Re: LibreJS can be bypassed with new Function()

Sat, 09 Sep 2023 19:12:29 -0700 

On Sun 2023-09-10 10:27:34 +1000, Yuchen Pei wrote:

> On Sat 2023-09-09 19:24:15 +0100, Ron Nazarov wrote:

>> LibreJS does not consider JavaScript using new Function() non-trivial,
>> so you can bypass it with something similar to this:

>> new Function("<insert non-trivial JavaScript here>")()

>> A demo of this is available at https://361100.xyz/librejs-bypass.html

> Thanks for the report and the demo, I will take a look.

This patch should fix it (also attached inline at the end of this email):

https://git.savannah.gnu.org/cgit/librejs.git/commit/?id=e942bb98325d0a4fdb79cdc75782f065c0289d70

I will sleep on it for a few days, and if nothing new I'll make a new
release.

Meanwhile you can build the patched extension locally and load it as a
temporary addon at about:debugging#/runtime/this-firefox, or set
xpinstall.signatures.required to false if you are using developer
edition/esr and want it to persist across sessions, see also
<https://ypei.org/posts/2023-08-14-emacsify-firefox-init.html>.

> [... 8 lines elided]


From e942bb98325d0a4fdb79cdc75782f065c0289d70 Mon Sep 17 00:00:00 2001
From: Yuchen Pei <[email protected]>
Date: Sun, 10 Sep 2023 12:02:37 +1000
Subject: [PATCH] Fixing bypassing Function("...").

It is similar to eval(). See,
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function

As a prior art, another extension did the blank ban of Function():
https://addons.mozilla.org/en-US/firefox/addon/noeval-disable-eval/

So let's ban it as well.

Bug reported at
https://lists.gnu.org/archive/html/bug-librejs/2023-09/msg00000.html
---
 common/fname_data.json | 2 +-
 manifest.json          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/fname_data.json b/common/fname_data.json
index 5606007..38652d6 100644
--- a/common/fname_data.json
+++ b/common/fname_data.json
@@ -714,7 +714,7 @@
 		"RadioNodeList": true,
 		"KeyframeEffectReadOnly": true,
 		"InstallTrigger": true,
-		"Function": false,
+		"Function": true,
 		"Object": false,
 		"eval": true,
 		"Window": false,
diff --git a/manifest.json b/manifest.json
index 2a7a5f1..73bc918 100644
--- a/manifest.json
+++ b/manifest.json
@@ -2,7 +2,7 @@
   "manifest_version": 2,
   "name": "GNU LibreJS",
   "short_name": "LibreJS",
-  "version": "7.21.0",
+  "version": "7.21.1",
   "author": "various",
   "description": "Only allows free and/or trivial Javascript to run.",
   "applications": {
-- 
2.42.0


Best,
Yuchen

--
Timezone: UTC+10
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
          <https://ypei.org/assets/ypei-pubkey.txt>

Attachment: signature.asc
Description: PGP signature

Reply via email to