Closed Bug 1977364 Opened 8 months ago Closed 8 months ago

Remove support for ducktyped errors

Categories

(Core :: JavaScript Engine, task, P1)

task

Tracking


RESOLVED FIXED
143 Branch
Tracking Status
firefox143 --- fixed

People

(Reporter: tschuster, Assigned: tschuster)

References

(Blocks 2 open bugs)

Details

Attachments

(2 files)

SpiderMonkey has special code to treat objects like {message: "<message>", fileName: "foo", lineNumber: 1} as actual instances of an Error object. This can actually be abused to execute code in some cases: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#no-parentheses-using-exception-handling-and-object-eval-on-firefox

I think this used to exist primarily to handle tricky wrapper cases where it might not be possible to obtain an actual error object. Nowadays, we just don't have that many wrappers anymore.

One thing we might want to think about are DOMException objects, these are almost Error objects but not really. If we just remove the duck typing, the following code will change behavior:

onerror = (message, source, lineno, colno, error) => {
  console.log(lineno, colno);
}
/* line 5 */ let exception = new DOMException("<DOMException message>", "<DOMException name>")
/* line 6 */ throw exception;

Currently this will log 5 0 (where the DOMException is constructed, but apparently we are missing the column?). This will change to 6 14 (the location of throw). Chrome matches with the new behavior.

I did a try push with the duck typing code disabled, there are some test failures related to changed error messages, but it looks manageable.
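The description above says that SpiderMonkey treated any object shaped like {message, fileName, lineNumber} as a real Error, which let untrusted code supply its own "location" data to error handlers. The following is an added example (not code from the bug report or from SpiderMonkey) of how an error-reporting hook on the defending side can classify thrown values without duck typing: only genuine Error instances (DOMException included, since its prototype chain reaches Error.prototype in Firefox and Node) are treated as errors, and the line/column always come from the engine-supplied arguments that window.onerror receives, never from the thrown object. `isGenuineError`, `describeThrown`, `demo` and the `engineLine`/`engineColumn` parameters are hypothetical names chosen for this example; the sample inputs are constructed.

```javascript
// Added example, not code from the bug report or from SpiderMonkey.
// An error-reporting hook that treats only genuine exception objects as
// errors and never takes source locations from a duck-typed object.

// Hypothetical helper: is the thrown value a real Error (or a subclass such
// as TypeError, or DOMException, whose prototype chain includes
// Error.prototype in Firefox and Node)? A plain object shaped like
// {message, fileName, lineNumber} fails this check. Same-realm check only;
// objects from another realm/frame would need a per-realm Error reference.
function isGenuineError(value) {
  return value instanceof Error;
}

// Hypothetical helper: normalise whatever reached the handler into a record.
// `engineLine` / `engineColumn` stand for the lineno/colno that the engine
// passes to window.onerror; they describe the throw site and are the only
// location data this report trusts.
function describeThrown(value, engineLine, engineColumn) {
  const report = {
    kind: "primitive",
    message: "",
    lineNumber: engineLine,
    columnNumber: engineColumn,
  };
  if (isGenuineError(value)) {
    report.kind = "error";
    report.name = value.name;
    report.message = String(value.message);
  } else if (value !== null && typeof value === "object") {
    // Looks like an error but is not one: keep the message for display,
    // ignore fileName/lineNumber because the object itself chose those values.
    report.kind = "ducktyped";
    report.message = "message" in value ? String(value.message) : "";
  } else {
    report.message = String(value);
  }
  return report;
}

// Demo over constructed inputs; 6 / 14 mirrors the throw-site location the
// bug report expects once duck typing is gone.
function demo() {
  const samples = [
    new Error("real error"),
    { message: "<message>", fileName: "foo", lineNumber: 1 },
    "a thrown string",
  ];
  // DOMException is a global in browsers and in Node 17+; skip it elsewhere.
  if (typeof DOMException !== "undefined") {
    samples.push(new DOMException("<DOMException message>", "NotFoundError"));
  }
  return samples.map((s) => describeThrown(s, 6, 14));
}

for (const r of demo()) console.log(r);
```

The duck-typed sample comes back with kind "ducktyped" and lineNumber 6, not the 1 it carried, which is the property a reporting pipeline wants: location fields reflect where the throw happened, not what the thrown object claims.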

Blocks: 1977387
Severity: -- → N/A
Priority: -- → P3
Assignee: nobody → tschuster
Attachment #9500949 - Attachment description: WIP: Bug 1977364 - Remove support for ducktyped errors → Bug 1977364 - Remove support for ducktyped errors. r?#spidermonkey-reviewers
Attachment #9500950 - Attachment description: WIP: Bug 1977364 - Support creating a JSErrorReport from DOMException objects to maintain the same error messages → Bug 1977364 - Support creating a JSErrorReport from DOMException objects to maintain the same error messages. r?#spidermonkey-reviewers,#dom-core
Priority: P3 → P1
Attachment #9500949 - Attachment description: Bug 1977364 - Remove support for ducktyped errors. r?#spidermonkey-reviewers → Bug 1977364 - Disable support for ducktyped errors. r?#spidermonkey-reviewers
Pushed by tschuster@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/e0490b79399c
https://hg.mozilla.org/integration/autoland/rev/c0c6f170e490
Disable support for ducktyped errors. r=spidermonkey-reviewers,jandem
https://github.com/mozilla-firefox/firefox/commit/652c1798fb62
https://hg.mozilla.org/integration/autoland/rev/831879a358fc
Support creating a JSErrorReport from DOMException objects to maintain the same error messages. r=spidermonkey-reviewers,dom-core,mccr8,jandem
https://github.com/mozilla-firefox/firefox/commit/954b7a4e4403
https://hg.mozilla.org/integration/autoland/rev/429249e44884
apply code formatting via Lando
QA Whiteboard: [qa-triage-done-c144/b143]