Bug 173303

Summary:

Function constructor needs to follow the spec and validate parameters and body independently

Product:

WebKit

Reporter:

Mark S. Miller <erights>

Component:

JavaScriptCore

Assignee:

Saam Barati <saam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

benjamin, bfulgham, buildbot, commit-queue, erights, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, product-security, rniwa, saam, ticaiolima, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=106160
https://bugs.webkit.org/show_bug.cgi?id=131137
https://github.com/tc39/proposal-realms/issues/54#issuecomment-308017282

Attachments:

Description	Flags
WIP	none
WIP	none
patch	keith_miller: review+, buildbot: commit-queue-
Archive of layout-test-results from ews107 for mac-elcapitan-wk2	none
Archive of layout-test-results from ews114 for mac-elcapitan	none
Archive of layout-test-results from ews126 for ios-simulator-wk2	none
Archive of layout-test-results from ews101 for mac-elcapitan	none
patch for landing	buildbot: commit-queue-
patch for landing	commit-queue: commit-queue-
patch for landing	none

Mark S. Miller

Reported 2017-06-12 23:36:44 PDT

In the JavaScript console: > Function('/*', '*/){') < function anonymous(/*) { */){ } This violates the spec and enables injection attacks. According to the spec, the code above should be rejected with a syntax error because the last argument does not parse as a valid function body. This can be used, and has been used, by secure frameworks to ensure that untrusted strings parse as valid function bodies. Such secure frameworks can be fooled on JSC because of this bug.

Attachments
WIP (3.32 KB, patch) 2017-06-26 14:46 PDT, Saam Barati	no flags	Details Formatted Diff Diff
WIP (4.00 KB, patch) 2017-06-26 14:52 PDT, Saam Barati	no flags	Details Formatted Diff Diff
patch (8.19 KB, patch) 2017-06-26 16:27 PDT, Saam Barati	keith_miller: review+ buildbot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from ews107 for mac-elcapitan-wk2 (1.20 MB, application/zip) 2017-06-26 17:35 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews114 for mac-elcapitan (1.79 MB, application/zip) 2017-06-26 17:44 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews126 for ios-simulator-wk2 (21.82 MB, application/zip) 2017-06-26 17:58 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews101 for mac-elcapitan (1.03 MB, application/zip) 2017-06-26 19:26 PDT, Build Bot	no flags	Details
patch for landing (18.93 KB, patch) 2017-06-27 10:56 PDT, Saam Barati	buildbot: commit-queue-	Details Formatted Diff Diff
patch for landing (21.23 KB, patch) 2017-06-27 11:51 PDT, Saam Barati	commit-queue: commit-queue-	Details Formatted Diff Diff
patch for landing (21.23 KB, patch) 2017-06-27 14:14 PDT, Saam Barati	no flags	Details Formatted Diff Diff
Show Obsolete (9) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2017-06-13 00:01:53 PDT

<rdar://problem/32732526>

Keith Miller

Comment 2 2017-06-13 00:02:27 PDT

Interesting, I wonder what the right solution to this is... Saam, do you have any thoughts? P.S. I moved this to security because why not.

Saam Barati

Comment 3 2017-06-26 12:24:52 PDT

(In reply to Keith Miller from comment #2) > Interesting, I wonder what the right solution to this is... Saam, do you > have any thoughts? > > P.S. I moved this to security because why not. I'm going to read the spec now, but I don't have any profound ideas here. It seems like this will require us refactoring the parser a bit. The interesting thing is that it seems possible that something can be a valid function body, however, in the context of the parameters, is no longer valid: function foo(a) { "use strict"; let a; }

Saam Barati

Comment 4 2017-06-26 12:42:31 PDT

(In reply to Saam Barati from comment #3) > (In reply to Keith Miller from comment #2) > > Interesting, I wonder what the right solution to this is... Saam, do you > > have any thoughts? > > > > P.S. I moved this to security because why not. > > I'm going to read the spec now, but I don't have any profound ideas here. It > seems like this will require us refactoring the parser a bit. The > interesting thing is that it seems possible that something can be a valid > function body, however, in the context of the parameters, is no longer valid: > function foo(a) { "use strict"; let a; } Actually, I think there is a way to avoid this: we could use the syntax checker to parse the body without any parameters.

Mark S. Miller

Comment 5 2017-06-26 13:53:05 PDT

I am curious what the spec actually says about your example new Function('a', '"use strict"; let a;'); I assume it would be an early error since it results in a function that would be an early error if written out. FWIW, JSC, V8, and SpiderMonkey all do reject it with an early error already. I do not know your parser, but yes, if you can simply ask your parser to do a validating parse with FunctionBody as the start symbol, then that would take care of the issue raised by this bug. Your existing behavior then would still take care of the issue raised in comment #3.

Saam Barati

Comment 6 2017-06-26 14:46:18 PDT

Created attachment 313869 [details] WIP

Saam Barati

Comment 7 2017-06-26 14:52:28 PDT

Created attachment 313870 [details] WIP

Saam Barati

Comment 8 2017-06-26 16:27:18 PDT

Created attachment 313872 [details] patch

Keith Miller

Comment 9 2017-06-26 16:32:49 PDT

Comment on attachment 313872 [details] patch r=me.

Build Bot

Comment 10 2017-06-26 17:10:16 PDT

Comment on attachment 313872 [details] patch Attachment 313872 [details] did not pass jsc-ews (mac): Output: http://webkit-queues.webkit.org/results/4003110 New failing tests: jsc-layout-tests.yaml/js/script-tests/function-constructor-single-line-comment.js.layout jsc-layout-tests.yaml/js/script-tests/function-constructor-single-line-comment.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/function-constructor-single-line-comment.js.layout-no-ftl jsc-layout-tests.yaml/js/script-tests/function-constructor-single-line-comment.js.layout-no-cjit jsc-layout-tests.yaml/js/script-tests/function-constructor-single-line-comment.js.layout-ftl-no-cjit jsc-layout-tests.yaml/js/script-tests/function-constructor-single-line-comment.js.layout-no-llint ChakraCore.yaml/ChakraCore/test/Function/FuncBody.js.default jsc-layout-tests.yaml/js/script-tests/function-constructor-single-line-comment.js.layout-ftl-eager-no-cjit apiTests

Build Bot

Comment 11 2017-06-26 17:35:35 PDT

Comment on attachment 313872 [details] patch Attachment 313872 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/4003189 New failing tests: fast/events/onload-single-line-comment.html imported/w3c/web-platform-tests/html/webappapis/scripting/events/invalid-uncompiled-raw-handler-compiled-late.html js/function-constructor-single-line-comment.html js/dom/parse-error-external-script-in-new-Function.html imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-attribute.html fast/dom/attribute-event-listener-errors.html inspector/debugger/search-scripts.html imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-body-onerror.html

Build Bot

Comment 12 2017-06-26 17:35:36 PDT

Created attachment 313878 [details] Archive of layout-test-results from ews107 for mac-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6

Build Bot

Comment 13 2017-06-26 17:44:55 PDT

Comment on attachment 313872 [details] patch Attachment 313872 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/4003187 New failing tests: fast/events/onload-single-line-comment.html imported/w3c/web-platform-tests/html/webappapis/scripting/events/invalid-uncompiled-raw-handler-compiled-late.html js/function-constructor-single-line-comment.html js/dom/parse-error-external-script-in-new-Function.html imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-attribute.html fast/dom/attribute-event-listener-errors.html imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-body-onerror.html

Build Bot

Comment 14 2017-06-26 17:44:56 PDT

Created attachment 313879 [details] Archive of layout-test-results from ews114 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews114 Port: mac-elcapitan Platform: Mac OS X 10.11.6

Build Bot

Comment 15 2017-06-26 17:58:19 PDT

Comment on attachment 313872 [details] patch Attachment 313872 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/4003233 New failing tests: fast/events/onload-single-line-comment.html imported/w3c/web-platform-tests/html/webappapis/scripting/events/invalid-uncompiled-raw-handler-compiled-late.html js/function-constructor-single-line-comment.html js/dom/parse-error-external-script-in-new-Function.html imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-attribute.html fast/dom/attribute-event-listener-errors.html imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-body-onerror.html

Build Bot

Comment 16 2017-06-26 17:58:21 PDT

Created attachment 313880 [details] Archive of layout-test-results from ews126 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews126 Port: ios-simulator-wk2 Platform: Mac OS X 10.12.5

Build Bot

Comment 17 2017-06-26 19:26:57 PDT

Comment on attachment 313872 [details] patch Attachment 313872 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/4003586 New failing tests: fast/events/onload-single-line-comment.html imported/w3c/web-platform-tests/html/webappapis/scripting/events/invalid-uncompiled-raw-handler-compiled-late.html js/function-constructor-single-line-comment.html js/dom/parse-error-external-script-in-new-Function.html imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-attribute.html fast/dom/attribute-event-listener-errors.html inspector/debugger/search-scripts.html imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-body-onerror.html

Build Bot

Comment 18 2017-06-26 19:26:58 PDT

Created attachment 313887 [details] Archive of layout-test-results from ews101 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-elcapitan Platform: Mac OS X 10.11.6

Saam Barati

Comment 19 2017-06-26 22:36:15 PDT

I need to make sure we have a newline before the starting/closing brace of a body. I also need to rebaseline some tests I think. Running tests locally now.

Saam Barati

Comment 20 2017-06-27 10:56:57 PDT

Created attachment 313928 [details] patch for landing

Build Bot

Comment 21 2017-06-27 11:39:25 PDT

Comment on attachment 313928 [details] patch for landing Attachment 313928 [details] did not pass jsc-ews (mac): Output: http://webkit-queues.webkit.org/results/4006973 New failing tests: ChakraCore.yaml/ChakraCore/test/Function/FuncBody.js.default

Saam Barati

Comment 22 2017-06-27 11:51:05 PDT

Created attachment 313931 [details] patch for landing

WebKit Commit Bot

Comment 23 2017-06-27 14:10:59 PDT

Comment on attachment 313931 [details] patch for landing Rejecting attachment 313931 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'validate-changelog', '--check-oops', '--non-interactive', 313931, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in LayoutTests/imported/w3c/ChangeLog contains OOPS!. Full output: http://webkit-queues.webkit.org/results/4008044

Saam Barati

Comment 24 2017-06-27 14:14:33 PDT

Created attachment 313940 [details] patch for landing

WebKit Commit Bot

Comment 25 2017-06-27 14:37:50 PDT

Comment on attachment 313940 [details] patch for landing Clearing flags on attachment: 313940 Committed r218845: <http://trac.webkit.org/changeset/218845>

WebKit Commit Bot

Comment 26 2017-06-27 14:37:52 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.