refactor(ses)!: Divide safe evaluator scope stack into four layers

[kumavis]

multilayered scope stack, or "the four backflips of the apotheosis" 🏇 🤸 🧙

description

instead of with(complicatedScopeProxy){ ... }, we now have the following scope stack (outermost to innermost, lowest takes precedence):

• scopeTerminator {security, fidelity} (always return undefined, if sloppyGlobalsMode is true, sets happen on globalObject)
• globalObject {fidelity} (bare)
• globalLexicals {fidelity} (bare)
• evalScope {security} (obj with FERAL_EVAL exposed as eval only once)

behavioural changes

this refactor introduces some changed behavior:

• globalLexicals object can be leaked if a special lexical is crafted (should not be craftable by evaluated code)
• setting a correctly formatted Symbol.unscopables property on the evaluator globalObject will cause the globals configured by Symbol.unscopables to not be in scope. this is a shim fidelity issue and not a security issue as the scopeTerminator is not affected.
• fixes a bug where sloppyGlobal assignment is allowed in non-sloppyGlobalsMode when a property does not exist on the compartment but does exist on the realm globalThis

other notes

• attempts to adapt test-scope-handler test to use makeSafeEvaluator and test the whole scope stack, but its not a great match and a lot had to be changed
• adds a failing test test-scope-handler-pollution because the test's prototype pollution broke the makeSafeEvaluator internals
• changed a couple tests to match behavioral changes

things to revisit after this PR

• leak of presence of properties on globalThis with strict-scope-terminator Revisit behavior of has proxy trap in safe evaluator’s terminal scope #1305
• consider adding another lexical layer to differentiate between moduleScope and globalLexicals to limit impact of a leak Module shims lexicals leak internal live bindings object #912

[mhofman]

Some preliminary observations.

I'm having a hard time reviewing the tests because of the combined rename + modifications past the diff threshold. Would appreciate a minimal rename and separate modification to the tests

[kumavis]

my biggest regret is that the diff is a bit difficult to review, but I think the result is easy to review and audit

@mhofman the test-scope.js file (previously test-scope-handler.js) was changed pretty dramatically bc it tested behavior about the full scope stack but in very low level ways. I did my best to rework the tests against the safeEvaluator level but observing scope behavior at this level meant different checks and results. The new test file is somewhat haphazard and very different from the original so reviewing a diff from the previous test is perhaps not particularly useful. However I still thought having a test tracking the behavior was useful. Additionally all observed changes to behavior are enumerated in the top comment of this pr.

[kumavis]

split the scopeTerminator into a reuseable strict and per-evaluator sloppyGlobals version

[naugtur]

What's preventing us from adding a noop setter on globalThis[Symbol.unscopables] ?
Would that be too much intervention?

[kumavis]

hmm we could do that

[kriskowal]

I think it’s worth the loss in fidelity to prevent leaking the terminal scope proxy. What do you think, @erights?

[kumavis]

there is no known way to leak the scope terminator proxy. @naugtur's suggestion just prevents the "compartment global var not in scope" fidelity issue. from the pr top comment:

setting a correctly formatted Symbol.unscopables property on the evaluator globalObject will cause the therein configured globals to not be in scope. this is a shim fidelity issue and not a security issue as the scopeTerminator is not affected.

[erights]

What loss of fidelity are we talking about? The

noop setter on globalThis[Symbol.unscopables] ?

?
And in exchange we would no longer leak a scope proxy? Yes, worth it!

[kumavis]

What loss of fidelity are we talking about?

setting a correctly formatted Symbol.unscopables property on the evaluator globalObject will cause the globals configured by Symbol.unscopables to not be in scope. this is a shim fidelity issue and not a security issue as the scopeTerminator is not affected.

example:

globalThis.xyz = 123
xyz // => 123
globalThis[Symbol.unscopables] = { xyz: true }
xyz //=> undefined

And in exchange we would no longer leak a scope proxy? Yes, worth it!

there is no known way to leak a scope proxy in this PR's implementation

[erights]

I reread the conversation and understand that my previous response did not make sense.

I think the fidelity issue here cuts both ways, with no choice being strictly better fidelity than the other. The fidelity issue is also minor, as it is unlikely to be encountered by accident, and it is unlikely to be exploitable by an attacker. When faced with such a choice, the next question is: Which lack of fidelity fails safe?

I think giving the global object a Symbol.unscopables non-configurable accessor without a setter, or whose setter always throws, means that any program that does not cause an error to be thrown will work the same under the shim and under a native implementation.

Unresolving.

[mhofman]

If we decide to install a Symbol.unscopables on the globalThis, it should be a configurable (to allow a program to change it through defineProperty if really needed) inert accessor (to avoid assignment errors). I don't believe it should be a non-writable undefined value, or a throwing setter, as programs with such assignments would end up throwing in strict mode.

