Closed Bug 1390701 Opened 7 years ago Closed 7 years ago

The console should not consider system principal proxy objects to be safe

Categories

(DevTools :: Console, enhancement, P3)

Product:
DevTools
Component:
Console
Type:
enhancement

Tracking

(firefox57 fixed)

Status:
RESOLVED FIXED
Milestone:
Firefox 57
Tracking Flags:
Tracking Status
firefox57 --- fixed

People

(Reporter: Oriol, Assigned: Oriol)

Details

Attachments

(1 file)

isSafeJSObject-proxy.patch
3.18 KB, patch
jimb
: review+
Details | Diff | Splinter Review 
The console considers system principal objects to be safe even when not wrapped in Xrays. But this is bad if they are a proxy or contain a proxy in their prototype chain, because various traps may run.

Example:

    var global = Components.utils.Sandbox(null);
    var traps = global.eval(`var traps = {}; traps;`);
    var proxy = global.eval(`
      new Proxy({a:1}, new Proxy({}, {get: (_, trap) => {
        traps[trap] = (traps[trap] || 0) + 1;
      }}));
    `);
    requestAnimationFrame(() => console.log("Trap count: ", traps));
    Object.create(Cu.waiveXrays(proxy));
Priority: -- → P3
Assignee: nobody → oriol-bugzilla
Status: NEW → ASSIGNED

        Attachment #8900713 -
        Flags: review?(bgrinstead)

    
    

    
  
Comment on attachment 8900713 [details] [diff] [review]
isSafeJSObject-proxy.patch

Review of attachment 8900713 [details] [diff] [review]:
-----------------------------------------------------------------

Forwarding to Jim

        Attachment #8900713 -
        Flags: review?(bgrinstead) → review?(jimb)

    
    

    
  
Comment on attachment 8900713 [details] [diff] [review]
isSafeJSObject-proxy.patch

Review of attachment 8900713 [details] [diff] [review]:
-----------------------------------------------------------------

::: devtools/server/tests/unit/test_objectgrips-17.js
@@ +44,5 @@
>    const [,, threadClient] = await attachTestTabAndResume(gClient, title);
>    gThreadClient = threadClient;
>  
> +  // Test objects created in the debuggee.
> +  await testPrincipal(undefined, false);

If I remember the other patch correctly, the calls to test_principal check both proxy objects and objects with proxies on their prototype chain, so this exercises the recursive path in isSafeJSObject, correct?

        Attachment #8900713 -
        Flags: review?(jimb) → review+

    
    

    
  
(In reply to Jim Blandy :jimb from comment #4)
> If I remember the other patch correctly, the calls to test_principal check
> both proxy objects and objects with proxies on their prototype chain, so
> this exercises the recursive path in isSafeJSObject, correct?

Yes, exactly. The problem was that, when creating a non-proxy grip, things like `rawObj instanceof Ci.nsIDOMCSSMediaRule` are used to determine what kind of object `rawObj` is. But this ran proxy traps if there was a proxy in the prototype chain. Treating `rawObj` as unsafe prevents this, and the test ensures that no trap runs.

    
    

    
  
For some reason the try tests on OS X don't run, but this shouldn't be OS-dependent so I guess it's OK.
Keywords: checkin-needed

    
    

    
  
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/aa18594d4f60
Let devtools consider system principal proxy objects to be unsafe. r=jimb
Keywords: checkin-needed

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/aa18594d4f60
Status: ASSIGNED → RESOLVED
Closed: 7 years ago

          status-firefox57:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 57

    
  
Product: Firefox → DevTools

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: