Closed Bug 1754141 Opened 3 years ago Closed 3 years ago

Instant evaluation: Bypass allowing JavaScript with side effects to be evaluated

Categories

(DevTools :: Console, defect, P2)

defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1609432

People

(Reporter: kasper.karlsson, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Verified in Firefox 96.0.3

The "instant evaluation" feature of the Firefox browser console displays expression results immediately as they are entered. As a protection measure, impure expressions (which have side effects) are not allowed to execute. According to https://developer.mozilla.org/en-US/docs/Tools/Web_Console/The_command_line_interpreter#instant_evaluation:

When the "instant evaluation" feature is enabled, the interpreter displays results of expressions as you're typing them in single-line mode. Note that the result might be an error message. Expressions that have side effects are not evaluated.

This protection can be bypassed by using the functions Array.prototype.every() or Array.prototype.some().

Steps to reproduce:

  1. Open the Firefox Developer Tools console
  2. Enter the following text (either by pasting or writing manually) - this causes the impure alert function to be executed, with the obvious side effect of popping up an alert box:
    [1].every(alert)

Variations:
[1].every(aler\u0074)
[0].every(\u0061\u006c\u0065\u0072\u0074)
["Hello"].some(\u0061\u006c\u0065\u0072\u0074)

Flags: sec-bounty?
Component: Security → Console
Product: Firefox → DevTools
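The following snippet is an added illustration of why each variation in the report runs alert; it is not code from the report or from Firefox DevTools. Array.prototype.every() and Array.prototype.some() call the function handed to them once per element with (element, index, array), so the expression executes alert even though no call parentheses follow its name. A constructed recorder function stands in for alert() so the calls can be observed without a dialog, and the escaped-identifier check is done against a plain object rather than the global alert binding.

```javascript
// Added example, not part of the bug report or of Firefox DevTools.
// Constructed stand-in for an impure function such as alert(): records every
// call it receives and returns a fixed value so the caller's iteration
// behaviour (stop early vs. continue) can be steered.
function makeRecorder(returnValue) {
  const fn = (...args) => { fn.calls.push(args); return returnValue; };
  fn.calls = [];
  return fn;
}

// Apply the named array method ('every' or 'some') with `callback` as its
// predicate, exactly as in `[1].every(alert)`, and return the recorded calls.
// every() stops at the first falsy return, some() at the first truthy one, but
// the callback always runs at least once for a non-empty array.
function invokeViaArrayMethod(method, arr, callback) {
  arr[method](callback);
  return callback.calls;
}

// `aler\u0074` is the same identifier as `alert`: Unicode escapes inside an
// identifier are resolved by the parser, so a name-based filter that compares
// raw source text does not see the escaped spelling as the impure function.
// Shown here against a plain object instead of the global alert function.
function escapedNameIsSameIdentifier() {
  const scope = { alert: 'impure function' };
  return scope.aler\u0074 === scope.alert;
}
```

The takeaway for a side-effect filter is that the visible call syntax of an expression is not the only way a function gets invoked: any built-in that accepts a callback will run it, and identifier escapes let the same binding be spelled in more than one way.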

Andrew, do you know if the JS team needs to look at this or if this is all devtools-based?

Flags: needinfo?(continuation)

Looking at bug 1460518 and a few of the dependencies, it does appear that this feature required work in SpiderMonkey.

That being said, I don't think this is a security issue. If you can get a user to paste something in the browser console, you could probably also get them to paste something in the browser console and hit enter. Not evaluating expressions with side effects seems to be about making the feature nicer to use, not as a protection measure. There are a number of similar issues blocking bug 1460518 that are not security bugs. I'm not sure if this is a dupe of one of those or not. Therefore, I'm going to unhide this bug. Thanks for the report.

Group: firefox-core-security
Flags: needinfo?(continuation)

Looks similar to Bug 1732543

Might be fixed by Bug 1732543, but keeping both open to check that both STRs are fixed and to add proper tests.

Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
See Also: → 1732543
See Also: → 1609432

This case will be fixed by bug 1609432.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-