Throw TypeError when reading global references through a JSProxy

Allowing global references to be read through a proxy results in cross-origin information leaks. The ES6 spec currently does not mitigate this in any way. This CL adds a workaround that's easy for V8: throw whenever an unresolved reference would result in a proxy trap to be fired. I'm landing this so we can move forwards with staging proxies without putting users of --harmony at risk. BUG=chromium:399951 LOG=n Review URL: https://codereview.chromium.org/1529303003 Cr-Commit-Position: refs/heads/master@{#32949}
2015-12-17 06:37:16 -08:00 · 2015-12-17 06:37:16 -08:00 · 01b8e7c7f6
commit 01b8e7c7f6
parent 879b21a43a
3 changed files with 22 additions and 0 deletions
--- a/src/messages.h
+++ b/src/messages.h
@ -269,6 +269,7 @@ class CallSite {
  T(ProxyTrapReturnedFalsish, "'%' on proxy: trap returned falsish")           \
  T(ProxyTrapReturnedFalsishFor,                                               \
    "'%' on proxy: trap returned falsish for property '%'")                    \
+  T(ReadGlobalReferenceThroughProxy, "Trying to access '%' through proxy")     \
  T(RedefineDisallowed, "Cannot redefine property: %")                         \
  T(RedefineExternalArray,                                                     \
    "Cannot redefine a property of an object with external array elements")    \
--- a/src/objects.cc
+++ b/src/objects.cc
@ -828,6 +828,13 @@ MaybeHandle<Object> JSProxy::GetProperty(Isolate* isolate,
                                         Handle<Name> name,
                                         Handle<Object> receiver,
                                         LanguageMode language_mode) {
+  if (receiver->IsJSGlobalObject()) {
+    THROW_NEW_ERROR(
+        isolate,
+        NewTypeError(MessageTemplate::kReadGlobalReferenceThroughProxy, name),
+        Object);
+  }
+
  STACK_CHECK(MaybeHandle<Object>());
  Handle<Name> trap_name = isolate->factory()->get_string();
  // 1. Assert: IsPropertyKey(P) is true.
--- a/test/mjsunit/harmony/proxies-global-reference.js
+++ b/test/mjsunit/harmony/proxies-global-reference.js
@ -0,0 +1,14 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-proxies
+
+var failing_proxy = new Proxy({}, new Proxy({}, {
+  get() { throw "No trap should fire" }}));
+
+Object.setPrototypeOf(Object.prototype, failing_proxy);
+assertThrows(()=>a, TypeError);
+
+Object.setPrototypeOf(this, failing_proxy);
+assertThrows(()=>a, TypeError);