Closed
Bug 1390701
Opened 7 years ago
Closed 7 years ago
The console should not consider system principal proxy objects to be safe
Categories
(DevTools :: Console, enhancement, P3)
DevTools
Console
Tracking
(firefox57 fixed)
RESOLVED
FIXED
Firefox 57
Tracking | Status | |
---|---|---|
firefox57 | --- | fixed |
People
(Reporter: Oriol, Assigned: Oriol)
Details
Attachments
(1 file)
3.18 KB,
patch
|
jimb
:
review+
|
Details | Diff | Splinter Review |
The console considers system principal objects to be safe even when not wrapped in Xrays. But this is bad if they are a proxy or contain a proxy in their prototype chain, because various traps may run. Example: var global = Components.utils.Sandbox(null); var traps = global.eval(`var traps = {}; traps;`); var proxy = global.eval(` new Proxy({a:1}, new Proxy({}, {get: (_, trap) => { traps[trap] = (traps[trap] || 0) + 1; }})); `); requestAnimationFrame(() => console.log("Trap count: ", traps)); Object.create(Cu.waiveXrays(proxy));
Updated•7 years ago
|
Priority: -- → P3
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → oriol-bugzilla
Status: NEW → ASSIGNED
Assignee | ||
Comment 1•7 years ago
|
||
Attachment #8900713 -
Flags: review?(bgrinstead)
Assignee | ||
Comment 2•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=870db2ede0217427a06eef5c1b64bc75abcf0f17
Comment 3•7 years ago
|
||
Comment on attachment 8900713 [details] [diff] [review] isSafeJSObject-proxy.patch Review of attachment 8900713 [details] [diff] [review]: ----------------------------------------------------------------- Forwarding to Jim
Attachment #8900713 -
Flags: review?(bgrinstead) → review?(jimb)
Comment 4•7 years ago
|
||
Comment on attachment 8900713 [details] [diff] [review] isSafeJSObject-proxy.patch Review of attachment 8900713 [details] [diff] [review]: ----------------------------------------------------------------- ::: devtools/server/tests/unit/test_objectgrips-17.js @@ +44,5 @@ > const [,, threadClient] = await attachTestTabAndResume(gClient, title); > gThreadClient = threadClient; > > + // Test objects created in the debuggee. > + await testPrincipal(undefined, false); If I remember the other patch correctly, the calls to test_principal check both proxy objects and objects with proxies on their prototype chain, so this exercises the recursive path in isSafeJSObject, correct?
Attachment #8900713 -
Flags: review?(jimb) → review+
Assignee | ||
Comment 5•7 years ago
|
||
(In reply to Jim Blandy :jimb from comment #4) > If I remember the other patch correctly, the calls to test_principal check > both proxy objects and objects with proxies on their prototype chain, so > this exercises the recursive path in isSafeJSObject, correct? Yes, exactly. The problem was that, when creating a non-proxy grip, things like `rawObj instanceof Ci.nsIDOMCSSMediaRule` are used to determine what kind of object `rawObj` is. But this ran proxy traps if there was a proxy in the prototype chain. Treating `rawObj` as unsafe prevents this, and the test ensures that no trap runs.
Assignee | ||
Comment 6•7 years ago
|
||
For some reason the try tests on OS X don't run, but this shouldn't be OS-dependent so I guess it's OK.
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/aa18594d4f60 Let devtools consider system principal proxy objects to be unsafe. r=jimb
Keywords: checkin-needed
Comment 8•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/aa18594d4f60
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 57
Updated•6 years ago
|
Product: Firefox → DevTools
You need to log in
before you can comment on or make changes to this bug.
Description
•