval allow access to private fields

Effect

Untrusted code that can reference an object can get access to its private fields by serializing it using uneval and then parsing the resulting string.

Background

Object.toSource and uneval are non-standard members of Object.

toSource is defined in SpiderMonkey's JS1.3+ interpreters and provides a mechanism similar to Python's __repr__ method that allows objects to serialize themselves to code that can be evaled, so (new Date(2000, 0, 1)).toSource() === '(new Date(946713600000))'.

uneval does the same.

The act of serializing an object can expose its private state. Serializing a function using either of these methods does not expose private variable state, as evidenced by:

  // idx lives in the closure, not as a property of ctr
  var ctr = (function (idx) { return function () { return ++idx; }; })(0);
  ctr();
  ctr();
  // yields only the function's source text; the current value of idx is not included
  ctr.toSource();

Assumptions

uneval and Object.toSource are accessible to untrusted code.

Versions

Firefox and possibly others.

Example

// Untrusted code
function untrusted(o) {
  // untrusted need not attempt to access private_ directly
  var privateValue = o.toSource().match(/private_:\s*(\d+)/)[1] * 1;
  alert('private value is ' + privateValue);
}

var o = { private_: 4 };
untrusted(o);
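The leaky pattern from the example next to the closure-based pattern from the Background section, as an added example that is not part of the original wiki page. Node.js has no toSource or uneval, so roughToSource is a constructed stand-in that reflects over own properties the way uneval does for plain objects and returns a function's source text the way Function.prototype.toSource does; makeLeakyCounter, makeClosureCounter and extractPrivate are hypothetical helpers.

```javascript
// Constructed stand-in for uneval / Object.toSource (Node.js lacks both):
// plain objects are serialized from their own enumerable properties,
// functions contribute only their source text.
function roughToSource(value) {
  if (typeof value === 'function') {
    return value.toString(); // source text; closed-over variables are not visible
  }
  if (value === null || typeof value !== 'object') {
    return JSON.stringify(value);
  }
  var parts = Object.keys(value).map(function (k) {
    return k + ':' + roughToSource(value[k]);
  });
  return '({' + parts.join(', ') + '})';
}

// Leaky pattern from the page: the "private" value is an own property,
// so any serializer (and any reflection) can read it.
function makeLeakyCounter(start) {
  return {
    private_: start,
    next: function () { return ++this.private_; }
  };
}

// Hardened pattern: the value lives in a closure variable. Serialization
// sees only the method, whose source text carries no runtime value.
function makeClosureCounter(start) {
  var idx = start;
  return {
    next: function () { return ++idx; }
  };
}

// Same regex the page's untrusted() uses; null means nothing was leaked.
function extractPrivate(serialized) {
  var m = serialized.match(/private_:\s*(\d+)/);
  return m ? Number(m[1]) : null;
}

var leaky = makeLeakyCounter(4);
var safe = makeClosureCounter(4);
leaky.next();
safe.next(); // both counters now hold 5
var leakedValue = extractPrivate(roughToSource(leaky)); // 5
var safeValue = extractPrivate(roughToSource(safe));    // null
```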