+sa...@chromium.org <sa...@chromium.org>, do we have good fuzzing for ValueDeserializer? If not, should we expand it?
On Thu, Jun 29, 2023 at 9:05 PM Ben Noordhuis <i...@bnoordhuis.nl> wrote:

> On Thu, Jun 29, 2023 at 4:28 PM 'Kenton Varda' via v8-dev <v8-dev@googlegroups.com> wrote:
> >
> > Hi v8-dev,
> >
> > We (Cloudflare Workers team) are wondering how V8 feels about the security of the ValueDeserializer API. Do you believe it's safe to parse possibly-malicious input with this? My understanding is that Chrome does not provide any way to input attacker-controlled bytes to the API today, so wasn't sure if it's designed for that.
> >
> > I ask because we'd like to expose V8 serialization in Cloudflare Workers for compatibility with Node.js, which already exposes this. But our threat model is very different from Node, such that we care a lot more about the security of the V8 sandbox.
> >
> > Relatedly, is ValueDeserializer covered by fuzzing today?
> >
> > Thanks,
> > -Kenton
>
> Single data point but I got paid $15k last year for https://bugs.chromium.org/p/chromium/issues/detail?id=1339648 so on the one hand, it's great it's covered by the VRP program, on the other hand I wasn't even actively looking and still stumbled upon a fairly critical bug. Probably a risky bet in a multi-tenant system like Workers.
>
> (I realize "VRP program" is like saying "ATM machine" but I still do it.)
>
> --
> --
> v8-dev mailing list
> v8-dev@googlegroups.com
> http://groups.google.com/group/v8-dev
> ---
> You received this message because you are subscribed to the Google Groups "v8-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to v8-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/CAHQurc89pAEYYq_zNjiMjEVmdoXmV4Ao39ZfrqhcpCY09mX3SQ%40mail.gmail.com.