Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix eval(<non‑string>) and eval.length #306

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix eval(<non‑string>) and eval.length #306

wants to merge 2 commits into from

Conversation

ExE-Boss
Copy link
Contributor

See https://tc39.es/ecma262/#sec-performeval:

  1. If Type(x) is not String, return x.

@erights
Copy link
Member

erights commented Sep 30, 2020

Before proceeding on this, we should be aware of @mikesamuel's proposals to change this aspect of the EcmaScript standard to give hosts (and CSP) more control over the response to non-string eval arguments. (Need link)

Whatever is done here should also be done to the compartment shim. See endojs/endo#481

@erights erights requested a review from kriskowal September 30, 2020 22:57
@mikesamuel
Copy link

I think you're referring to https://github.com/tc39/proposal-dynamic-code-brand-checks

@erights
Copy link
Member

erights commented Oct 1, 2020

@mikesamuel yes, thanks.

@kriskowal
Copy link
Member

Please pardon the very late review. I’m cleaning out the skeletons in my review queue. This change looks good to me.

kriskowal
kriskowal reviewed Jun 16, 2023
View reviewed changes
src/safeEval.js Outdated

// safeEval's prototype RootRealm's value and instanceof Function
// is true inside the realm. It doesn't point at the primal realm
// value, and there is no defense against leaking primal realm
// intrinsics.

defineProperties(safeEval, {
// `eval.length` is already initialized correctly.
// Ensure that `eval.name` is also correct:
name: { value: 'eval' },
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be worth making explicit that this property is non-writable, non-enumerable, and non-configurable.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This property has the defaults of { writeable: false, enumerable: false, configurable: true }, as it’s defined by ECMAScript:

kriskowal
kriskowal requested changes Jun 16, 2023
View reviewed changes
test/realm/function-eval.js
@@ -166,6 +166,26 @@ test('degenerate-pattern-match-argument', t => {
t.end();
});

test('eval-own-properties', t => {
const r = Realm.makeRootRealm();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn’t exist any more. This might be a hard rebase.

test/realm/function-eval.js
`),
true,
'eval(<non-string>) returns <non-string>'
);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So much time has passed, we will probably want a test that verifies the immutability of the eval inside a Compartment.

kriskowal
kriskowal requested changes Jun 16, 2023
View reviewed changes
src/safeEval.js
value: 'eval',
writable: false,
enumerable: false,
configurable: true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be fine, but I want to be sure that the safe evaluator gets hardened later. That said, I don’t think we ever need safe eval to have configurable name, so making this false should be fine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kriskowal kriskowal kriskowal requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ExE-Boss @erights @mikesamuel @kriskowal