I've also implemented some fuzzing for ValueDeserializer and so far have only found a couple of minor issues (e.g. for some randomized inputs it seems it is possible for `ValueDeserializer::ReadValue()` to return an empty `MaybeLocal` without throwing, and sometimes when it does throw, `tryCatch.Exception()` is empty, which we treat as equivalent to `!tryCatch.CanContinue()`). Beyond that, so far, our fuzzing hasn't found anything else with `ValueDeserializer`.
I'm far less concerned about `ValueSerializer`, to be honest.

On Thursday, June 29, 2023 at 10:17:43 AM UTC-7 Marja Hölttä wrote:
> I'd say it's "best effort secure".
>
> In some use cases (levelDB), ValueSerializer reads data stored on disk, and those bytes could be corrupted. Our intention is that no matter what the data is, ValueSerializer should not crash (it should fail gracefully). If this is not the case, please file bugs. (However, this invariant has turned out to be invalid several times. We've fixed all bugs we're aware of, but there might be some more lurking here.)
>
> We also have fuzzers which exercise it via the d8 serializer API, roughly like this:
> data = d8.serializer.serialize(some_object);
> data[some_index] = something else;
> d8.serializer.deserialize(data);
>
> However, ValueSerializer is not fuzzed and tested as thoroughly as our general JavaScript execution parts of V8, so I wouldn't regard it equally secure. Use at your own risk.
>
> On Thu, Jun 29, 2023 at 4:39 PM 'James Snell' via v8-dev <v8-...@googlegroups.com> wrote:
>> Oh, and to be clear, our intent here is to implement the same API that Node.js currently exposes.
>>
>> ```
>> import { serialize, deserialize } from 'node:v8';
>>
>> const data = serialize({ a: 'foo' });
>> const value = deserialize(data);
>> ```
>>
>> ```
>> import { Serializer, Deserializer } from 'node:v8';
>>
>> const ser = new Serializer();
>> ser.writeHeader();
>> ser.writeValue({ a: 'foo' });
>>
>> const des = new Deserializer(ser.releaseBuffer());
>> des.readHeader();
>> console.log(des.readValue());
>> ```
>>
>> On Thursday, June 29, 2023 at 7:28:44 AM UTC-7 Kenton Varda wrote:
>>> Hi v8-dev,
>>>
>>> We (Cloudflare Workers team) are wondering how V8 feels about the security of the ValueDeserializer API. Do you believe it's safe to parse possibly-malicious input with this? My understanding is that Chrome does not provide any way to input attacker-controlled bytes to the API today, so I wasn't sure if it's designed for that.
>>>
>>> I ask because we'd like to expose V8 serialization in Cloudflare Workers for compatibility with Node.js, which already exposes this. But our threat model is very different from Node, such that we care a lot more about the security of the V8 sandbox.
>>>
>>> Relatedly, is ValueDeserializer covered by fuzzing today?
>>>
>>> Thanks,
>>> -Kenton
-- 
-- 
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to v8-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/c5470ddf-0098-46ff-9ae5-a9767de6bc0en%40googlegroups.com.