fix: ensure replacements of globals can't be bypassed

Agoric · May 18, 2021 · 3d2a230 · 3d2a230
1 parent bd421ff
commit 3d2a230
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 8 deletions.
diff --git a/packages/SwingSet/src/kernel/liveSlots.js b/packages/SwingSet/src/kernel/liveSlots.js
@@ -27,7 +27,7 @@ const DEFAULT_VIRTUAL_OBJECT_CACHE_SIZE = 3; // XXX ridiculously small value to
  * @param {*} vatParameters
  * @param {*} gcTools { WeakRef, FinalizationRegistry, waitUntilQuiescent }
  * @param {Console} console
- * @returns {*} { vatGlobals, inescapableGlobalLexicals, dispatch, setBuildRootObject }
+ * @returns {*} { vatGlobals, inescapableGlobalProperties, dispatch, setBuildRootObject }
  *
  * setBuildRootObject should be called, once, with a function that will
  * create a root object for the new vat The caller provided buildRootObject
@@ -803,7 +803,7 @@ function build(
     makeKind,
   });
 
-  const inescapableGlobalLexicals = harden({
+  const inescapableGlobalProperties = harden({
     WeakMap: RepairedWeakMap,
     WeakSet: RepairedWeakSet,
   });
@@ -901,7 +901,7 @@ function build(
   // we return 'deadSet' for unit tests
   return harden({
     vatGlobals,
-    inescapableGlobalLexicals,
+    inescapableGlobalProperties,
     setBuildRootObject,
     dispatch,
     m,
@@ -921,7 +921,7 @@ function build(
  * @param {boolean} enableDisavow
  * @param {*} gcTools { WeakRef, FinalizationRegistry, waitUntilQuiescent }
  * @param {Console} [liveSlotsConsole]
- * @returns {*} { vatGlobals, inescapableGlobalLexicals, dispatch, setBuildRootObject }
+ * @returns {*} { vatGlobals, inescapableGlobalProperties, dispatch, setBuildRootObject }
  *
  * setBuildRootObject should be called, once, with a function that will
  * create a root object for the new vat The caller provided buildRootObject
@@ -971,14 +971,14 @@ export function makeLiveSlots(
   );
   const {
     vatGlobals,
-    inescapableGlobalLexicals,
+    inescapableGlobalProperties,
     dispatch,
     setBuildRootObject,
     deadSet,
   } = r; // omit 'm'
   return harden({
     vatGlobals,
-    inescapableGlobalLexicals,
+    inescapableGlobalProperties,
     dispatch,
     setBuildRootObject,
     deadSet,

diff --git a/packages/SwingSet/src/kernel/vatManager/manager-local.js b/packages/SwingSet/src/kernel/vatManager/manager-local.js
@@ -129,7 +129,8 @@ export function makeLocalVatManagerFactory(tools) {
       assert,
     });
     const inescapableTransforms = [];
-    const inescapableGlobalLexicals = { ...ls.inescapableGlobalLexicals };
+    const inescapableGlobalProperties = { ...ls.inescapableGlobalProperties };
+    const inescapableGlobalLexicals = {};
     if (metered) {
       const getMeter = meterRecord.getMeter;
       inescapableTransforms.push(src => transformMetering(src, getMeter));
@@ -141,6 +142,7 @@ export function makeLocalVatManagerFactory(tools) {
       endowments,
       inescapableTransforms,
       inescapableGlobalLexicals,
+      inescapableGlobalProperties,
     });
 
     let dispatch;

diff --git a/packages/import-bundle/src/compartment-wrapper.js b/packages/import-bundle/src/compartment-wrapper.js
@@ -2,6 +2,7 @@ export function wrapInescapableCompartment(
   OldCompartment,
   inescapableTransforms,
   inescapableGlobalLexicals,
+  inescapableGlobalProperties,
 ) {
   // This is the new Compartment constructor. We name it `Compartment` so
   // that it's .name property is correct, but we hold it in 'NewCompartment'
@@ -51,6 +52,15 @@ export function wrapInescapableCompartment(
     // there are details to work out.
     c.globalThis.Compartment = NewCompartment;
 
+    for (const prop of Object.keys(inescapableGlobalProperties)) {
+      Object.defineProperty(c.globalThis, prop, {
+        value: inescapableGlobalProperties[prop],
+        writable: true,
+        enumerable: false,
+        configurable: true,
+      });
+    }
+
     return c;
   };
 

diff --git a/packages/import-bundle/src/index.js b/packages/import-bundle/src/index.js
@@ -16,6 +16,7 @@ export async function importBundle(bundle, options = {}) {
     transforms = [],
     inescapableTransforms = [],
     inescapableGlobalLexicals = {},
+    inescapableGlobalProperties = {},
   } = options;
   const endowments = {
     TextEncoder,
@@ -26,12 +27,14 @@ export async function importBundle(bundle, options = {}) {
   let CompartmentToUse = Compartment;
   if (
     inescapableTransforms.length ||
-    Object.keys(inescapableGlobalLexicals).length
+    Object.keys(inescapableGlobalLexicals).length ||
+    Object.keys(inescapableGlobalProperties).length
   ) {
     CompartmentToUse = wrapInescapableCompartment(
       Compartment,
       inescapableTransforms,
       inescapableGlobalLexicals,
+      inescapableGlobalProperties,
     );
   }
 

diff --git a/packages/import-bundle/test/test-compartment-wrapper.js b/packages/import-bundle/test/test-compartment-wrapper.js
@@ -121,6 +121,8 @@ function check(t, c, odometer, n) {
     { message: /Not available/ },
     `${n} .constructor is tamed`,
   );
+
+  t.is(c.evaluate('WeakMap'), 'replaced');
 }
 
 test('wrap', t => {
@@ -131,10 +133,12 @@ test('wrap', t => {
 
   const inescapableTransforms = [milageTransform];
   const inescapableGlobalLexicals = { getOdometer };
+  const inescapableGlobalProperties = { WeakMap: 'replaced' };
   const WrappedCompartment = wrapInescapableCompartment(
     Compartment,
     inescapableTransforms,
     inescapableGlobalLexicals,
+    inescapableGlobalProperties,
   );
   const endowments = { console };
   const c1 = new WrappedCompartment(endowments);