d at domenic.me (2015-05-11T16:44:41.927Z)
On Wed, Apr 29, 2015 at 2:07 PM, Mark S. Miller <erights at google.com> wrote:
> Hi Scott, I think your approach is on the right track. How about the
> following?
>
> Anyone see a way to attack it?
>
> ```js
> const goodPromises = new WeakSet();
> class DefensivePromise extends Promise {
>   constructor(x) {
>     super(x);
>     if (new.target === DefensivePromise) {
>       Object.freeze(this);
>       goodPromises.add(this);
>     }
>   }
>   static resolve(x) {
>     if (goodPromises.has(x)) {
>       return x;  // should be equiv to super.resolve(x);
>     }
>     return new DefensivePromise(r => {r(x)});
>   }
> }
> ```

Assuming that you don't export DefensivePromise to the attacker, this is
fine. Otherwise, I think this is still vulnerable to Reflect.construct
lying about new.target:

```js
class BadPromise extends DefensivePromise {
  then(r) { r(); r(); }
}
var bp = Reflect.construct(BadPromise, DefensivePromise);
```

Since it's `Promise.then` you care about, I think the approach in my
previous message (where `then` is tested directly) is preferable.

--scott
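An added illustration, not code from the thread: it shows that the third argument of `Reflect.construct` sets both `new.target` and the instance's prototype independently of which constructor body runs, and sketches a check that tests `then` directly. The names `Tracked`, `Overriding`, `thenIsBuiltin` and `demo` are constructed for this example, and the check is an assumption about what such a test could look like, not the one from the earlier message.

```javascript
// Added illustration; every name here is constructed for the example.
const builtinThen = Promise.prototype.then; // capture before untrusted code runs

const newTargetsSeen = [];
class Tracked extends Promise {
  constructor(executor) {
    super(executor);
    newTargetsSeen.push(new.target.name); // whatever the caller supplied
  }
}
class Overriding extends Tracked {
  then(r) { r(); r(); } // the double-call override from the message
}

// True only if the first `then` found on p's prototype chain is a plain data
// property holding the captured built-in. Point-in-time only: an unfrozen
// object can change afterwards, and a Proxy can answer these queries itself.
function thenIsBuiltin(p) {
  if (Object(p) !== p) return false;
  for (let o = p; o !== null; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, 'then');
    if (d) return 'value' in d && d.value === builtinThen;
  }
  return false;
}

function demo() {
  newTargetsSeen.length = 0;
  const exec = (resolve) => resolve(1);
  const viaNew = new Overriding(exec); // new.target is Overriding
  // Tracked's constructor body runs, but new.target and the prototype come from Promise.
  const asPromise = Reflect.construct(Tracked, [exec], Promise);
  // Promise's constructor runs, but the instance gets Overriding.prototype.
  const asOverriding = Reflect.construct(Promise, [exec], Overriding);
  const ownThen = Promise.resolve(1);
  ownThen.then = () => {}; // own property shadows the built-in
  return {
    newTargetsSeen: newTargetsSeen.slice(),
    viaNew: thenIsBuiltin(viaNew),
    asPromise: thenIsBuiltin(asPromise),
    asOverriding: thenIsBuiltin(asOverriding),
    ownThen: thenIsBuiltin(ownThen),
    plain: thenIsBuiltin(Promise.resolve(1)),
  };
}
console.log(demo());
```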