Subclassing ES6 objects with ES5 syntax.

Mark S. Miller erights at google.com
Wed Apr 29 18:30:50 UTC 2015


On Wed, Apr 29, 2015 at 11:12 AM, C. Scott Ananian <ecmascript at cscott.net>
wrote:

> On Wed, Apr 29, 2015 at 2:07 PM, Mark S. Miller <erights at google.com>
> wrote:
>
>> Hi Scott, I think your approach is on the right track. How about the
>> following?
>>
>> Anyone see a way to attack it?
>>
>>
>>
>> const goodPromises = new WeakSet();
>> class DefensivePromise {
>>   constructor(x) {
>>     super(x);
>>     if (new.target === DefensivePromise) {
>>       Object.freeze(this);
>>       goodPromises.add(this);
>>     }
>>   }
>>   static resolve(x) {
>>     if (goodPromises.has(x)) {
>>       return x;  // should be equiv to super.resolve(x);
>>     }
>>     return new DefensivePromise(r => {r(x)});
>>   }
>> }
>>
>
> Assuming that you don't export DefensivePromise to the attacker, this is
> fine.  Otherwise, I think this is still vulnerable to Reflect.construct
> lying about new.target:
> ```
> class BadPromise extends DefensivePromise {
>   then(r) { r(); r(); }
> }
> var bp = Reflect.construct(BadPromise, DefensivePromise);
> ```
>

Clever. Yes, this attack works.



> Since it's `Promise.then` you care about, I think the approach in my
> previous message (where `then` is tested directly) is preferable.
>  --scott
>

As demonstrated, vulnerable to TOCTTOU.



-- 
    Cheers,
    --MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20150429/c35bbc27/attachment.html>


More information about the es-discuss mailing list