1550485 - Usage of `new Function()` in third-party library redux.js

Status: RESOLVED FIXED

(Core :: DOM: Security, enhancement, P3)

Description

[Jonas Allmann [:jallmann]]

All eval()-like functions (eval(), new Function(), setTimeout("")) are being removed from code running with system privileges, see Bug 1473549. An assertion is active to enforce this.

There are two occurences of new Function() in redux.js that require the file to be whitelisted for this assertion. In order to clear redux.js from the whitelist, new Function() needs to be removed or refactored. In both cases, new Function()is used to get the global object. This can poissibly be avoided by just removing the code like it was done in reudx.jsm, see Bug 1486375.

Get global object:
https://searchfox.org/mozilla-central/source/devtools/client/shared/vendor/redux.js#18

Get global object:
https://searchfox.org/mozilla-central/source/devtools/client/shared/vendor/redux.js#242

Comment 1

[Julian Descottes [:jdescottes]]

Attachment: Bug 1550485 - Remove usage of new Function in redux.js

Depends on D38513

Comment 2

[Julian Descottes [:jdescottes]]

Attachment: Bug 1550485 - Remove redux.js from nsContentSecurityManager whitlelist

Depends on D38514

Comment 3

[Pulsebot]

Pushed by jdescottes@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/dbe62a4f2b41
Remove usage of new Function in redux.js r=nchevobbe
https://hg.mozilla.org/integration/autoland/rev/c48fcf3a6532
Remove redux.js from nsContentSecurityManager whitlelist r=ckerschb

Comment 4

[Daniel Varga [:dvarga]]

https://hg.mozilla.org/mozilla-central/rev/dbe62a4f2b41
https://hg.mozilla.org/mozilla-central/rev/c48fcf3a6532