Discuss
  • Property / Literal stealing using Object.defineProperty

Property / Literal stealing using Object.defineProperty

# Bradley Meck (15 years ago)

Has any note been taken to the possibility of hijacking secure data with Object.defineProperty on literals? For example tested in chrome:

Object.defineProperty( Object.prototype, "testSetLiteral", { set:function(value){ console.log(value); } } );

undefined

_={"testSetLiteral":123}

123 {"testSetLiteral":123}

This would lead to interesting issues in using object literals. I would presume, you would need to check if a descriptor is set for every private data property name, or you would need to use "safe" prototypes for things that revolve around private data (branching on object properties or storing private information in a closure for example).

# Allen Wirfs-Brock (15 years ago)

Chrome is non-compliant with the ES5 spec. in this regard.

The specification of object literals in section 11.1.5 uses [[DefineOwnProperty]] to install object literal properties. It is not supposed to trigger any inherited get/set functions.

Try it in FF4 or Safari 5.0.3 or a IE9 preview to see the correct behavior.

# Mark S. Miller (15 years ago)

Now recorded at code.google.com/p/v8/issues/detail?id=1015 Thanks for reporting!

# Mike Shaver (15 years ago)

On Thu, Dec 30, 2010 at 9:15 AM, Allen Wirfs-Brock <allen at wirfs-brock.com> wrote:

Chrome is non-compliant with the ES5 spec. in this regard.

The specification of object literals in section 11.1.5 uses [[DefineOwnProperty]] to install object literal properties.  It is not supposed to trigger any inherited get/set functions.

Try it in FF4 or Safari 5.0.3 or a IE9 preview to see the correct behavior.

Yeah, we actually had to fix this in FF3.5 (2 years ago!) to deal with JSON data leaks based on our getter/setter extensions:

developer.mozilla.org/web-tech/2009/04/29/object-and-array-initializers-should-not-invoke-setters-when-evaluated

Mike