Changeset 248494 in webkit

Timestamp:

Aug 9, 2019 6:20:22 PM (5 years ago)

Author:

ysuzuki@apple.com

Message:

Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive
​https://bugs.webkit.org/show_bug.cgi?id=199864

Reviewed by Saam Barati.

Source/JavaScriptCore:

Our JSObject::put implementation is not correct in term of the spec. Our Put? implementation is something like this.

JSObject::put(object):

if (can-do-fast-path(object))

return fast-path(object);

slow-path
do {

object-put-check-and-setter-calls(object); (1)
object = object->prototype;

} while (is-object(object));
return do-put(object);

Since JSObject::put is registered in the methodTable, the derived classes can override it. Some of classes are adding
extra checks to this put.

Derived::put(object):

if (do-extra-check(object))

fail

return JSObject::put(object)

The problem is that Derived::put is only called when the |this| object is the Derived class. When traversing Prototype? in
JSObject::put, at (1), we do not perform the extra checks added in Derived::put even if object is Derived one. This means that
we skip the check.

Currently, JSObject::put and WebCore checking mechanism are broken. JSObject::put should call getOwnPropertySlot at (1) to
perform the additional checks. This behavior is matching against the spec. However, currently, our JSObject::getOwnPropertySlot
does not propagate setter information. This is required to cache cacheable Put? at (1) for CustomValue, CustomAccessor, and
Accessors. We also need to reconsider how to integrate static property setters to this mechanism. So, basically, this involves
large refactoring to renew our JSObject::put and JSObject::getOwnPropertySlot.

To work-around for now, we add a new TypeInfo flag, HasPutPropertySecurityCheck . And adding this flag to DOM objects
that implements the addition checks. We also add doPutPropertySecurityCheck method hook to perform the check in JSObject.
When we found this flag at (1), we perform doPutPropertySecurityCheck to properly perform the checks.

Since our JSObject::put code is old and it does not match against the spec now, we should refactor it largely. This is tracked separately in [1].

[1]: ​https://bugs.webkit.org/show_bug.cgi?id=200562

• runtime/ClassInfo.h:
• runtime/JSCJSValue.cpp:

(JSC::JSValue::putToPrimitive):

• runtime/JSCell.cpp:

(JSC::JSCell::doPutPropertySecurityCheck):

• runtime/JSCell.h:
• runtime/JSObject.cpp:

(JSC::JSObject::putInlineSlow):
(JSC::JSObject::getOwnPropertyDescriptor):

• runtime/JSObject.h:

(JSC::JSObject::doPutPropertySecurityCheck):

• runtime/JSTypeInfo.h:

(JSC::TypeInfo::hasPutPropertySecurityCheck const):

Source/WebCore:

Test: http/tests/security/cross-frame-access-object-put-optimization.html

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::doPutPropertySecurityCheck):

• bindings/js/JSLocationCustom.cpp:

(WebCore::JSLocation::doPutPropertySecurityCheck):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):

• bindings/scripts/test/JS/JSTestActiveDOMObject.h:

LayoutTests:

• http/tests/security/cross-frame-access-object-put-optimization-expected.txt: Added.
• http/tests/security/cross-frame-access-object-put-optimization.html: Added.
• http/tests/security/resources/cross-frame-iframe-for-object-put-optimization-test.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-object-put-optimization-expected.txt (added)
• LayoutTests/http/tests/security/cross-frame-access-object-put-optimization.html (added)
• LayoutTests/http/tests/security/resources/cross-frame-iframe-for-object-put-optimization-test.html (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/ClassInfo.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSCJSValue.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSCell.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCell.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSTypeInfo.h (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSLocationCustom.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2019-08-09  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive
+        https://bugs.webkit.org/show_bug.cgi?id=199864
+
+        Reviewed by Saam Barati.
+
+        * http/tests/security/cross-frame-access-object-put-optimization-expected.txt: Added.
+        * http/tests/security/cross-frame-access-object-put-optimization.html: Added.
+        * http/tests/security/resources/cross-frame-iframe-for-object-put-optimization-test.html: Added.
+
 2019-08-09  Ali Juma  <ajuma@chromium.org>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-08-09  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive
+        https://bugs.webkit.org/show_bug.cgi?id=199864
+
+        Reviewed by Saam Barati.
+
+        Our JSObject::put implementation is not correct in term of the spec. Our [[Put]] implementation is something like this.
+
+            JSObject::put(object):
+                if (can-do-fast-path(object))
+                    return fast-path(object);
+                // slow-path
+                do {
+                    object-put-check-and-setter-calls(object); // (1)
+                    object = object->prototype;
+                } while (is-object(object));
+                return do-put(object);
+
+        Since JSObject::put is registered in the methodTable, the derived classes can override it. Some of classes are adding
+        extra checks to this put.
+
+            Derived::put(object):
+                if (do-extra-check(object))
+                    fail
+                return JSObject::put(object)
+
+        The problem is that Derived::put is only called when the |this| object is the Derived class. When traversing [[Prototype]] in
+        JSObject::put, at (1), we do not perform the extra checks added in Derived::put even if `object` is Derived one. This means that
+        we skip the check.
+
+        Currently, JSObject::put and WebCore checking mechanism are broken. JSObject::put should call getOwnPropertySlot at (1) to
+        perform the additional checks. This behavior is matching against the spec. However, currently, our JSObject::getOwnPropertySlot
+        does not propagate setter information. This is required to cache cacheable [[Put]] at (1) for CustomValue, CustomAccessor, and
+        Accessors. We also need to reconsider how to integrate static property setters to this mechanism. So, basically, this involves
+        large refactoring to renew our JSObject::put and JSObject::getOwnPropertySlot.
+
+        To work-around for now, we add a new TypeInfo flag, HasPutPropertySecurityCheck . And adding this flag to DOM objects
+        that implements the addition checks. We also add doPutPropertySecurityCheck method hook to perform the check in JSObject.
+        When we found this flag at (1), we perform doPutPropertySecurityCheck to properly perform the checks.
+
+        Since our JSObject::put code is old and it does not match against the spec now, we should refactor it largely. This is tracked separately in [1].
+
+        [1]: https://bugs.webkit.org/show_bug.cgi?id=200562
+
+        * runtime/ClassInfo.h:
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::putToPrimitive):
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::doPutPropertySecurityCheck):
+        * runtime/JSCell.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putInlineSlow):
+        (JSC::JSObject::getOwnPropertyDescriptor):
+        * runtime/JSObject.h:
+        (JSC::JSObject::doPutPropertySecurityCheck):
+        * runtime/JSTypeInfo.h:
+        (JSC::TypeInfo::hasPutPropertySecurityCheck const):
+
 2019-08-08  Per Arne Vollan  <pvollan@apple.com>
 

trunk/Source/JavaScriptCore/runtime/ClassInfo.h

@@ -72 +72 @@
     using GetOwnPropertySlotByIndexFunctionPtr = bool (*)(JSObject*, ExecState*, unsigned, PropertySlot&);
     GetOwnPropertySlotByIndexFunctionPtr METHOD_TABLE_ENTRY(getOwnPropertySlotByIndex);
+
+    using DoPutPropertySecurityCheckFunctionPtr = void (*)(JSObject*, ExecState*, PropertyName, PutPropertySlot&);
+    DoPutPropertySecurityCheckFunctionPtr METHOD_TABLE_ENTRY(doPutPropertySecurityCheck);
 
     using ToThisFunctionPtr = JSValue (*)(JSCell*, ExecState*, ECMAMode);
@@ -161 +164 @@
         &ClassName::getOwnPropertySlot, \
         &ClassName::getOwnPropertySlotByIndex, \
+        &ClassName::doPutPropertySecurityCheck, \
         &ClassName::toThis, \
         &ClassName::defaultValue, \

trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp

@@ -163 +163 @@
     JSValue prototype;
     if (propertyName != vm.propertyNames->underscoreProto) {
-        for (; !obj->structure(vm)->hasReadOnlyOrGetterSetterPropertiesExcludingProto(); obj = asObject(prototype)) {
+        while (true) {
+            Structure* structure = obj->structure(vm);
+            if (structure->hasReadOnlyOrGetterSetterPropertiesExcludingProto() || structure->typeInfo().hasPutPropertySecurityCheck())
+                break;
             prototype = obj->getPrototype(vm, exec);
             RETURN_IF_EXCEPTION(scope, false);
@@ -169 +172 @@
             if (prototype.isNull())
                 return typeError(exec, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
+            obj = asObject(prototype);
         }
     }
 
     for (; ; obj = asObject(prototype)) {
+        Structure* structure = obj->structure(vm);
+        if (UNLIKELY(structure->typeInfo().hasPutPropertySecurityCheck())) {
+            obj->methodTable(vm)->doPutPropertySecurityCheck(obj, exec, propertyName, slot);
+            RETURN_IF_EXCEPTION(scope, false);
+        }
         unsigned attributes;
-        PropertyOffset offset = obj->structure(vm)->get(vm, propertyName, attributes);
+        PropertyOffset offset = structure->get(vm, propertyName, attributes);
         if (offset != invalidOffset) {
             if (attributes & PropertyAttribute::ReadOnly)

trunk/Source/JavaScriptCore/runtime/JSCell.cpp

@@ -213 +213 @@
 }
 
+void JSCell::doPutPropertySecurityCheck(JSObject*, ExecState*, PropertyName, PutPropertySlot&)
+{
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
 void JSCell::getOwnPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode)
 {

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -266 +266 @@
     static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
     static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&);
+    static NO_RETURN_DUE_TO_CRASH void doPutPropertySecurityCheck(JSObject*, ExecState*, PropertyName, PutPropertySlot&);
 
 private:

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -791 +791 @@
     JSObject* obj = this;
     for (;;) {
+        Structure* structure = obj->structure(vm);
+        if (UNLIKELY(structure->typeInfo().hasPutPropertySecurityCheck())) {
+            obj->methodTable(vm)->doPutPropertySecurityCheck(obj, exec, propertyName, slot);
+            RETURN_IF_EXCEPTION(scope, false);
+        }
         unsigned attributes;
-        PropertyOffset offset = obj->structure(vm)->get(vm, propertyName, attributes);
+        PropertyOffset offset = structure->get(vm, propertyName, attributes);
         if (isValidOffset(offset)) {
             if (attributes & PropertyAttribute::ReadOnly) {
@@ -802 +807 @@
             if (gs.isGetterSetter()) {
                 // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
-                if (!structure(vm)->isDictionary())
+                if (!this->structure(vm)->isDictionary())
                     slot.setCacheableSetter(obj, offset);
 
@@ -3469 +3474 @@
         return false;
 
+
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=200560
+    // This breaks the assumption that getOwnPropertySlot should return "own" property.
+    // We should fix DebuggerScope, ProxyObject etc. to remove this.
+    //
     // DebuggerScope::getOwnPropertySlot() (and possibly others) may return attributes from the prototype chain
     // but getOwnPropertyDescriptor() should only work for 'own' properties so we exit early if we detect that

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -169 +169 @@
     JS_EXPORT_PRIVATE static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&);
     bool getOwnPropertySlotInline(ExecState*, PropertyName, PropertySlot&);
+    static void doPutPropertySecurityCheck(JSObject*, ExecState*, PropertyName, PutPropertySlot&);
 
     // The key difference between this and getOwnPropertySlot is that getOwnPropertySlot
@@ -1405 +1406 @@
 }
 
+ALWAYS_INLINE void JSObject::doPutPropertySecurityCheck(JSObject*, ExecState*, PropertyName, PutPropertySlot&)
+{
+}
+
 // It may seem crazy to inline a function this large but it makes a big difference
 // since this is function very hot in variable lookup

trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h

@@ -57 +57 @@
 static const unsigned InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero = 1 << 15;
 static const unsigned StructureIsImmortal = 1 << 16;
+static const unsigned HasPutPropertySecurityCheck = 1 << 17;
 
