globalThis does not appear in property names of window until specifically referenced
Categories
(Core :: JavaScript Engine, defect, P1)
People
(Reporter: cbhacking+bugzilla, Assigned: jorendorff)
(Keywords: csectype-other, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main68+])
Attachments
(1 file)
47 bytes, text/x-phabricator-request | jcristau: approval-mozilla-beta+
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Steps to reproduce:
- Open or refresh a page that does not reference globalThis in its scripts
- Open developer console and enter the following:
- Object.getOwnPropertyNames(window)
- Object.getOwnPropertyNames(window).indexOf('globalThis')
- window.globalThis // alternatively, simply reference globalThis
- Object.getOwnPropertyNames(window)
- Object.getOwnPropertyNames(window).indexOf('globalThis')
Actual results:
- <- Array(909) [ "undefined", "InternalError", "EvalError", "RangeError", "ReferenceError", "SyntaxError", "TypeError", "URIError", "ArrayBuffer", "Int8Array", … ]
- <- -1
- <- Window https://bugzilla.mozilla.org/enter_bug.cgi#h=bugForm%7CFirefox
- <- Array(910) [ "undefined", "InternalError", "EvalError", "RangeError", "ReferenceError", "SyntaxError", "TypeError", "URIError", "ArrayBuffer", "Int8Array", … ]
- <- 909
Expected results:
The result of lines 2 and 3 should have matched lines 5 and 6. The array of returned property names should not have grown when globalThis was first referenced, because it should already have been present. It appears that the globalThis item is added to the very end of the property names as soon as it is referenced, but is not present before then.
This is marked as a security bug because it can potentially be used to bypass JavaScript sandboxes (such as Salesforce's Locker Service) where being able to control access to the global scope is important.
A script that uses Object.getOwnPropertyNames(window) to create a proxy object (which is then frozen) for use in a with() block should be able to prevent untrusted script executing within that block (if it's also within an immediately-invoked anonymous function and in strict mode) from accessing the global scope. However, if that sandboxing script doesn't explicitly reference globalThis beforehand, or explicitly attach it to its proxy object, then the untrusted script will be able to access the global scope anyhow.
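As an added example (not code from the bug report or from Firefox), the following builds the kind of with()-block scope shield the report describes from a list of global property names and checks whether globalThis still reaches the real global object; BUGGY_NAMES and MUST_COVER are constructed for illustration.

```javascript
// Added example, not from the bug report or from Firefox: a with()-block
// "scope shield" built from a name list, plus the self-check such a sandbox
// should run so a lazily resolved global like globalThis cannot slip through.
// BUGGY_NAMES and MUST_COVER are constructed for illustration.

// Every name in `names` is claimed by the `has` trap, so an identifier lookup
// inside `with (shield) { ... }` stops at the shield (and reads undefined)
// instead of reaching the real global object. Names NOT in the list fall
// through to the outer scope, which is exactly what the bug exposed.
function buildScopeShield(names) {
  const blocked = new Set(names);
  // Target must stay extensible: a Proxy may not report a key as present on a
  // non-extensible target that lacks it.
  return new Proxy(Object.create(null), {
    has: (_target, key) => blocked.has(key),
    get: () => undefined,
  });
}

// Evaluate an untrusted expression inside the shield. Function bodies are
// sloppy-mode, so `with` is legal however this file itself is loaded.
function evalInShield(shield, expression) {
  const run = new Function('shield', 'with (shield) { return (' + expression + '); }');
  return run(shield);
}

// True if `globalThis` inside the shield still resolves to the real global.
function shieldLeaksGlobal(names) {
  return evalInShield(buildScopeShield(names), 'globalThis') === globalThis;
}

// Aliases of the global object the shield must always cover, whether or not
// the engine has enumerated them yet (the report's point about globalThis).
const MUST_COVER = ['globalThis', 'self', 'window', 'frames', 'top', 'parent'];

// Names from MUST_COVER absent from an enumerated list (non-empty = unsafe).
function missingCoverage(names) {
  const have = new Set(names);
  return MUST_COVER.filter((n) => !have.has(n));
}

// Union the engine's enumeration with MUST_COVER before building the shield.
function hardenedNames(names) {
  return [...new Set([...names, ...MUST_COVER])];
}

// Constructed stand-in for the pre-fix enumeration: 'globalThis' is missing.
const BUGGY_NAMES = ['undefined', 'Object', 'Array', 'Function', 'eval'];
```

Running missingCoverage over Object.getOwnPropertyNames(globalThis) at sandbox setup would have flagged the affected Firefox builds, and hardenedNames closes the gap regardless of what the engine enumerates.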
Comment 1•5 years ago
globalThis is handled specially in JS_ResolveStandardClass,
JS_MayResolveStandardClass, and various other places, but not in
JS_NewEnumerateStandardClasses.
Comment 2•5 years ago
Comment on attachment 9066513 [details]
Bug 1552632 - Resolve globalThis when querying all properties of the global object. r?jandem
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not super hard. The difficulty for an attacker lies in matching the bug with a suitable target.
This bug doesn't get you remote code execution, or saved passwords for arbitrary web sites. Rather, if you know a web site that (a) runs untrusted code same-window with secrets you want to steal, and (b) sandboxes the untrusted code, in part, by freezing or deleting stuff in the JS environment, then this bug might prevent the freezing/deleting from working properly.
You'd have to understand the web site's security model quite well to come looking for this Firefox bug.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: Firefox 65 and later
- If not all supported branches, which bug introduced the flaw?: Bug 1317422
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Easy and low risk.
- How likely is this patch to cause regressions; how much testing does it need?: Regressions are unlikely. The patch includes a sufficient test.
Comment 3•5 years ago
Comment on attachment 9066513 [details]
Bug 1552632 - Resolve globalThis when querying all properties of the global object. r?jandem
As a sec-moderate, this doesn't need sec-approval to go in and looks pretty safe for us anyway. We should get this on Beta as well.
From your comments, ESR60 is unaffected.
Comment 4•5 years ago
https://hg.mozilla.org/integration/autoland/rev/fb1fcbfac02aab29cc3eca98502da6ad15eefef8
https://hg.mozilla.org/mozilla-central/rev/fb1fcbfac02a
Patch applies cleanly on beta.
Comment 5•5 years ago
Please nominate this for Beta approval when you get a chance.
Comment 6•5 years ago
Comment on attachment 9066513 [details]
Bug 1552632 - Resolve globalThis when querying all properties of the global object. r?jandem
Beta/Release Uplift Approval Request
- User impact if declined: Chance of XSS vulnerability on some web sites
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small obvious patch.
- String changes made/needed: none
Comment 7•5 years ago
Comment on attachment 9066513 [details]
Bug 1552632 - Resolve globalThis when querying all properties of the global object. r?jandem
js sec fix, approved for 68.0b7
Comment 8•5 years ago
uplift
Comment 9•5 years ago
Verified as fixed on Firefox Nightly 69.0a1 (2019-06-23) and on Firefox 68.0b12 on Windows 10 x64, Mac OS X 10.14 and on Ubuntu 18.04 x64.