Workaround for override mistake #146
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,144 @@ | ||
| // Adapted from SES/Caja | ||
| // Copyright (C) 2011 Google Inc. | ||
| // https://github.com/google/caja/blob/master/src/com/google/caja/ses/startSES.js | ||
| // https://github.com/google/caja/blob/master/src/com/google/caja/ses/repairES5.js | ||
|
|
||
| export default function makeRepairDataProperties() { | ||
| const { | ||
| defineProperties, | ||
| getOwnPropertyDescriptors, | ||
| hasOwnProperty, | ||
| } = Object; | ||
| const { ownKeys } = Reflect; | ||
|
|
||
| // Object.defineProperty is allowed to fail silently, | ||
| // wrap Object.defineProperties instead. | ||
| function defineProperty(obj, prop, desc) { | ||
| defineProperties(obj, { [prop]: desc }); | ||
| } | ||
|
|
||
| /** | ||
| * For a special set of properties (defined below), it ensures that the | ||
| * effect of freezing does not suppress the ability to override these | ||
| * properties on derived objects by simple assignment. | ||
| * | ||
| * Because of lack of sufficient foresight at the time, ES5 unfortunately | ||
| * specified that a simple assignment to a non-existent property must fail if | ||
| * it would override a non-writable data property of the same name. (In | ||
| * retrospect, this was a mistake, but it is now too late and we must live | ||
| * with the consequences.) As a result, simply freezing an object to make it | ||
| * tamper proof has the unfortunate side effect of breaking previously correct | ||
| * code that is considered to have followed JS best practices, if this | ||
| * previous code used assignment to override. | ||
| * | ||
| * To work around this mistake, deepFreeze(), prior to freezing, replaces | ||
| * selected configurable own data properties with accessor properties which | ||
| * simulate what we should have specified -- that assignments to derived | ||
| * objects succeed if otherwise possible. | ||
| */ | ||
| function beMutable(obj, prop, desc) { | ||
kumavis marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| if ('value' in desc && desc.configurable) { | ||
| const { value } = desc; | ||
|
|
||
| // eslint-disable-next-line no-inner-declarations | ||
| function getter() { | ||
| return value; | ||
| } | ||
|
|
||
| // Re-attach the data property on the object so | ||
| // it can be found by the deep-freeze traversal process. | ||
| getter.value = value; | ||
|
There was a problem hiding this comment. IIRC, this was one of the things that Salesforce changed, though I do not remember to what. There was a problem hiding this comment. its present in forcedotcom/aura, don't have access to their latest work for comparison. also present in node's version |
||
|
|
||
| // eslint-disable-next-line no-inner-declarations | ||
| function setter(newValue) { | ||
| if (obj === this) { | ||
| throw new TypeError( | ||
| `Cannot assign to read only property '${prop}' of object '${obj}'`, | ||
| ); | ||
| } | ||
| if (hasOwnProperty.call(this, prop)) { | ||
| this[prop] = newValue; | ||
| } else { | ||
| defineProperty(this, prop, { | ||
| value: newValue, | ||
| writable: true, | ||
| enumerable: desc.enumerable, | ||
| configurable: desc.configurable, | ||
| }); | ||
| } | ||
| } | ||
|
|
||
| defineProperty(obj, prop, { | ||
| get: getter, | ||
| set: setter, | ||
| enumerable: desc.enumerable, | ||
| configurable: desc.configurable, | ||
| }); | ||
| } | ||
| } | ||
|
|
||
| function beMutableProperties(obj) { | ||
| if (!obj) { | ||
| return; | ||
| } | ||
| const descs = getOwnPropertyDescriptors(obj); | ||
| if (!descs) { | ||
| return; | ||
| } | ||
| ownKeys(obj).forEach(prop => beMutable(obj, prop, descs[prop])); | ||
| } | ||
|
|
||
| /** | ||
| * These properties are subject to the override mistake | ||
| * and must be converted before freezing. | ||
| */ | ||
| function repairDataProperties(intrinsics) { | ||
| const { global: g, anonIntrinsics: a } = intrinsics; | ||
|
|
||
| const toBeRepaired = [ | ||
| g.Object.prototype, | ||
| g.Array.prototype, | ||
| g.Boolean.prototype, | ||
| g.Date.prototype, | ||
| g.Number.prototype, | ||
| g.String.prototype, | ||
kumavis marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| g.Function.prototype, | ||
| a.GeneratorFunction.prototype, | ||
| a.AsyncFunction.prototype, | ||
| a.AsyncGeneratorFunction.prototype, | ||
|
|
||
| a.IteratorPrototype, | ||
| a.ArrayIteratorPrototype, | ||
|
|
||
| g.DataView.prototype, | ||
|
|
||
| a.TypedArray, | ||
| a.TypedArray.prototype, | ||
kumavis marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| g.Int8Array.prototype, | ||
| g.Int16Array.prototype, | ||
| g.Int32Array.prototype, | ||
| g.Uint8Array, | ||
| g.Uint16Array, | ||
| g.Uint32Array, | ||
