Subclassing ES6 objects with ES5 syntax.
Mark S. Miller
erights at google.com
Wed Apr 29 18:30:50 UTC 2015
On Wed, Apr 29, 2015 at 11:12 AM, C. Scott Ananian <ecmascript at cscott.net>
wrote:
> On Wed, Apr 29, 2015 at 2:07 PM, Mark S. Miller <erights at google.com>
> wrote:
>
>> Hi Scott, I think your approach is on the right track. How about the
>> following?
>>
>> Anyone see a way to attack it?
>>
>>
>> ```
>> const goodPromises = new WeakSet();
>> class DefensivePromise extends Promise {
>>   constructor(x) {
>>     super(x);
>>     // Only direct instances are frozen and registered as trusted.
>>     if (new.target === DefensivePromise) {
>>       Object.freeze(this);
>>       goodPromises.add(this);
>>     }
>>   }
>>   static resolve(x) {
>>     if (goodPromises.has(x)) {
>>       return x;  // should be equiv to super.resolve(x);
>>     }
>>     return new DefensivePromise(r => {r(x)});
>>   }
>> }
>> ```
>>
>
> Assuming that you don't export DefensivePromise to the attacker, this is
> fine. Otherwise, I think this is still vulnerable to Reflect.construct
> lying about new.target:
> ```
> class BadPromise extends DefensivePromise {
>   then(r) { r(); r(); }
> }
> var bp = Reflect.construct(BadPromise, DefensivePromise);
> ```
>
Clever. Yes, this attack works.
> Since it's `Promise.then` you care about, I think the approach in my
> previous message (where `then` is tested directly) is preferable.
> --scott
>
As demonstrated, vulnerable to TOCTTOU.
--
Cheers,
--MarkM
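
An added check, not code from the thread: it builds objects with `new`, with subclass `new`, and with three-argument `Reflect.construct`, then reports what the `new.target` guard registered and which prototype each object received. `extends Promise`, `ProbePromise`, `examine`, `runProbes` and the sample executor are assumptions of this example.

```javascript
// DefensivePromise as quoted above; `extends Promise` is assumed here because
// the constructor calls super().
const goodPromises = new WeakSet();
class DefensivePromise extends Promise {
  constructor(x) {
    super(x);
    if (new.target === DefensivePromise) {
      Object.freeze(this);
      goodPromises.add(this);
    }
  }
  static resolve(x) {
    if (goodPromises.has(x)) return x;
    return new DefensivePromise(r => { r(x); });
  }
}

// Hypothetical probe subclass: overrides nothing, only counts constructor runs.
let probeCtorRuns = 0;
class ProbePromise extends DefensivePromise {
  constructor(x) { super(x); probeCtorRuns += 1; }
}

// Build an object with make() and report what the guard decided about it.
function examine(make) {
  const before = probeCtorRuns;
  const p = make();
  return {
    probeCtorRan: probeCtorRuns > before,
    registered: goodPromises.has(p),
    frozen: Object.isFrozen(p),
    protoIsDefensive: Object.getPrototypeOf(p) === DefensivePromise.prototype,
    protoIsProbe: Object.getPrototypeOf(p) === ProbePromise.prototype,
    thenIsBuiltin: p.then === Promise.prototype.then,
  };
}

const executor = resolve => resolve(1); // constructed sample input
function runProbes() {
  return {
    plainNew: examine(() => new DefensivePromise(executor)),
    subclassNew: examine(() => new ProbePromise(executor)),
    // The third argument is what every constructor in the chain sees as new.target.
    spoofedTarget: examine(() =>
      Reflect.construct(ProbePromise, [executor], DefensivePromise)),
  };
}

console.log(runProbes());
```

In the `spoofedTarget` row the subclass constructor has run, yet the object is registered and frozen and takes its prototype from the supplied `new.target`.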