On Thu, Jun 29, 2023 at 4:28 PM 'Kenton Varda' via v8-dev <[email protected]> wrote:
>
> Hi v8-dev,
>
> We (Cloudflare Workers team) are wondering how V8 feels about the security of
> the ValueDeserializer API. Do you believe it's safe to parse
> possibly-malicious input with this? My understanding is that Chrome does not
> provide any way to input attacker-controlled bytes to the API today, so
> wasn't sure if it's designed for that.
>
> I ask because we'd like to expose V8 serialization in Cloudflare Workers for
> compatibility with Node.js, which already exposes this. But our threat model
> is very different from Node, such that we care a lot more about the security
> of the V8 sandbox.
>
> Relatedly, is ValueDeserializer covered by fuzzing today?
>
> Thanks,
> -Kenton
Single data point but I got paid $15k last year for https://bugs.chromium.org/p/chromium/issues/detail?id=1339648 so on the one hand, it's great it's covered by the VRP program, on the other hand I wasn't even actively looking and still stumbled upon a fairly critical bug. Probably a risky bet in a multi-tenant system like Workers. (I realize "VRP program" is like saying "ATM machine" but I still do it.)