kumavis marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| g.Error.prototype, | ||
| g.EvalError.prototype, | ||
| g.RangeError.prototype, | ||
| g.ReferenceError.prototype, | ||
| g.SyntaxError.prototype, | ||
| g.TypeError.prototype, | ||
| g.URIError.prototype, | ||
| ]; | ||
|
|
||
| // Promise may be removed from the whitelist | ||
| const PromisePrototype = g.Promise && g.Promise.prototype; | ||
kumavis marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| if (PromisePrototype) { | ||
| toBeRepaired.push(PromisePrototype); | ||
| } | ||
|
|
||
| toBeRepaired.forEach(beMutableProperties); | ||
| } | ||
|
|
||
| return repairDataProperties; | ||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was based off a comment I found in
realms-shim/src/common, but doesn't seem to be true in at least node v10 REPLThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another obscure corner of JavaScript. The only case where this might happen is on browsers, where there's a distinction between the reified so-called "WindowProxy" object and the unreified so-called "Window" object. The issue is that a browser frame, when it is navigated from url1 to url2, gets the completely new root realm associated with url2, including global variable bindings, but keeps the same global "window" object (which is actually a WindowProxy) because that is the same object the parent can hold onto to designate this frame no matter what it is navigated to.
The way this is implemented is that every root realm that occupied the frame has its own hidden so-called "Window" object, whose properties are aliased to that root realm's global variables. The so-called "WindowProxy" object has a current hidden "Window" object, that it forwards all operations to. Done naively, this leads to a contradiction:
Say
wpis such a WindowProxy object. While it is at url1, and therefore forwarding to hidden window hw1, someone does anLet's say that this call reports success, however
definePropertyis supposed to report success. Then, presumably, hw1 actually has a non-writable, non-configurablefoodata property with value 88. By the object invariants, these conditions represent a commitment that this property on this object must always be a non-writable, non-configurablefoodata property with value 88. Fine so far.Now some navigates the frame to url2, associated with hidden window hw2 that has no
fooproperty, and whose root realm therefore also has nofooglobal variable. What shouldreturn? What it actually does across all browsers, and as mandated by the html spec, is to forward that
getOwnPropertyDescriptorrequest to its current hidden window object, hw2, which returns undefined. However, werewpto do so, after the previousdefinePropertyhad indicated success, it would violate the previous commitment.Therefore, the previous call to
definePropertymust not report success. Heroic work by Mozilla on Firefox at first had thatdefinePropertycall throw an error, which was the only way thatdefinePropertycould report that the operation failed. This broke some old code in some old version of some library that did not actually care whether thedefinePropertysucceeded, failed, or did anything at all. But if the call todefinePropertythrew, the library broke.Therefore, for this one horrible special case, we allow
definePropertyto report failure by returning false rather than throwing. SES does not care about breaking that old version of some obscure library. SES does care about the threat to integrity if code proceeds normally under the assumption that some operation succeeded when it didn't. Thus, SES should restore the less kludgy behavior ofdefineProperty, that could only report failure by throwing.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For now should I continue to use
Object.definePropertiesas workaround? or something else?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Attn @ljharb Do you know the status of the possibility that the failure masking behavior of
Object.definePropertybe extended toObject.defineProperties? In your opinion, should we switch to another technique to unmask the failure masking, to stay safe in the face of this possible change?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Based on what I'm reading in this thread, the only reason
Object.definePropertywas forced to not throw was for legacy web compat - ifObject.definePropertiesdoesn't already have that problem, then I can't see why we'd ever want to make it not throw when it fails?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good. I agree with the conclusion. I was asking because I recall some tc39 talk of extending the failure masking behavior to
Object.definePropertiesfor consistency. But I haven't heard much. If you haven't run across this, it is likely inactive. Whew. Thanks.