[mhofman]

I have erred in my judgement, and have now come around to @erights's suggestion that we install a property with { configurable: false, enumerable: false, set() { assert.fail('Some meaningful message'); } }

[kriskowal]

Appended commit fc8f84b

[kumavis]

I'm having a hard time reviewing the tests because of the combined rename + modifications past the diff threshold. Would appreciate a minimal rename and separate modification to the tests

@mhofman makes sense - though im not sure how to accomplish this. can someone provide some suggestions on how to improve the legibility of the diff? my gitfoo is not amazing. and i dont think its possible to make a minimal modification to the test-scope.js tests

[kriskowal]

@kumavis One way to satisfy @mhofman’s concern would be to either create or refer to tests that cover all the security behaviors of the collective scopes that pass both before and after this refactor, since the unit tests cut too closely to the particulars of the implementations before and after. If that requires new tests, we could land them in another PR before so we’re sure they passed before this change, and also highlight any deliberate behavior changes in this PR.

[mhofman]

Intermediate review

[kriskowal]

@mhofman @erights I’d like to land this without the fifth with block, without fixing the global lexicals leak (#912), and then proceed to work on that fix myself after this has landed.

[erights]

@mhofman @erights I’d like to land this without the fifth with block, without fixing the global lexicals leak (#912), and then proceed to work on that fix myself after this has landed.

Fine with me.

[mhofman]

Since the leak is no worse than what we have today, find by me too.

[erights]

While I did not spot anything alarming, I did not give it a careful enough review to approve it on that basis alone. However, it's gotten good examination that I've followed and two approvals. I'm happy to see it merge on that basis, and the only way I can withdraw my "Request changes" is to approve.

So I approve. Good improvements! Onward!

[erights]

Suggested change

	* Given an array of indentifier, the optimizer returns a `const` declaration
	* Given an array of identifiers, the optimizer returns a `const` declaration

[erights]

Suggested change

	// Use 'this' to avoid going through the scope proxy, which is unecessary
	// Use 'this' to avoid going through the scope proxy, which is unnecessary

[erights]

Wondering if we should neuter the evaluator in this case? Maybe something like replacing allowNextEvalToBeUnsafe with a throwing function?

I like that. Unless there's something surprising, I'd say that's worth doing.

[kriskowal]

@erights I’ve appended a commit, 79e77b9, that makes the evalScope revocable. I chose to use a property of the evalScopeKit to communicate the revocation bit (and a wrapper object to guard against throw null) for reasons I explain in a new comment. I’m asking for a review of just this change.

[erights]

The "Revocable evalScope" commit LGTM

[erights]

Suggested change

	// In makeSafeEvaluator, we ensure that we consume at least as many stack
	// frames when granting access to FERAL_EVAL than we consume when we are
	// In makeSafeEvaluator, we ensure that we consume at least as many stack
	// frames when granting access to FERAL_EVAL as we consume when we are

[erights]

Suggested change

	// In this case, there is a plausible but very narrow window of opportunity
	// between defining `oneTimeEvalProperties` on the `evalScope` and when the
	// confined program reaches for the eval property on the `evalScope` through
	// a lexical reference where a program could induce a RangeError that would
	// In this case, there is a plausible but very narrow window of
	// opportunity---between defining `oneTimeEvalProperties` on the `evalScope` and when the
	// confined program reaches for the eval property on the `evalScope` through
	// a lexical reference---where a program could induce a RangeError that would

[erights]

Suggested change

	// prevent the program from reaching `delete evalScope.eval` either here or
	// prevent the program from reaching `delete evalScope.eval`, either here or

Even with the extra punctuation, this is an amazing run-on sentence. Better to rephrase using more smaller sentences ;)

[erights]

Suggested change

	// in the fallback position in `makeSafeEvaluator` where we attempt to delete
	// in the fallback position in `makeSafeEvaluator`, where we attempt to delete

How long is that sentence? ;)

[erights]

Worth noting the non-guaranteed implementation properties we assume in this reasoning that may well be wrong on particular platforms:

• That if stack A has more frames than stack B, where none of these frames are unusual, then stack B will not exceed the stack if stack A did not. May be false depending on the sizes of each frame.
• That function calls in the semantics of the language is an adequate predictor of stack frames. May be false when some of these function calls are inlined or otherwise optimized away --- as we know happens with JITs.
• Have we reexamined our frame-count reasoning in light of the possibility of implementation tail-calling? The ECMAScript std mandates it and JSC actually implements it.

The reason we're ok with this fragile reasoning is that it is only about a backstop that we'd need if all the other relevant mechanisms failed. Nothing will protect against any possible bug we overlooked. Rather, we're only trying for defense in depth, so that multiple improbably things would need to go wrong to create an exploitable vulnerability.

[erights]

Very nice communicating the error through the revocation channel!