Closed Bug 236117 Opened 20 years ago Closed 20 years ago

Context sealing API for Rhino

Categories

(Rhino Graveyard :: Core, defect)

Product:
Rhino Graveyard
Component:
Core
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: igor, Assigned: igor)

Details

Attachments

(1 file, 1 obsolete file)

Patch without unrelated code
52.19 KB, patch
Details | Diff | Splinter Review 
Since changing Context parameters can significantly alter script execution, I
suggest to add to Context a new API to seal Context instance so any future
attempt to change its parameters would throw an exception.

It would not only prevent bugs in applications but also allow to prevent
security breaches as currently Rhino has no protection against combined attack
of untrusted Java and JavaScript code. For example, low-privileges jar executed
as a part of untrusted script can call Context.exit/Context.enter to create
Context without security controller and use to produce interpreted scripts
having the same privileges as Rhino code.
Targeting 1.5R5
Target Milestone: --- → 1.5R5
Attached patch Sealing implementation (obsolete) — Splinter Review 
The essential part of the patch is the following API:

    /**
     * Checks if this is a sealed Context. A sealed Context instance does not
     * allow to modify any of its properties and will throw an exception
     * on any such attempt.
     * @see #seal(Object sealKey)
     */
    public final boolean isSealed()
    {
	return sealed;
    }

    /**
     * Seal this Context object so any attempt to modify any of its properties
     * including calling {@link #enter()} and {@link #exit()} methods will
     * throw an exception.
     * <p>
     * If <tt>sealKey<tt> is not null, calling
     * {@link #unseal(Object sealKey)} with the same key unseals
     * the object. If <tt>sealKey<tt> is null, unsealing is no longer possible.

     *
     * @see #isSealed()
     * @see #unseal(Object)
     */
    public final void seal(Object sealKey)
    {
	if (sealed) onSealedMutation();
	sealed = true;
	this.sealKey = sealKey;
    }

    /**
     * Unseal previously sealed Context object.
     * The <tt>sealKey<tt> argument should not be null and should match
     * <tt>sealKey<tt> suplied with the last call to
     * {@link #seal(Object)} or an exception will be thrown.
     *
     * @see #isSealed()
     * @see #seal(Object sealKey)
     */
    public final void unseal(Object sealKey)
    {
	if (sealKey == null) throw new IllegalArgumentException();
	if (this.sealKey != sealKey) throw new IllegalArgumentException();
	if (!sealed) throw new IllegalStateException();
	sealed = false;
	this.sealKey = null;
    }

with intendent usage like:

private Object sealKey = new Object();

Context cx = new Context();
customize(cx);
cx = Context.enter(cx);
cx.seal(sealKey);
try {
...
} finally {
    cx.unseal(sealKey);
    Context.exit();
}

Now any attempt to call Context.enter/exit or modify Context parameters would
fail unless sealKey is known so the trusted code still can call:

cx.unseal(sealKey);
try {
    cx.setOptimizationLevel(9);
} finally {
    cx.seal(sealKey);
}

Another part of the patch is to make most of the read methods in Context final
as additional protection against "tailored" Context objects.
The patch from attachment 142684 [details] [diff] [review] is not compilable and included unrelated code
for bug 236193. This is a proper version.

I also forgot to document another patch feature: new method
Context.disableStaticContextListening() :


    /**
     * Disable notifications of listeners registered with
     * {@link #addContextListener(ContextListener)} about Context events.
     * All currently registered listeners will be removed and any subsequent
     * call to {@link #addContextListener(ContextListener)} will throw an
     * exception.
     * <p>
     * Embedding may use this method to prevent Context exposure to potentially

     * untrusted code.
     */
    public static void disableStaticContextListening()
    {
	synchronized (staticListenersLock) {
	    disabledContextListening = true;
	    staticListeners = null;
	}
    }

Although Context.addContextListener is a convinient method, as any method
operating on static data it can be exploited if an application allows to run
untrusted jars and using Rhino for internal purposes. In such cases the
application may be willing to drop convinience of Context.addContextListener
for a better porotection againt hosile code.
Attachment #142684 - Attachment is obsolete: true
I committed the last patch
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: