[vulnerability][acl] ACL is skipped for globals defined via defineProperty() and alike

[t2ym]

[vulnerability][acl] ACL is skipped for globals defined via defineProperty() and alike

Root Causes

• Detected object name for the global object is checked against strings "self" and "window" although name is a Set instance for {"window"}
• Extended global objects like Object.create(window) are not identified as global namespace objects

Reproducible Code

Object.assign(window, { Class: class Class {} });
new Class();

Object.defineProperty(window, 'DefinePropertyGlobalClass', 
{ value: class DefinePropertyGlobalClass {} });
new DefinePropertyGlobalClass();

let C = class DefinePropertyGetterGlobalClass {};
Object.defineProperty(window, 'DefinePropertyGetterGlobalClass', 
{ get: function () { return C; } });
new DefinePropertyGetterGlobalClass();

Object.defineProperty(window, 'DefinePropertyGetterVolatileGlobalClass', 
{ get: function () { return class DefinePropertyGetterVolatileGlobalClass { }; } });
new DefinePropertyGetterVolatileGlobalClass();

Object.defineProperty(window, 'DefinePropertyGetterReflectGetGlobalClass',
{ get: function () { return class DefinePropertyGetterReflectGetGlobalClass { }; } });
new (Reflect.get(window, 'DefinePropertyGetterReflectGetGlobalClass'))();

Object.defineProperty(window, 'DefinePropertyGetterReflectGetExtendedGlobalClass',
{ get: function () { return class DefinePropertyGetterReflectGetExtendedGlobalClass { }; }});
new (Reflect.get(Object.create(window),
'DefinePropertyGetterReflectGetExtendedGlobalClass'))();

Object.defineProperty(window, 'DefinePropertyGetterReflectGetExtendedGlobalClassWithReceiver', 
{ get: function () { return class DefinePropertyGetterReflectGetExtendedGlobalClassWithReceiver { }; }});
new (Reflect.get(Object.create(window), 'DefinePropertyGetterReflectGetExtendedGlobalClassWithReceiver', window))();

Object.defineProperties(window, { 'DefinePropertiesGlobalClass': { value: class DefinePropertiesGlobalClass {} } });
new DefinePropertiesGlobalClass();

let C2 = class DefinePropertiesGetterGlobalClass { };
Object.defineProperties(window, { 'DefinePropertiesGetterGlobalClass': 
{ get: function () { return C2; }} });
new DefinePropertiesGetterGlobalClass();

Object.defineProperties(window, { 'DefinePropertiesGetterVolatileGlobalClass': 
{ get: function () { return class DefinePropertiesGetterVolatileGlobalClass { }; } } });
new DefinePropertiesGetterVolatileGlobalClass();

Reflect.set(window, 'ReflectSetGlobalClass', class ReflectSetGlobalClass {});
new ReflectSetGlobalClass();

Fix Summary

• Check whether normalizedThisArg === _global instead of switch (name) { case 'window' }
• Check whether normalizedThisArg instanceof _global.constructor for Reflect.get(Object.create(window), 'prop'
• Check whether receiver === _global for Reflect.get(Object.create(window),'prop',window)
• Store the name of the global variable in trackResultAsGlobal for window.prop and Reflect.get(window, 'prop')
  • The initial value of trackResultAsGlobal is set as S_GLOBAL Symbol to mean the value is not set
• targetNormalizer for Reflect.get() is changed from 'r01' to r01v so that the operation can be detected as potential global variable access

Notes

• In accessing global functions/classes, the target objects are first read and then invoked
• Getter functions can return an object with unique identity for each call via a class expression