Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Investigate ability to tolerate Function constructor permissiveness #665

Closed
erights opened this issue Apr 12, 2021 · 1 comment · Fixed by #667
Closed

Investigate ability to tolerate Function constructor permissiveness #665

erights opened this issue Apr 12, 2021 · 1 comment · Fixed by #667
Assignees
@erights

Comments

@erights
Copy link
Contributor

erights commented Apr 12, 2021

No description provided.

@erights erights self-assigned this Apr 12, 2021
@erights
Copy link
Contributor Author

erights commented Apr 13, 2021

The following check would be fooled by the Function constructor permissiveness being considered.

endo/packages/ses/src/make-function-constructor.js

Lines 29 to 35 in e9199f4

// Are parameters and bodyText valid code, or is someone
// attempting an injection attack? This will throw a SyntaxError if:
// - parameters doesn't parse as parameters
// - bodyText doesn't parse as a function body
// - either contain a call to super() or references a super property.
// eslint-disable-next-line no-new
new FERAL_FUNCTION(parameters, bodyText);

However, it could easily be changed to not be vulnerable, by making two calls to FERAL_FUNCTION instead of one

new FERAL_FUNCTION(parameters, '');
new FERAL_FUNCTION(bodyText);

Attn @phoddie @kriskowal @dckc @bakkot

@dckc dckc mentioned this issue Apr 14, 2021
Closed
@erights erights mentioned this issue Apr 14, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@erights erights

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: workaround remaining validation bug endojs/endo
1 participant
@erights