Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revisit behavior of has proxy trap in safe evaluator’s terminal scope #1305

Open
kriskowal opened this issue Sep 29, 2022 · 5 comments
Open

Revisit behavior of has proxy trap in safe evaluator’s terminal scope #1305

kriskowal opened this issue Sep 29, 2022 · 5 comments
Assignees
@kriskowal @mhofman @erights
Labels
confinement Pertaining to confinement of guest programs. kriskowal-review-2024-01 Issues that kriskowal wants to bring to the attention of the team for review as of January, 2024 metamask

Comments

@kriskowal
Copy link
Member

The has trap in the safe evaluator’s terminal scope proxy (before and after #1293) leaks the presence or absence of properties on the realm’s intrinsic global object. The current behavior might be the optimal compromise, but we should revisit the possibility of making has always return true to fully blot out the parent scope. @kumavis’s preliminary investigation suggests that this would break too much existing usage. We should isolate the cases that this change would break and evaluate next steps.
@kriskowal kriskowal mentioned this issue Sep 29, 2022
Merged
2 tasks
@kumavis
Copy link
Member

kumavis commented Oct 5, 2022

we also noted that "scuttling the realm global" could change the behavior of code running inside a compartment due to this info leak

@erights erights added the confinement Pertaining to confinement of guest programs. label Oct 7, 2022
@erights
Copy link
Contributor

erights commented Oct 7, 2022

Added the security label because of the information leak.

@kriskowal
Copy link
Member Author

Since we last discussed this, Scuttling the realm global has become a normal practice for MetaMask. @kumavis Did that shift make patching the leak more viable?

@kriskowal kriskowal added the kriskowal-review-2024-01 Issues that kriskowal wants to bring to the attention of the team for review as of January, 2024 label Jan 8, 2024
@kumavis
Copy link
Member

kumavis commented Jan 19, 2024
edited
Loading

@weizman did we see any change in behavior / bugs introduced to lavamoat confined code under scuttling?

"making has always return true" does seem like the safest behavior

typeof xyz will not throw, will be "undefined" and Reflect.has(globalThis, 'xyz') will be false bc it is now a normal object. this seems like the best situation.

the following code will break: code relying on utterance of non-existing global variables to throw an error. seems rare. if you find some ill buy you a chocolate bar 🍫

my recommendation: lets make the change in SES! especially when we're lined up for a breaking change

@weizman
Copy link
Contributor

weizman commented Jan 19, 2024

No, none

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kriskowal kriskowal

@mhofman mhofman

@erights erights

Labels
confinement Pertaining to confinement of guest programs. kriskowal-review-2024-01 Issues that kriskowal wants to bring to the attention of the team for review as of January, 2024 metamask
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@kriskowal @mhofman @erights @kumavis @weizman