On Mon, Sep 17, 2018 at 8:32 AM Darien Valentine <[email protected]> wrote:
> Thanks for the context, James. Yes, this thread mainly concerns the issue of being able to obtain references to values within the handler/target from external code, though I did try to make a case for not having the showProxy option in the original issue thread.
>
> I would also not have thought to call it an “attack” vector. Mark would be able to say better for sure though. It does make an invariant of the language violable though. It’s similar to exposing a function which, given only a function object, may return references to arbitrary values from that function’s scope.

> It’s similar to exposing a function which, given only a function object, may return references to arbitrary values from that function’s scope.

This is an apt comparison. A debugger has access to such info. Likewise, in a secure OS, when one process is able to debug another, the first process can read any data from the address space of the second. There have even been language implementations that were otherwise supposed to be memory safe that had "peek" and "poke" operations for reading and writing arbitrary memory locations from programs in the language. Of course, memory allocators and garbage collectors typically need such access.

Whether these are "attacks" or "vulnerabilities" depends on how such permission for debug-level access or peek/poke access is controlled and provided.

From a bit of web searching, I found the following worrisome:

https://github.com/nodejs/node/pull/20857
https://github.com/nodejs/node/commit/dadd6e16888baac8fd110432b81f3fd1237be3e1

seemingly in response to

https://github.com/nodejs/node/issues/20821
https://github.com/nodejs/node/issues/22671

Making is a public symbol in this manner means it is almost impossible to deny. It is still true that "util" is deniable, so this isn't necessarily fatal. I am not yet oriented enough to understand what the consequences are of suppressing util; but I am worried.

--
Cheers,
--MarkM

