NEW 283771
[Streams API] Commit pull-into descriptors after filling from queue
https://bugs.webkit.org/show_bug.cgi?id=283771
Summary [Streams API] Commit pull-into descriptors after filling from queue
Mattias Buelens
Reported 2024-11-27 13:49:51 PST
In GHSA-p5g2-876g-95h9, we discovered that in Chromium, a user could run JavaScript code *synchronously* during `ReadableStreamFulfillReadIntoRequest` by patching `Object.prototype.then`, and use this gadget to break some invariants within `ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue`. Fortunately, Safari seems unaffected, see https://github.com/whatwg/streams/security/advisories/GHSA-p5g2-876g-95h9#advisory-comment-109294.

The Streams standard has been updated with a proper fix for this case. We now postpone all calls to `ReadableByteStreamControllerCommitPullIntoDescriptor` until *after* all pull-into descriptors have been filled up by `ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue`. This way, we won't trigger any patched `then()` method until the stream is in a stable state.

* Original report: https://github.com/whatwg/streams/security/advisories/GHSA-p5g2-876g-95h9
* Specification change: https://github.com/whatwg/streams/pull/1326
* WPT tests: https://github.com/web-platform-tests/wpt/pull/48085
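A small model of the ordering described above, added here as an illustration and not WebKit's or the spec's actual code: descriptors are filled from the queue first, and the user-observable commits run only once the pending list and queue are consistent. Function names such as `fillFromQueue` and `runScenario` are assumed, and the sample queue and descriptor sizes are constructed.

```javascript
// Added example, not WebKit/spec code: models the "fill all, then commit" ordering.

// A pull-into descriptor: a buffer being filled plus a resolve callback that hands
// the filled buffer to user code (which may run synchronously, as a patched then() did).
function makeDescriptor(size, resolve) {
  return { buffer: new Uint8Array(size), bytesFilled: 0, resolve };
}

// Copy queued bytes into one descriptor until it is full or the queue runs dry.
function fillFromQueue(controller, desc) {
  while (controller.queue.length > 0 && desc.bytesFilled < desc.buffer.length) {
    const chunk = controller.queue[0];
    const n = Math.min(chunk.length, desc.buffer.length - desc.bytesFilled);
    desc.buffer.set(chunk.subarray(0, n), desc.bytesFilled);
    desc.bytesFilled += n;
    if (n === chunk.length) controller.queue.shift();
    else controller.queue[0] = chunk.subarray(n);
  }
  return desc.bytesFilled === desc.buffer.length;
}

// Phase 1 fills and detaches every descriptor the queue can satisfy; phase 2
// commits them. No user code runs until phase 1 has left the state consistent.
function processPullIntosUsingQueue(controller) {
  const filled = [];
  while (controller.pendingPullIntos.length > 0) {
    const desc = controller.pendingPullIntos[0];
    if (!fillFromQueue(controller, desc)) break; // queue exhausted: stop filling
    controller.pendingPullIntos.shift();
    filled.push(desc);
    controller.log.push(`filled ${desc.buffer.length}`);
  }
  for (const desc of filled) {
    controller.log.push(`commit ${desc.buffer.length}`);
    desc.resolve(desc.buffer); // user callback may observe the controller here
  }
  return filled.length;
}

// Constructed scenario: two pending reads of 2 and 3 bytes, 5 bytes queued.
function runScenario() {
  const controller = { queue: [new Uint8Array([1, 2, 3, 4, 5])], pendingPullIntos: [], log: [] };
  // The callback records what reentrant user code would see during the commit.
  const onFilled = (buf) =>
    controller.log.push(`user sees pending=${controller.pendingPullIntos.length} got=[${buf.join(',')}]`);
  controller.pendingPullIntos.push(makeDescriptor(2, onFilled), makeDescriptor(3, onFilled));
  processPullIntosUsingQueue(controller);
  return controller.log;
}
```

The log shows both `filled` entries before any `commit`, and every callback observes an empty pending list rather than a half-processed one.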
Radar WebKit Bug Importer
Comment 1 2024-12-04 13:50:25 PST