fix(lockdown): Disable domain taming

Agoric · Jan 5, 2022 · cefdbec · cefdbec
1 parent 78a2575
commit cefdbec
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/packages/lockdown/commit-debug.js b/packages/lockdown/commit-debug.js
@@ -64,4 +64,16 @@ lockdown({
   // this may be a development accident that should be fixed before merging.
   //
   // consoleTaming: 'unsafe',
+
+  // Domain taming causes lockdown to throw an error if the Node.js domain
+  // module has already been loaded, and causes loading the domain module
+  // to throw an error if it is pulled into the working set later.
+  // This is because domains may add domain properties to promises and other
+  // callbacks and that these domain objects provide a means to escape
+  // containment.
+  // However, our platform still depends on systems like standardthings/esm
+  // which ultimately pull in domains.
+  // For now, we are resigned to leave this hole open, knowing that all
+  // contract code will be run under XS to avoid this vulnerability.
+  domainTaming: 'unsafe',
 });
diff --git a/packages/lockdown/pre.js b/packages/lockdown/pre.js
@@ -76,9 +76,17 @@ export const lockdown = defaultOptions => {
       console.error('', err, options);
       throw err;
     }
-    rawLockdown(options);
+    rawLockdown({
+      ...options,
+      // See comment on domainTaming below.
+      domainTaming: 'unsafe',
+    });
   } else if (defaultOptions) {
-    rawLockdown(defaultOptions);
+    rawLockdown({
+      ...defaultOptions,
+      // See comment on domainTaming below.
+      domainTaming: 'unsafe',
+    });
   } else {
     rawLockdown({
       // The default `{errorTaming: 'safe'}` setting, if possible, redacts the
@@ -138,6 +146,18 @@ export const lockdown = defaultOptions => {
       // this may be a development accident that MUST be fixed before merging.
       //
       // consoleTaming: 'unsafe',
+
+      // Domain taming causes lockdown to throw an error if the Node.js domain
+      // module has already been loaded, and causes loading the domain module
+      // to throw an error if it is pulled into the working set later.
+      // This is because domains may add domain properties to promises and other
+      // callbacks and that these domain objects provide a means to escape
+      // containment.
+      // However, our platform still depends on systems like standardthings/esm
+      // which ultimately pull in domains.
+      // For now, we are resigned to leave this hole open, knowing that all
+      // contract code will be run under XS to avoid this vulnerability.
+      domainTaming: 'unsafe',
     });
   }