[vulnerability][acl] Any properties can be read via ObjectPattern assignments #327

Closed
t2ym opened this issue Feb 5, 2020 · 0 comments
t2ym commented Feb 5, 2020

Root Cause

  • Hooking for all-property access is missing for the RHS value of an ObjectPattern

Reproducible Code

```javascript
let { caches, ...rest } = window;
let [ ...elements ] = [ 1, 2, 3 ];
({ caches } = window); // [S_ALL] for window must not be allowed
// caches.open() throws even without the below fix
```

Fix

  • Hook each RHS value of an ObjectPattern or ArrayPattern in a VariableDeclarator or AssignmentExpression with the "*" operation, to check iteration over all properties of the target object

Notes

  • All RHS values of an ObjectPattern or ArrayPattern, all of whose properties can POTENTIALLY be read, are hooked even if no RestProperty ({...rest}) or RestElement ([...elements]) is specified in their LHS expressions.
    • It might be ideal to list all the specified target property names for ACL, but that would be too complicated.
  • [S_ALL] policy must be properly configured to limit access to the target object properties.
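The following is an added example and is not code from this issue or from the project's own instrumentation. It models the check the issue describes: a per-property hook on member access versus the "*" (all-properties) hook the fix adds to destructuring RHS values. `fakeWindow`, `fakeList`, the `acl` table, `hookGet`, `hookAll` and `AclError` are all constructed stand-ins, and the `all` flag is this example's rendering of the [S_ALL] policy.

```javascript
// Constructed stand-ins for the guarded global object and an array; they are
// not the real window object and not the project's instrumented code.
const fakeWindow = {
  caches: { open() { return 'cache handle'; } },
  secret: 'token-123',
  version: 42,
};
const fakeList = [1, 2, 3];

// Constructed ACL table keyed by object identity. `read` lists the property
// names a single hooked member access may read; `all` is this example's
// stand-in for the issue's [S_ALL] policy (may every property be read?).
const acl = new Map([
  [fakeWindow,        { label: 'window',        read: new Set(['version']), all: false }],
  [fakeWindow.caches, { label: 'window.caches', read: new Set(),            all: false }],
  [fakeList,          { label: 'list',          read: new Set(),            all: true  }],
]);

class AclError extends Error {}

// Hypothetical hook for one property read, i.e. what `obj.prop` compiles to.
function hookGet(obj, prop) {
  const p = acl.get(obj);
  if (!p || !(p.all || p.read.has(prop))) {
    throw new AclError(`read of ${p ? p.label : '<unknown>'}.${String(prop)} denied`);
  }
  return obj[prop];
}

// Hypothetical hook for the "*" operation the fix adds: the RHS of an
// ObjectPattern/ArrayPattern may touch every property, so it needs [S_ALL].
function hookAll(obj) {
  const p = acl.get(obj);
  if (!p || !p.all) {
    throw new AclError(`[S_ALL] on ${p ? p.label : '<unknown>'} denied`);
  }
  return obj;
}

// Before the fix: the destructuring RHS is not a member access, so no hook
// runs and every own property, including `secret`, is read unchecked.
function destructureUnhooked(obj) {
  const { secret, ...rest } = obj;
  return { secret, restKeys: Object.keys(rest) };
}

// After the fix: the RHS is wrapped in the "*" hook before the pattern runs.
function destructureHooked(obj) {
  const { secret, ...rest } = hookAll(obj);
  return { secret, restKeys: Object.keys(rest) };
}

// The same hook applies to ArrayPattern RHS values.
function spreadHooked(arr) {
  const [first, ...others] = hookAll(arr);
  return { first, others };
}

// Returns the ACL error message when `fn` is denied, or null when it succeeds.
function denialOf(fn) {
  try { fn(); return null; }
  catch (e) { if (e instanceof AclError) return e.message; throw e; }
}

// Walk-through matching the issue's reproduction.
function demo() {
  return {
    leakedSecret: destructureUnhooked(fakeWindow).secret,        // 'token-123': the bug
    windowDenied: denialOf(() => destructureHooked(fakeWindow)), // '[S_ALL] on window denied'
    listResult: spreadHooked(fakeList),                           // { first: 1, others: [2, 3] }
    singleRead: hookGet(fakeWindow, 'version'),                  // 42: allowed by `read`
    // `caches.open()` is a hooked member access on the destructured value,
    // so it is denied even without the fix, as the issue notes.
    cachesDenied: denialOf(() => hookGet(fakeWindow.caches, 'open')),
  };
}
```

The point of `hookAll` taking no property name is the one made in the Notes: the hook cannot know which properties the pattern will read, so it asks for the whole-object permission, and `fakeList` only passes because its policy grants `all`.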
t2ym added a commit that referenced this issue Feb 5, 2020
… ArrayPattern for checking all property access
t2ym added a commit that referenced this issue Feb 5, 2020
…Hook RHS values of ObjectPattern and ArrayPattern for checking all property access
t2ym added a commit that referenced this issue Feb 5, 2020
…Pattern and ArrayPattern for checking all property access
@t2ym t2ym closed this as completed in 7b4301e Feb 5, 2020