On Wed, Apr 29, 2015 at 11:12 AM, C. Scott Ananian <[email protected]>
wrote:

> On Wed, Apr 29, 2015 at 2:07 PM, Mark S. Miller <[email protected]>
> wrote:
>
>> Hi Scott, I think your approach is on the right track. How about the
>> following?
>>
>> Anyone see a way to attack it?
>>
>>
>>
>> const goodPromises = new WeakSet();
>> class DefensivePromise extends Promise {
>>   constructor(x) {
>>     super(x);
>>     if (new.target === DefensivePromise) {
>>       Object.freeze(this);
>>       goodPromises.add(this);
>>     }
>>   }
>>   static resolve(x) {
>>     if (goodPromises.has(x)) {
>>       return x;  // should be equiv to super.resolve(x);
>>     }
>>     return new DefensivePromise(r => {r(x)});
>>   }
>> }
>>
>
> Assuming that you don't export DefensivePromise to the attacker, this is
> fine.  Otherwise, I think this is still vulnerable to Reflect.construct
> lying about new.target:
> ```
> class BadPromise extends DefensivePromise {
>   then(r) { r(); r(); }
> }
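> // Reflect.construct(target, argumentsList, newTarget); the executor is a placeholder.
> var bp = Reflect.construct(BadPromise, [() => {}], DefensivePromise);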
> ```
>

Clever. Yes, this attack works.



> Since it's `Promise.then` you care about, I think the approach in my
> previous message (where `then` is tested directly) is preferable.
>  --scott
>

As demonstrated, vulnerable to TOCTTOU.



-- 
    Cheers,
    --MarkM
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
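
A harness for checking, on a given engine, what each construction path discussed in this thread yields. This is an added example, not code from the thread; `inspect`, `exec` and `constructionPaths` are hypothetical names, and the class is the quoted proposal with `extends Promise` supplied.

```javascript
// Added example, not code from the thread. The class follows the proposal
// quoted above, with `extends Promise` so that super(x) is valid.
const goodPromises = new WeakSet();
class DefensivePromise extends Promise {
  constructor(x) {
    super(x);
    if (new.target === DefensivePromise) {
      Object.freeze(this);
      goodPromises.add(this);
    }
  }
  static resolve(x) {
    if (goodPromises.has(x)) return x;
    return new DefensivePromise(r => { r(x); });
  }
}

// Subclass from the thread: its `then` invokes the callback twice.
class BadPromise extends DefensivePromise {
  then(r) { r(); r(); }
}

// Hypothetical helper: what a defender can observe about p.
function inspect(p) {
  return {
    branded: goodPromises.has(p),
    frozen: Object.isFrozen(p),
    proto: Object.getPrototypeOf(p).constructor.name,
    builtinThen: p.then === Promise.prototype.then,
  };
}

const exec = resolve => resolve(1); // constructed sample executor

function constructionPaths() {
  return {
    direct: inspect(new DefensivePromise(exec)),
    subclass: inspect(new BadPromise(exec)),
    // Reflect.construct(target, argumentsList, newTarget): new.target is
    // DefensivePromise and the instance prototype comes from newTarget.
    reflect: inspect(Reflect.construct(BadPromise, [exec], DefensivePromise)),
    wrapped: inspect(DefensivePromise.resolve(new BadPromise(exec))),
  };
}

console.log(constructionPaths());
```

Run it under Node to compare the `branded`, `frozen`, `proto` and `builtinThen` fields across the four paths.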