Closed Bug 1552632 (CVE-2019-11716) Opened 2 years ago Closed 2 years ago

globalThis does not appear in property names of window until specifically referenced

Categories

(Core :: JavaScript Engine, defect, P1)

66 Branch
x86_64
Windows
defect

Tracking


VERIFIED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- wontfix
firefox68 + verified
firefox69 + verified

People

(Reporter: cbhacking+bugzilla, Assigned: jorendorff)

Details

(Keywords: csectype-other, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main68+])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

  1. Open or refresh a page that does not reference globalThis in its scripts
  2. Open developer console and enter the following:
  3. Object.getOwnPropertyNames(window)
  4. Object.getOwnPropertyNames(window).indexOf('globalThis')
  5. window.globalThis // alternatively, simply reference globalThis
  6. Object.getOwnPropertyNames(window)
  7. Object.getOwnPropertyNames(window).indexOf('globalThis')

Actual results:

  1. <- Array(909) [ "undefined", "InternalError", "EvalError", "RangeError", "ReferenceError", "SyntaxError", "TypeError", "URIError", "ArrayBuffer", "Int8Array", … ]
  2. <- -1
  3. <- Window https://bugzilla.mozilla.org/enter_bug.cgi#h=bugForm%7CFirefox
  4. <- Array(910) [ "undefined", "InternalError", "EvalError", "RangeError", "ReferenceError", "SyntaxError", "TypeError", "URIError", "ArrayBuffer", "Int8Array", … ]
  5. <- 909

Expected results:

The result of lines 2 and 3 should have matched lines 5 and 6. The array of returned property names should not have grown when globalThis was first referenced, because it should already have been present. It appears that the globalThis item is added to the very end of the property names as soon as it is referenced, but is not present before then.

This is marked as a security bug because it can potentially be used to bypass JavaScript sandboxes (such as Salesforce's Locker Service) where being able to control access to the global scope is important.

A script that uses Object.getOwnPropertyNames(window) to create a proxy object (which is then frozen) for use in a with() block should be able to prevent untrusted script executing within that block (if it's also within an immediately-invoked anonymous function and in strict mode) from accessing the global scope. However, if that sandboxing script doesn't explicitly reference globalThis beforehand, or explicitly attach it to its proxy object, then the untrusted script will be able to access the global scope anyhow.
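The sandbox pattern described in the report, as an added example (not code from the reporter, from Locker Service or from Firefox): a `with`-block scope built from a Proxy whose `has` trap claims every name enumerated on the global object, so lookups of those names stop at the proxy instead of reaching the real global. It runs under Node.js, where `globalThis` stands in for `window`; the Firefox 65-67 behaviour (globalThis absent from Object.getOwnPropertyNames until referenced) is simulated by filtering that one name out of the list, and the helper names `denyListSandbox`, `allowListSandbox`, `runSandboxed` and `writeIsRejected` are this example's own. The trap functions returning false stand in for the freezing the report mentions.

```javascript
// Added example, not from the bug report or from Firefox. Shows why a name that
// Object.getOwnPropertyNames(global) omits leaks through a deny-list `with`
// sandbox, and why a default-deny (allow-list) sandbox does not have the problem.

// Deny-list sandbox: `has` claims every enumerated global name, so inside
// `with (scope)` those identifiers resolve on the proxy (to undefined) rather
// than on the real global object. The write traps return false, which makes
// strict-mode assignments throw, so the scope behaves as if frozen.
function denyListSandbox(denyNames) {
  const denied = new Set(denyNames);
  return new Proxy(Object.create(null), {
    has: (_target, key) => denied.has(key),
    get: () => undefined,
    set: () => false,
    defineProperty: () => false,
    deleteProperty: () => false,
  });
}

// Allow-list (default-deny) sandbox: `has` claims every name except the ones
// explicitly allowed, so an incomplete enumeration of the global cannot leak.
function allowListSandbox(allowNames) {
  const allowed = new Set(allowNames);
  return new Proxy(Object.create(null), {
    has: (_target, key) => !allowed.has(key),
    get: () => undefined,
    set: () => false,
    defineProperty: () => false,
    deleteProperty: () => false,
  });
}

// Runs untrusted code inside `with (scope)`, wrapped in a strict-mode IIFE as
// the report describes. `new Function` bodies are sloppy-mode, so `with` is
// permitted in the wrapper even when this file itself is strict. The `real`
// parameter hands the real global object to the test code so it can check
// whether it escaped; it is deliberately not a shadowed name.
function runSandboxed(code, scope) {
  const wrapper = new Function('scope', 'real',
    'with (scope) { return (function () { "use strict"; ' + code + ' })(); }');
  return wrapper(scope, globalThis);
}

// True when a strict-mode write to a shadowed global throws (the `set` trap
// returned false) instead of silently succeeding.
function writeIsRejected(scope) {
  try {
    runSandboxed('Function = null; return false;', scope);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Deny list as a sandboxing library would build it at load time ...
const completeList = Object.getOwnPropertyNames(globalThis);
// ... and the same list as affected Firefox versions returned before globalThis
// had been referenced: the name is simply missing (simulated here by filtering).
const firefox66List = completeList.filter((name) => name !== 'globalThis');

function demo() {
  return {
    // complete enumeration: the global object is unreachable
    completeTypeofGlobalThis: runSandboxed('return typeof globalThis;', denyListSandbox(completeList)),
    // enumeration missing globalThis: untrusted code obtains the real global object
    buggyListEscapes: runSandboxed('return globalThis === real;', denyListSandbox(firefox66List)),
    // default-deny does not depend on the enumeration being complete
    allowListTypeofGlobalThis: runSandboxed('return typeof globalThis;', allowListSandbox([])),
    // ... while still exposing what is explicitly allowed
    allowListTypeofMath: runSandboxed('return typeof Math;', allowListSandbox(['Math'])),
  };
}

console.log(demo());
```

The check to take away is the second entry of `demo()`: with one name missing from the deny list, `globalThis === real` is true inside the sandbox, which is exactly the escape the report describes. A sandbox that answers `has` with "yes" for everything it has not explicitly allowed does not rely on the host enumerating every global and is not affected by this class of bug.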

Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
OS: Unspecified → Windows
Product: Firefox → Core
Hardware: Unspecified → x86_64
Group: core-security → javascript-core-security
Assignee: nobody → jorendorff

globalThis is handled specially in JS_ResolveStandardClass,
JS_MayResolveStandardClass, and various other places, but not in
JS_NewEnumerateStandardClasses.

Priority: -- → P1
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attachment #9066513 - Attachment description: Bug 1552632 - Part 1: Fix the bug. r?jandem → Bug 1552632 - Resolve globalThis when querying all properties of the global object. r?jandem

Comment on attachment 9066513 [details]
Bug 1552632 - Resolve globalThis when querying all properties of the global object. r?jandem

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not super hard. The difficulty for an attacker lies in matching the bug with a suitable target.

This bug doesn't get you remote code execution, or saved passwords for arbitrary web sites. Rather, if you know a web site that (a) runs untrusted code same-window with secrets you want to steal, and (b) sandboxes the untrusted code, in part, by freezing or deleting stuff in the JS environment, then this bug might prevent the freezing/deleting from working properly.

You'd have to understand the web site's security model quite well to come looking for this Firefox bug.

  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: Firefox 65 and later
  • If not all supported branches, which bug introduced the flaw?: Bug 1317422
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Easy and low risk.
  • How likely is this patch to cause regressions; how much testing does it need?: Regressions are unlikely. The patch includes a sufficient test.
Attachment #9066513 - Flags: sec-approval?

Comment on attachment 9066513 [details]
Bug 1552632 - Resolve globalThis when querying all properties of the global object. r?jandem

As a sec-moderate, this doesn't need sec-approval to go in and looks pretty safe for us anyway. We should get this on Beta as well.
From your comments, ESR60 is unaffected.

Attachment #9066513 - Flags: sec-approval?
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69

Please nominate this for Beta approval when you get a chance.

Flags: needinfo?(jorendorff)
Flags: in-testsuite+

Comment on attachment 9066513 [details]
Bug 1552632 - Resolve globalThis when querying all properties of the global object. r?jandem

Beta/Release Uplift Approval Request

  • User impact if declined: Chance of XSS vulnerability on some web sites
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small obvious patch.
  • String changes made/needed: none
Flags: needinfo?(jorendorff)
Attachment #9066513 - Flags: approval-mozilla-beta?

Comment on attachment 9066513 [details]
Bug 1552632 - Resolve globalThis when querying all properties of the global object. r?jandem

js sec fix, approved for 68.0b7

Attachment #9066513 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
QA Whiteboard: [qa-triaged]

Verified as fixed on Firefox Nightly 69.0a1 (2019-06-23) and on Firefox 68.0b12 on Windows 10 x64, Mac OS X 10.14 and on Ubuntu 18.04 x64.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main68+]
Alias: CVE-2019-11716
Group: core-security-release