From 01b8e7c7f62fe0fc74552c7d3909777fa50b3447 Mon Sep 17 00:00:00 2001
From: verwaest
Date: Thu, 17 Dec 2015 06:37:16 -0800
Subject: [PATCH] Throw TypeError when reading global references through a JSProxy

Allowing global references to be read through a proxy results in cross-origin information leaks. The ES6 spec currently does not mitigate this in any way. This CL adds a workaround that's easy for V8: throw whenever an unresolved reference would result in a proxy trap to be fired. I'm landing this so we can move forwards with staging proxies without putting users of --harmony at risk.
BUG=chromium:399951
LOG=n
Review URL: https://codereview.chromium.org/1529303003
Cr-Commit-Position: refs/heads/master@{#32949}
---
 src/messages.h | 1 +
 src/objects.cc | 7 +++++++
 test/mjsunit/harmony/proxies-global-reference.js | 14 ++++++++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 test/mjsunit/harmony/proxies-global-reference.js

diff --git a/src/messages.h b/src/messages.h
index 5032980895..aea303862f 100644
--- a/src/messages.h
+++ b/src/messages.h
@@ -269,6 +269,7 @@ class CallSite {
 T(ProxyTrapReturnedFalsish, "'%' on proxy: trap returned falsish") \
 T(ProxyTrapReturnedFalsishFor, \
 "'%' on proxy: trap returned falsish for property '%'") \
+ T(ReadGlobalReferenceThroughProxy, "Trying to access '%' through proxy") \
 T(RedefineDisallowed, "Cannot redefine property: %") \
 T(RedefineExternalArray, \
 "Cannot redefine a property of an object with external array elements") \
diff --git a/src/objects.cc b/src/objects.cc
index 732477cd81..431559d4f3 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -828,6 +828,13 @@ MaybeHandle JSProxy::GetProperty(Isolate* isolate,
 Handle name,
 Handle receiver,
 LanguageMode language_mode) {
+ if (receiver->IsJSGlobalObject()) {
+ THROW_NEW_ERROR(
+ isolate,
+ NewTypeError(MessageTemplate::kReadGlobalReferenceThroughProxy, name),
+ Object);
+ }
+
 STACK_CHECK(MaybeHandle());
 Handle trap_name = isolate->factory()->get_string();
 // 1. Assert: IsPropertyKey(P) is true.
diff --git a/test/mjsunit/harmony/proxies-global-reference.js b/test/mjsunit/harmony/proxies-global-reference.js
new file mode 100644
index 0000000000..1b77e66fdf
--- /dev/null
+++ b/test/mjsunit/harmony/proxies-global-reference.js
@@ -0,0 +1,14 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-proxies
+
+var failing_proxy = new Proxy({}, new Proxy({}, {
+ get() { throw "No trap should fire" }}));
+
+Object.setPrototypeOf(Object.prototype, failing_proxy);
+assertThrows(()=>a, TypeError);
+
+Object.setPrototypeOf(this, failing_proxy);
+assertThrows(()=>a, TypeError);
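Review bot: The new guard at the top of JSProxy::GetProperty carries no comment saying why it deliberately deviates from the ES6 [[Get]] algorithm, which makes it an easy casualty of a later spec-conformance cleanup even though the reason is security-critical; add above the `if`: `// Deliberate spec deviation: a proxy on the global object's prototype chain must never see a trap for an unresolved global reference, since the trap would leak identifier names across origins (chromium:399951).` The check also fires for any [[Get]] whose receiver is the global object, presumably including explicit reads such as `this.foo` through a proxy on the global's chain, which is broader than the "unresolved reference" scope the description gives, so the comment should state that scope. Whether identifier resolution also performs a [[HasProperty]] on the global before the read is not visible here; if it does, JSProxy::HasProperty would need the same guard, otherwise the `has` trap still observes the name. The remainder of GetProperty continues outside the hunk.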
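Review bot: The second assertThrows is not an independent check of the `Object.setPrototypeOf(this, failing_proxy)` path, because the first case has already left failing_proxy on Object.prototype's chain, which a lookup of `a` from the global object still reaches; the second case would therefore pass even if the guard ignored a proxy that is the global's direct prototype. Put it in its own file, or restore Object.prototype's prototype before the second setup. Nothing in the file shows that an ordinary proxy still traps, so a regression that throws for every proxy [[Get]] would go unnoticed; one line such as `assertEquals(1, new Proxy({}, { get() { return 1; } }).a);` pins that the guard is limited to the global receiver.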