d at domenic.me (2015-05-11T16:45:26.574Z)
On Wed, Apr 29, 2015 at 11:12 AM, C. Scott Ananian <ecmascript at cscott.net> wrote:

> Assuming that you don't export DefensivePromise to the attacker, this is
> fine. Otherwise, I think this is still vulnerable to Reflect.construct
> lying about new.target:

Clever. Yes, this attack works.

> Since it's `Promise.then` you care about, I think the approach in my
> previous message (where `then` is tested directly) is preferable.

As demonstrated, vulnerable to TOCTTOU.

On Wed, Apr 29, 2015 at 11:12 AM, C. Scott Ananian <ecmascript at cscott.net> wrote:

> On Wed, Apr 29, 2015 at 2:07 PM, Mark S. Miller <erights at google.com>
> wrote:
>
>> Hi Scott, I think your approach is on the right track. How about the
>> following?
>>
>> Anyone see a way to attack it?
>>
>> const goodPromises = new WeakSet();
>> class DefensivePromise extends Promise {
>>   constructor(x) {
>>     super(x);
>>     if (new.target === DefensivePromise) {
>>       Object.freeze(this);
>>       goodPromises.add(this);
>>     }
>>   }
>>   static resolve(x) {
>>     if (goodPromises.has(x)) {
>>       return x;  // should be equiv to super.resolve(x);
>>     }
>>     return new DefensivePromise(r => {r(x)});
>>   }
>> }
>
> Assuming that you don't export DefensivePromise to the attacker, this is
> fine. Otherwise, I think this is still vulnerable to Reflect.construct
> lying about new.target:
> ```
> class BadPromise extends DefensivePromise {
>   then(r) { r(); r(); }
> }
> var bp = Reflect.construct(BadPromise, DefensivePromise);
> ```

Clever. Yes, this attack works.

> Since it's `Promise.then` you care about, I think the approach in my
> previous message (where `then` is tested directly) is preferable.
> --scott

As demonstrated, vulnerable to TOCTTOU.

--
Cheers,
--MarkM