Reference external data without UAF #1426
I'm working on adding QuickJS as an embedded scripting engine for our project, allowing users to define custom HTTP filtering logic like We need to read these HTTP requests in JS, something like njs but expressions are provided externally (maybe from a webui) and we don't want to get taken down by bad expressions. We need to pass references to HTTP requests to QuickJS but users can always store them somewhere else (exceptions/promises/...) and cause UAF. We use quickjs-ng through rquickjs and my first approach is to mark pointers as optional ( We're thinking about providing a clean context on every request. Can we clone or reset the context to clean these pointers and avoid recreating prototypes at the same time?
Replies: 1 comment
I don't quite follow. Why is that?

My first hunch is that, instead of storing pointers, you store an identifier with JS_SetOpaque(obj, (void *)(uintptr_t)id), and then use the identifier to look up the corresponding state in a hash map. No match == request expired/completed.

Not at the moment, and cloning or resetting probably won't be much faster than simply recreating from scratch.
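One way to implement the identifier lookup suggested in the reply, as an added example that is not part of this discussion and not quickjs-ng's or rquickjs's own code. It uses a constructed slot table tagged with a generation counter in place of the hash map the reply mentions: the JS object only ever carries the packed id (what would go into JS_SetOpaque), and a lookup with a stale id returns NULL, which is the "request expired/completed" case. The request_t fields, the table size and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a table of in-flight HTTP requests. JS objects never
 * hold a request_t pointer; they hold only a 64-bit id packed as
 * (slot index, generation). Once the slot is released the generation is
 * bumped, so any id a script stashed in a closure or promise stops resolving
 * instead of dereferencing freed memory. */

typedef struct {
    char method[8];
    char path[128];
} request_t;

#define MAX_REQUESTS 16 /* assumed table size for the example */

typedef struct {
    request_t *req;      /* NULL when the slot is free */
    uint32_t generation; /* bumped each time the slot is released; never 0 */
} slot_t;

static slot_t g_slots[MAX_REQUESTS];

/* Pack slot index and generation into one id the JS side carries opaquely
 * (with QuickJS this is the value passed as (void *)(uintptr_t)id to
 * JS_SetOpaque, an assumption about the caller). Generation is kept non-zero
 * so id 0 is never a valid handle. */
static uint64_t make_id(uint32_t idx, uint32_t gen) {
    return ((uint64_t)gen << 32) | idx;
}

/* Register a request; returns 0 if the table is full. */
uint64_t request_register(request_t *req) {
    for (uint32_t i = 0; i < MAX_REQUESTS; i++) {
        if (g_slots[i].req == NULL) {
            if (g_slots[i].generation == 0) g_slots[i].generation = 1;
            g_slots[i].req = req;
            return make_id(i, g_slots[i].generation);
        }
    }
    return 0;
}

/* Resolve an id; NULL means expired/completed (or never valid). */
request_t *request_lookup(uint64_t id) {
    uint32_t idx = (uint32_t)(id & 0xffffffffu);
    uint32_t gen = (uint32_t)(id >> 32);
    if (idx >= MAX_REQUESTS || gen == 0) return NULL;
    slot_t *s = &g_slots[idx];
    if (s->req == NULL || s->generation != gen) return NULL;
    return s->req;
}

/* Mark a request complete: free the slot and bump the generation so every
 * id handed out for it stops resolving. */
void request_complete(uint64_t id) {
    if (request_lookup(id) == NULL) return;
    uint32_t idx = (uint32_t)(id & 0xffffffffu);
    g_slots[idx].req = NULL;
    g_slots[idx].generation++;
    if (g_slots[idx].generation == 0) g_slots[idx].generation = 1;
}

/* What a JS-exposed getter would do: resolve by id on every call, never by a
 * cached pointer, and report absence instead of reading freed memory. */
const char *request_path_by_id(uint64_t id) {
    request_t *r = request_lookup(id);
    return r ? r->path : NULL;
}

int main(void) {
    request_t req = { "GET", "/index.html" };
    uint64_t id = request_register(&req);
    printf("path: %s\n", request_path_by_id(id));
    request_complete(id);
    printf("after complete: %s\n", request_path_by_id(id) ? "live" : "expired");
    return 0;
}
```

The getter pattern is the important part: every property access a script can reach goes through request_lookup, so a stale handle yields an exception or undefined rather than a dangling dereference. Packing the id into a void * via uintptr_t only round-trips losslessly when pointers are 64 bits wide; on a 32-bit target the id would need to be narrowed (smaller index and generation fields) or stored in a heap-allocated opaque struct instead.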