UNPKG

ses

Version:

Hardened JavaScript for Fearless Cooperation

github.com/Agoric/SES-shim/tree/master/packages/ses

endojs/endo

137 lines (125 loc) 4.6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
import { FERAL_FUNCTION, SyntaxError, TypeError, defineProperties, getPrototypeOf, setPrototypeOf, freeze, } from './commons.js'; // This module replaces the original `Function` constructor, and the original // `%GeneratorFunction%`, `%AsyncFunction%` and `%AsyncGeneratorFunction%`, // with safe replacements that throw if invoked. // // These are all reachable via syntax, so it isn't sufficient to just // replace global properties with safe versions. Our main goal is to prevent // access to the `Function` constructor through these starting points. // // After modules block is done, the originals must no longer be reachable, // unless a copy has been made, and functions can only be created by syntax // (using eval) or by invoking a previously saved reference to the originals. // // Typically, this module will not be used directly, but via the // [lockdown - shim] which handles all necessary repairs and taming in SES. // // Relation to ECMA specifications // // The taming of constructors really wants to be part of the standard, because // new constructors may be added in the future, reachable from syntax, and this // list must be updated to match. // // In addition, the standard needs to define four new intrinsics for the safe // replacement functions. See [./permits-intrinsics.js]. // // Adapted from SES/Caja // Copyright (C) 2011 Google Inc. // https://github.com/google/caja/blob/master/src/com/google/caja/ses/startSES.js // https://github.com/google/caja/blob/master/src/com/google/caja/ses/repairES5.js /** * tameFunctionConstructors() * This block replaces the original Function constructor, and the original * %GeneratorFunction% %AsyncFunction% and %AsyncGeneratorFunction%, with * safe replacements that throw if invoked. */ export default function tameFunctionConstructors() { try { // Verify that the method is not callable. // eslint-disable-next-line @endo/no-polymorphic-call FERAL_FUNCTION.prototype.constructor('return 1'); } catch (ignore) { // Throws, no need to patch. return freeze({}); } const newIntrinsics = {}; /* * The process to repair constructors: * 1. Create an instance of the function by evaluating syntax * 2. Obtain the prototype from the instance * 3. Create a substitute tamed constructor * 4. Replace the original constructor with the tamed constructor * 5. Replace tamed constructor prototype property with the original one * 6. Replace its [[Prototype]] slot with the tamed constructor of Function */ function repairFunction(name, intrinsicName, declaration) { let FunctionInstance; try { // eslint-disable-next-line no-eval, no-restricted-globals FunctionInstance = (0, eval)(declaration); } catch (e) { if (e instanceof SyntaxError) { // Prevent failure on platforms where async and/or generators // are not supported. return; } // Re-throw throw e; } const FunctionPrototype = getPrototypeOf(FunctionInstance); // Prevents the evaluation of source when calling constructor on the // prototype of functions. // eslint-disable-next-line func-names const InertConstructor = function () { throw TypeError( 'Function.prototype.constructor is not a valid constructor.', ); }; defineProperties(InertConstructor, { prototype: { value: FunctionPrototype }, name: { value: name, writable: false, enumerable: false, configurable: true, }, }); defineProperties(FunctionPrototype, { constructor: { value: InertConstructor }, }); // Reconstructs the inheritance among the new tamed constructors // to mirror the original specified in normal JS. if (InertConstructor !== FERAL_FUNCTION.prototype.constructor) { setPrototypeOf(InertConstructor, FERAL_FUNCTION.prototype.constructor); } newIntrinsics[intrinsicName] = InertConstructor; } // Here, the order of operation is important: Function needs to be repaired // first since the other repaired constructors need to inherit from the // tamed Function function constructor. repairFunction('Function', '%InertFunction%', '(function(){})'); repairFunction( 'GeneratorFunction', '%InertGeneratorFunction%', '(function*(){})', ); repairFunction( 'AsyncFunction', '%InertAsyncFunction%', '(async function(){})', ); repairFunction( 'AsyncGeneratorFunction', '%InertAsyncGeneratorFunction%', '(async function*(){})', ); return newIntrinsics; }