On Scope And Prototype Security

David Bruant bruant.d at gmail.com
Sun Mar 17 08:02:18 PDT 2013


Hi Andrea,

I'm really having a hard time understanding where the security issue is 
here.
From what I understand, you've properly hidden the "Private" constructor.
I am not surprised if code can reach the [[Prototype]] of an instance 
and I wouldn't consider that a flaw. I would consider that the 
[[Prototype]] is part of the object and accessing the [[Prototype]] is 
like accessing a property or the [[Class]], it's just introspection.

David

On 17/03/2013 03:04, Andrea Giammarchi wrote:
> That conversation on `fn.caller` left me many doubts about extra 
> things too.
>
> As an example, I understand the fact that a function that does not want to 
> be accessed should not be accessed when any accepted object could be 
> tweaked to retrieve it via caller, that's OK, but what about private 
> "classes" and the fact there's no way to keep them private?
>
> Despite the sense, the good and the bad, this is perfectly valid JS code:
>
> var myNameSpace = function () {
>
>   var queue = [];
>
>   function Private() {
>     this.init();
>   }
>
>   function initBeforeDOM() {
>     queue.push(this);
>   }
>
>   function initAfterDOM() {
>     // do stuff
>   }
>
>   Private.prototype.init = initBeforeDOM;
>   window.addEventListener('DOMContentLoaded', function(){
>     Private.prototype.init = initAfterDOM;
>     queue.forEach(function (instance) {
>       initAfterDOM.call(instance);
>     });
>   });
>
>   // trying to make Private inaccessible
>   Object.defineProperty(
>     Private.prototype,
>     'constructor',
>     {value: Object,
>      enumerable:false,
>      writable:false,
>      configurable:false}
>   );
>
>   return {
>     generate: function () {
>       return new Private;
>     }
>   };
> }();
>
> var o = myNameSpace.generate();
> var proto = Object.getPrototypeOf(o);
> alert(proto.constructor);
> alert(proto.init);
>
> The above code is also based on a few concepts I always found cool about JS, 
> like the possibility to mutate all objects at once through the 
> prototype, usually considered a bad practice, but technically the 
> best/fastest/memory-safe way we have in JS to create state-machine 
> behaviors through distributed instances, so ... **way too cool**
>
> Well, I've got a problem: even if the constructor might be 
> unreachable, there is something I cannot secure at all, which is the 
> constructor's prototype.
>
> Not a single mechanism, in current JS, lets me make a prototype safe 
> from operations, potentially nasty and disastrous, such as 
> `Object.getPrototypeOf(generic)`.
>
> Thoughts? Thanks.

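The point both messages circle around, shown as an added example that is not part of the thread: reaching the shared prototype through `Object.getPrototypeOf` is plain introspection and cannot be prevented, but what a consumer can then do with it depends on whether the prototype is mutable. The snippet reworks the posted pattern for Node (no DOM; a `markReady()` call, my stand-in, replaces the `DOMContentLoaded` handler) and moves the phase switch into a closure variable so the prototype can be frozen.

```javascript
'use strict';
// Added example, not from the original thread. It models the pattern in the
// post without a DOM: the constructor is hidden in a closure but the shared
// prototype stays reachable via Object.getPrototypeOf. markReady() stands in
// for the DOMContentLoaded handler.
function makeNamespace({ frozen }) {
  const queue = [];
  let ready = false;

  function Private() {
    this.log = [];
    this.init();
  }

  // Phase selection lives in the closure variable `ready`, not in a prototype
  // slot swapped at runtime, so the prototype can be frozen.
  Private.prototype.init = function () {
    if (ready) this.log.push('after');
    else queue.push(this);
  };

  // Same constructor-hiding step as in the post.
  Object.defineProperty(Private.prototype, 'constructor', {
    value: Object, enumerable: false, writable: false, configurable: false,
  });
  // Hardening: a frozen prototype can be read (introspection) but not edited.
  if (frozen) Object.freeze(Private.prototype);

  return {
    generate: () => new Private(),
    markReady: () => {
      ready = true;
      queue.splice(0).forEach((inst) => inst.init());
    },
  };
}

// Returns true if a consumer that reached the shared prototype through
// introspection could change the behaviour of every instance by editing it.
function consumerCanTamper(ns) {
  const o = ns.generate();
  const proto = Object.getPrototypeOf(o); // works in both variants
  try {
    proto.init = function () { this.log.push('tampered'); };
  } catch (e) {
    // TypeError: a frozen prototype rejects the write in strict mode
  }
  ns.markReady();
  return o.log.includes('tampered');
}
```

With `frozen: false` the consumer's write to `proto.init` lands and every queued instance runs the replacement; with `frozen: true` the prototype is still visible but the write is rejected, which is the part of the posted pattern that is actually fixable.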