Closed Bug 1962309 Opened 11 months ago Closed 11 months ago

Eager evaluation shouldn't perform side-effectful operation during constructing previews

Categories

(DevTools :: Console, defect)

Product:
DevTools
Component:
Console
Type:
defect

Tracking

(firefox-esr115 wontfix, firefox-esr128 wontfix, firefox137 wontfix, firefox138 wontfix, firefox139 fixed)

Status:
RESOLVED FIXED
Milestone:
139 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox137 --- wontfix
firefox138 --- wontfix
firefox139 --- fixed

People

(Reporter: arai, Assigned: arai)

References

Details

(Keywords: sec-low, Whiteboard: [adv-main139-])

Attachments

(3 files, 1 obsolete file)

testcase from bug 1960745 comment 9: keylogs 1st token of every console command
490 bytes, text/html
Details
Bug 1962309 - Part 1: Do not perform side-effectful operation for eager evaluation result preview. r?nchevobbe!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1962309 - Part 2: Add test. r?nchevobbe!
48 bytes, text/x-phabricator-request
Details | Review

derived from bug 1960745 comment #9

If eager evaluation hits any error, the Error object is passed to preview, and the preview performs side-effectful operation, that leaks the input to the web content via monkey-patched Error prototypes.

Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED

Given the following, I'm assigning sec-low, and I'll land the patch shortly.

  • this requires explicit user action on DevTools console
  • only the partial input or wrong input (which hits any error) gets leaked to the webpage
  • once the user hits enter, the code should be evaluated in the webpage's context, and executing the monkey-patched code should be totally okay and should be the expected behavior. thus, this is a problem only because the eager evaluation isn't supposed to have side effect
  • clearly less severe than bug 1960745 which has sec-moderate
status-firefox137: --- → affected
status-firefox138: --- → affected
status-firefox139: --- → affected
status-firefox-esr115: --- → affected
status-firefox-esr128: --- → affected
Keywords: sec-low
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/cdb7f526b187 Part 1: Do not perform side-effectful operation for eager evaluation result preview. r=nchevobbe,devtools-reviewers

https://hg.mozilla.org/mozilla-central/rev/cdb7f526b187

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
status-firefox139: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch

The patch landed in nightly and beta is affected.
:arai, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(arai.unmht)

this patch depends on bug 1960745 patch.
So I'll prepare the uplift after that

status-firefox137: affectedwontfix
status-firefox138: affectedwontfix
Flags: needinfo?(arai.unmht)
Attachment #9480896 - Flags: approval-mozilla-esr128?
Attachment #9480896 - Attachment is obsolete: true
Attachment #9480896 - Flags: approval-mozilla-esr128?

Actually, this patch doesn't apply cleanly on esr128 and esr115, because of some other refactoring around the value grip and actor parameters.
Given the severity, I'm leaning toward not requesting uplift.
nchevobbe, can I have your opinion?

Flags: needinfo?(nchevobbe)

(In reply to Tooru Fujisawa [:arai] from comment #9)

Actually, this patch doesn't apply cleanly on esr128 and esr115, because of some other refactoring around the value grip and actor parameters.
Given the severity, I'm leaning toward not requesting uplift.
nchevobbe, can I have your opinion?

that sounds fine to me

Flags: needinfo?(nchevobbe)
QA Whiteboard: [sec] [qa-triage-done-c140/b139]
Flags: qe-verify-
Whiteboard: [adv-main139-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: