Context Navigation

← Previous Changeset
Next Changeset →

Changeset 202460 in webkit

Timestamp:

Jun 24, 2016 4:34:45 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

[JSC] Error prototypes are called on remote scripts.
https://bugs.webkit.org/show_bug.cgi?id=52192

Reviewed by Keith Miller.

Source/JavaScriptCore:

Added a sanitizedToString() to the Error instance object so that it can be used
to get an error string without invoking getters and proxies.

runtime/ErrorInstance.cpp:

(JSC::ErrorInstance::finishCreation):
(JSC::ErrorInstance::sanitizedToString):

runtime/ErrorInstance.h:

(JSC::ErrorInstance::createStructure):
(JSC::ErrorInstance::runtimeTypeForCause):
(JSC::ErrorInstance::clearRuntimeTypeForCause):

Source/WebCore:

Test: http/tests/security/regress-52192.html

Parsing errors are reported to the main script's window.onerror function. AFAIK,
both Chrome and Firefox have the error reporting mechanism use an internal
sanitized version of Error.prototype.toString() that will not invoke any getters
or proxies instead.

This patch fixes this issue by matching Chrome and Firefox's behavior.

Note: we did not choose to make error objects and prototypes read-only because
that was observed to have broken the web.
See https://bugs.chromium.org/p/chromium/issues/detail?id=69187#c73

Credit for reporting this issue goes to Daniel Divricean (http://divricean.ro).

bindings/js/JSDOMBinding.cpp:

(WebCore::reportException):

ForwardingHeaders/runtime/ErrorInstance.h: Added.

LayoutTests:

The added test will test the following combinations of factors:

Explicitly throwing an error of each of the types of JS errors i.e. Error, EvalError, RangeError, ReferenceError, SyntaxError, TypeError, URIError.
Validating that the error received in window.onerror does not leak any info.
Validating that the 'name' and 'toString' getters set on the error prototype object does not get invoked for creating the error message to be passed to window.error.

http/tests/security/regress-52192-expected.txt: Added.
http/tests/security/regress-52192.html: Added.
http/tests/security/resources/regress-52192-syntax-error.js: Added.
http/tests/security/resources/regress-52192-throw-error.js: Added.

(catch):

Location:

trunk

Files:

: 5 added
: 6 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/http/tests/security/regress-52192-expected.txt (added)
LayoutTests/http/tests/security/regress-52192.html (added)
LayoutTests/http/tests/security/resources/regress-52192-syntax-error.js (added)
LayoutTests/http/tests/security/resources/regress-52192-throw-error.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/runtime/ErrorInstance.cpp (modified) (2 diffs)
Source/JavaScriptCore/runtime/ErrorInstance.h (modified) (3 diffs)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/ForwardingHeaders/runtime/ErrorInstance.h (added)
Source/WebCore/bindings/js/JSDOMBinding.cpp (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r202456
+                      r202460
+-06-24  Mark Lam  <mark.lam@apple.com>
+        [JSC] Error prototypes are called on remote scripts.
+        https://bugs.webkit.org/show_bug.cgi?id=52192
+        Reviewed by Keith Miller.
+        The added test will test the following combinations of factors:
+. Explicitly throwing an error of each of the types of JS errors i.e.
+           Error, EvalError, RangeError, ReferenceError, SyntaxError, TypeError, URIError.
+. Validating that the error received in window.onerror does not leak any info.
+. Validating that the 'name' and 'toString' getters set on the error prototype
+           object does not get invoked for creating the error message to be passed to
+           window.error.
+        * http/tests/security/regress-52192-expected.txt: Added.
+        * http/tests/security/regress-52192.html: Added.
+        * http/tests/security/resources/regress-52192-syntax-error.js: Added.
+        * http/tests/security/resources/regress-52192-throw-error.js: Added.
+        (catch):
 -06-24  Myles C. Maxfield  <mmaxfield@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r202458
+                      r202460
+-06-24  Mark Lam  <mark.lam@apple.com>
+        [JSC] Error prototypes are called on remote scripts.
+        https://bugs.webkit.org/show_bug.cgi?id=52192
+        Reviewed by Keith Miller.
+        Added a sanitizedToString() to the Error instance object so that it can be used
+        to get an error string without invoking getters and proxies.
+        * runtime/ErrorInstance.cpp:
+        (JSC::ErrorInstance::finishCreation):
+        (JSC::ErrorInstance::sanitizedToString):
+        * runtime/ErrorInstance.h:
+        (JSC::ErrorInstance::createStructure):
+        (JSC::ErrorInstance::runtimeTypeForCause):
+        (JSC::ErrorInstance::clearRuntimeTypeForCause):
 -06-24  Commit Queue  <commit-queue@webkit.org>

