Usage of `new Function` in third-party library lodash.js
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: jallmann, Assigned: jdescottes)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(2 files)
All eval()-like functions (eval(), new Function(), setTimeout("")) are being removed from code running with system privileges, see Bug 1473549. An assertion is active to enforce this.
There are two occurences of new Function in lodash.sh that require the file to be whitelisted for this assertion. In order to clear lodash.sh from the whitelist, new Function needs to be removed or refactored.
new Function to get the global object:
https://searchfox.org/mozilla-central/source/devtools/client/shared/vendor/lodash.js#423
new Function in template() function:
https://searchfox.org/mozilla-central/source/devtools/client/shared/vendor/lodash.js#14843
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 1•5 years ago
|
||
Depends on D38515
The template() helper seems not used in devtools so I removed it here.
If we could generate a bundle of lodash without this method fromt he start that would be great.
|
|
Assignee | |
Comment 2•5 years ago
|
||
Depends on D38516
Pushed by jdescottes@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d40627b89663 Remove new Function usage in lodash r=jlast https://hg.mozilla.org/integration/autoland/rev/a110102915af Remove lodash.js from nsContentSecurityManager whitelist r=ckerschb
|
||
Comment 4•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/d40627b89663
https://hg.mozilla.org/mozilla-central/rev/a110102915af
Description
•