 class TypeInfo {
@@ -97 +98 @@
     bool getOwnPropertySlotIsImpure() const { return isSetOnFlags2(GetOwnPropertySlotIsImpure); }
     bool getOwnPropertySlotIsImpureForPropertyAbsence() const { return isSetOnFlags2(GetOwnPropertySlotIsImpureForPropertyAbsence); }
+    bool hasPutPropertySecurityCheck() const { return isSetOnFlags2(HasPutPropertySecurityCheck); }
     bool newImpurePropertyFiresWatchpoints() const { return isSetOnFlags2(NewImpurePropertyFiresWatchpoints); }
     bool isImmutablePrototypeExoticObject() const { return isSetOnFlags2(IsImmutablePrototypeExoticObject); }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-08-09  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive
+        https://bugs.webkit.org/show_bug.cgi?id=199864
+
+        Reviewed by Saam Barati.
+
+        Test: http/tests/security/cross-frame-access-object-put-optimization.html
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::doPutPropertySecurityCheck):
+        * bindings/js/JSLocationCustom.cpp:
+        (WebCore::JSLocation::doPutPropertySecurityCheck):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateHeader):
+        * bindings/scripts/test/JS/JSTestActiveDOMObject.h:
+
 2019-08-09  Saam Barati  <sbarati@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -267 +267 @@
 }
 
+void JSDOMWindow::doPutPropertySecurityCheck(JSObject* cell, ExecState* state, PropertyName propertyName, PutPropertySlot&)
+{
+    VM& vm = state->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    auto* thisObject = jsCast<JSDOMWindow*>(cell);
+    if (!thisObject->wrapped().frame())
+        return;
+
+    String errorMessage;
+    if (!BindingSecurity::shouldAllowAccessToDOMWindow(*state, thisObject->wrapped(), errorMessage)) {
+        // We only allow setting "location" attribute cross-origin.
+        if (propertyName == static_cast<JSVMClientData*>(vm.clientData)->builtinNames().locationPublicName())
+            return;
+        throwSecurityError(*state, scope, errorMessage);
+        return;
+    }
+}
+
 bool JSDOMWindow::put(JSCell* cell, ExecState* state, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
 {

trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp

@@ -127 +127 @@
 }
 
+void JSLocation::doPutPropertySecurityCheck(JSObject* object, ExecState* state, PropertyName propertyName, PutPropertySlot&)
+{
+    auto* thisObject = jsCast<JSLocation*>(object);
+    ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+
+    VM& vm = state->vm();
+
+    // Always allow assigning to the whole location.
+    // However, alllowing assigning of pieces might inadvertently disclose parts of the original location.
+    // So fall through to the access check for those.
+    if (propertyName == static_cast<JSVMClientData*>(vm.clientData)->builtinNames().hrefPublicName())
+        return;
+
+    // Block access and throw if there is a security error.
+    BindingSecurity::shouldAllowAccessToDOMWindow(state, thisObject->wrapped().window(), ThrowSecurityError);
+}
+
 bool JSLocation::put(JSCell* cell, ExecState* state, PropertyName propertyName, JSValue value, PutPropertySlot& putPropertySlot)
 {

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -2655 +2655 @@
         push(@headerContent, "    static bool getOwnPropertySlotByIndex(JSC::JSObject*, JSC::ExecState*, unsigned propertyName, JSC::PropertySlot&);\n");
         $structureFlags{"JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero"} = 1;
+    }
+
+    if ($interface->extendedAttributes->{CheckSecurity}) {
+        push(@headerContent, "    static void doPutPropertySecurityCheck(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PutPropertySlot&);\n");
+        $structureFlags{"JSC::HasPutPropertySecurityCheck"} = 1;
     }
     

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.h

@@ -40 +40 @@
     static JSC::JSObject* prototype(JSC::VM&, JSDOMGlobalObject&);
     static TestActiveDOMObject* toWrapped(JSC::VM&, JSC::JSValue);
+    static void doPutPropertySecurityCheck(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PutPropertySlot&);
     static void destroy(JSC::JSCell*);
 
@@ -52 +53 @@
     static void heapSnapshot(JSCell*, JSC::HeapSnapshotBuilder&);
 public:
-    static const unsigned StructureFlags = Base::StructureFlags | JSC::HasStaticPropertyTable;
+    static const unsigned StructureFlags = Base::StructureFlags | JSC::HasPutPropertySecurityCheck | JSC::HasStaticPropertyTable;
 protected:
     JSTestActiveDOMObject(JSC::Structure*, JSDOMGlobalObject&, Ref<TestActiveDOMObject>&&);