On Wed, Apr 29, 2015 at 2:07 PM, Mark S. Miller <[email protected]> wrote:
> Hi Scott, I think your approach is on the right track. How about the
> following?
>
> Anyone see a way to attack it?
>
>
>
> const goodPromises = new WeakSet();
> class DefensivePromise {
> constructor(x) {
> super(x);
> if (new.target === DefensivePromise) {
> Object.freeze(this);
> goodPromises.add(this);
> }
> }
> static resolve(x) {
> if (goodPromises.has(x)) {
> return x; // should be equiv to super.resolve(x);
> }
> return new DefensivePromise(r => {r(x)});
> }
> }
>
Assuming that you don't export DefensivePromise to the attacker, this is
fine. Otherwise, I think this is still vulnerable to Reflect.construct
lying about new.target:
```
class BadPromise extends DefensivePromise {
then(r) { r(); r(); }
}
var bp = Reflect.construct(BadPromise, DefensivePromise);
```
Since it's `Promise.then` you care about, I think the approach in my
previous message (where `then` is tested directly) is preferable.
--scott
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