trunk/Source/JavaScriptCore/runtime/ErrorInstance.cpp

-                      r201830
+                      r202460
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
  *  Copyright (C) 2003, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2008, 2016 Apple Inc. All rights reserved.
+ *
  *  This library is free software; you can redistribute it and/or
 …
+    }
+}
+// Based on ErrorPrototype's errorProtoFuncToString(), but is modified to
+// have no observable side effects to the user (i.e. does not call proxies,
+// and getters).
+String ErrorInstance::sanitizedToString(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSValue nameValue;
+    auto namePropertName = vm.propertyNames->name;
+    PropertySlot nameSlot(this, PropertySlot::InternalMethodType::VMInquiry);
+    JSValue currentObj = this;
+    unsigned prototypeDepth = 0;
+    // We only check the current object and its prototype (2 levels) because normal
+    // Error objects may have a name property, and if not, its prototype should have
+    // a name property for the type of error e.g. "SyntaxError".
+    while (currentObj.isCell() && prototypeDepth++ < 2) {
+        JSObject* obj = jsCast<JSObject*>(currentObj);
+        if (JSObject::getOwnPropertySlot(obj, exec, namePropertName, nameSlot) && nameSlot.isValue()) {
+            nameValue = nameSlot.getValue(exec, namePropertName);
+            break;
+        }
+        currentObj = obj->getPrototypeDirect();
+    }
+    ASSERT(!vm.exception());
+    String nameString;
+    if (!nameValue)
+        nameString = ASCIILiteral("Error");
+    else {
+        nameString = nameValue.toString(exec)->value(exec);
+        if (vm.exception())
+            return String();
+    }
+    JSValue messageValue;
+    auto messagePropertName = vm.propertyNames->message;
+    PropertySlot messageSlot(this, PropertySlot::InternalMethodType::VMInquiry);
+    if (JSObject::getOwnPropertySlot(this, exec, messagePropertName, messageSlot) && messageSlot.isValue())
+        messageValue = messageSlot.getValue(exec, messagePropertName);
+    ASSERT(!vm.exception());
+    String messageString;
+    if (!messageValue)
+        messageString = String();
+    else {
+        messageString = messageValue.toString(exec)->value(exec);
+        if (vm.exception())
+            return String();
+    }
+    if (!nameString.length())
+        return messageString;
+    if (!messageString.length())
+        return nameString;
+    StringBuilder builder;
+    builder.append(nameString);
+    builder.append(": ");
+    builder.append(messageString);
+    return builder.toString();
+}
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/ErrorInstance.h

-                      r182495
+                      r202460
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
  *  Copyright (C) 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2008, 2016 Apple Inc. All rights reserved.
+ *
  *  This library is free software; you can redistribute it and/or
 …
     typedef String (*SourceAppender) (const String& originalMessage, const String& sourceText, RuntimeType, SourceTextWhereErrorOccurred);
     DECLARE_INFO;
+    DECLARE_EXPORT_INFO;
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
 …
     void clearRuntimeTypeForCause() { m_runtimeTypeForCause = TypeNothing; }
+    JS_EXPORT_PRIVATE String sanitizedToString(ExecState*);
 protected:
     explicit ErrorInstance(VM&, Structure*);

trunk/Source/WebCore/ChangeLog

-                      r202459
+                      r202460
+-06-24  Mark Lam  <mark.lam@apple.com>
+        [JSC] Error prototypes are called on remote scripts.
+        https://bugs.webkit.org/show_bug.cgi?id=52192
+        Reviewed by Keith Miller.
+        Test: http/tests/security/regress-52192.html
+        Parsing errors are reported to the main script's window.onerror function.  AFAIK,
+        both Chrome and Firefox have the error reporting mechanism use an internal
+        sanitized version of Error.prototype.toString() that will not invoke any getters
+        or proxies instead.
+        This patch fixes this issue by matching Chrome and Firefox's behavior.
+        Note: we did not choose to make error objects and prototypes read-only because
+        that was observed to have broken the web.
+        See https://bugs.chromium.org/p/chromium/issues/detail?id=69187#c73
+        Credit for reporting this issue goes to Daniel Divricean (http://divricean.ro).
+        * bindings/js/JSDOMBinding.cpp:
+        (WebCore::reportException):
+        * ForwardingHeaders/runtime/ErrorInstance.h: Added.
 -06-24  Jer Noble  <jer.noble@apple.com>

trunk/Source/WebCore/bindings/js/JSDOMBinding.cpp

-                      r202023
+                      r202460
 /*
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2013 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004-2011, 2013, 2016 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Samuel Weinig <sam@webkit.org>
  *  Copyright (C) 2013 Michael Pruett <michael@68k.org>
 …
 #include <runtime/Error.h>
 #include <runtime/ErrorHandlingScope.h>
+#include <runtime/ErrorInstance.h>
 #include <runtime/Exception.h>
 #include <runtime/ExceptionHelpers.h>
 …
     String errorMessage;
+    if (ExceptionBase* exceptionBase = toExceptionBase(exception->value()))
+    JSValue exceptionValue = exception->value();
+    if (ExceptionBase* exceptionBase = toExceptionBase(exceptionValue))
         errorMessage = exceptionBase->message() + ": "  + exceptionBase->description();
     else {
         // FIXME: <http://webkit.org/b/115087> Web Inspector: WebCore::reportException should not evaluate JavaScript handling exceptions
         // If this is a custom exception object, call toString on it to try and get a nice string representation for the exception.
+        errorMessage = exception->value().toString(exec)->value(exec);
+        if (ErrorInstance* error = jsDynamicCast<ErrorInstance*>(exceptionValue))
+            errorMessage = error->sanitizedToString(exec);
+        else
+            errorMessage = exceptionValue.toString(exec)->value(exec);
         // We need to clear any new exception that may be thrown in the toString() call above.

Note: See TracChangeset for help on using the changeset viewer.