Hi Lukasz, To understand your question correctly: You want an API which returns true if the JavaScript input is valid, right?
I think this surgery should be possible but I am deferring to the parser owners. @Leszek Swirski <lesz...@google.com> @Toon Verwaest <verwa...@google.com> WDYT? Maybe that's even a nice testing mode for JS language features. The parser is quite complicated which is a problem from a security perspective. That's a Rule-of-2 violation. -Hannes On Wed, Aug 11, 2021 at 9:21 PM 'Łukasz Anforowicz' via v8-dev < v8-dev@googlegroups.com> wrote: > Hello v8-dev@, > > Could you please help me with my questions below (related to parsing > Javascript)? Please let me know if I should try another email alias > instead (I wasn't quite sure where to start asking questions). > > Context: > > - ORB proposes <https://github.com/annevk/orb> to parse a HTTP > response body to verify if it can be parsed as Javascript (blocking no-cors > HTTP responses if the response body doesn't represent Javascript, because > earlier ORB steps have already verified that the response doesn't represent > other valid no-cors scenarios like audio/image/video/stylesheet/etc). > - AFAICT, public v8 APIs provide a way to compile a script > (e.g. v8::ScriptCompiler::CompileUnboundScript which takes a string as > input, and a v8::ScriptCompiler::StartStreaming which takes a stream as > input). OTOH, v8/src/parsing/parser.cc doesn't seem to be exposed via the > public API. > > Questions: > > - *Would it be possible and/or reasonable to provide a public v8 API > for checking if a stream can be parsed as Javascript?* > - Assumption: No cache integration is needed (the parsing will > happen outside of a renderer process; no compilation will be done). > - Requirement: For JSON, the parser should indicate that this is > not a valid Javascript (e.g. for JSON objects + for JSON lists that > terminate without invoking any list methods) > - I am happy to tackle this work, but I may need some guidance and > hand-holding regarding some of the details. > - *Is it fair to describe Javascript parsing as risky from a security > perspective?* (e.g. something to avoid in a NetworkService process > and consider doing in a Utility process instead) > - On one hand, the input is a text stream (no binary offsets) and > the output is just a boolean (definitely-not-a-Javascript VS > the-prefix-still-parses-as-Javascript). And I imagine that the essence > of > the parser just mechanically transcribes the BNF rules for Javascript. > OTOH, parsers can get fairly complex, and so it seems that the act of > parsing might be seen as violating the Rule-of-2 > > <https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/rule-of-2.md> > . > > -- > Thanks, > > Lukasz > > -- > -- > v8-dev mailing list > v8-dev@googlegroups.com > http://groups.google.com/group/v8-dev > --- > You received this message because you are subscribed to the Google Groups > "v8-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to v8-dev+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/v8-dev/d4dd45ff-3b73-4d4b-883d-d2e8ba4123e7n%40googlegroups.com > <https://groups.google.com/d/msgid/v8-dev/d4dd45ff-3b73-4d4b-883d-d2e8ba4123e7n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- Hannes Payer | V8 | Google Germany GmbH | Erika-Mann Str. 33, 80636 München Registergericht und -nummer: Hamburg, HRB 86891 | Sitz der Gesellschaft: Hamburg | Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle -- -- v8-dev mailing list v8-dev@googlegroups.com http://groups.google.com/group/v8-dev --- You received this message because you are subscribed to the Google Groups "v8-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to v8-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/CAKEgpyHrQ8tzyh%3D3RF58ww9bXbSZ%2BFO9ukGodgJcdb_tHom%3DXA%40mail.gmail.com.
