Another complication is that V8 currently doesn’t throw early (“parse”)
errors for regular expression literals (issue 896
<https://bugs.chromium.org/p/v8/issues/detail?id=896>). This would have to
be resolved before we can accurately validate whether a given input is
valid JS or not.

On Thu, Aug 12, 2021 at 9:31 AM 'Hannes Payer' via v8-dev <
v8-dev@googlegroups.com> wrote:

> Hi Lukasz,
>
> To understand your question correctly: You want an API which returns true
> if the JavaScript input is valid, right?
>
> I think this surgery should be possible but I am deferring to the parser
> owners. @Leszek Swirski <lesz...@google.com> @Toon Verwaest
> <verwa...@google.com> WDYT? Maybe that's even a nice testing mode for JS
> language features.
>
> The parser is quite complicated which is a problem from a security
> perspective. That's a Rule-of-2 violation.
>
> -Hannes
>
> On Wed, Aug 11, 2021 at 9:21 PM 'Łukasz Anforowicz' via v8-dev <
> v8-dev@googlegroups.com> wrote:
>
>> Hello v8-dev@,
>>
>> Could you please help me with my questions below (related to parsing
>> Javascript)?  Please let me know if I should try another email alias
>> instead (I wasn't quite sure where to start asking questions).
>>
>> Context:
>>
>>    - ORB proposes <https://github.com/annevk/orb> to parse an HTTP
>>    response body to verify if it can be parsed as Javascript (blocking
>>    no-cors HTTP responses if the response body doesn't represent Javascript,
>>    because earlier ORB steps have already verified that the response doesn't
>>    represent other valid no-cors scenarios like audio/image/video/stylesheet/etc).
>>    - AFAICT, public v8 APIs provide a way to compile a script
>>    (e.g. v8::ScriptCompiler::CompileUnboundScript which takes a string as
>>    input, and a v8::ScriptCompiler::StartStreaming which takes a stream as
>>    input).  OTOH, v8/src/parsing/parser.cc doesn't seem to be exposed via the
>>    public API.
>>
>> Questions:
>>
>>    - *Would it be possible and/or reasonable to provide a public v8 API
>>    for checking if a stream can be parsed as Javascript?*
>>       - Assumption: No cache integration is needed (the parsing will
>>       happen outside of a renderer process;  no compilation will be done).
>>       - Requirement: For JSON, the parser should indicate that this is
>>       not a valid Javascript (e.g. for JSON objects + for JSON lists that
>>       terminate without invoking any list methods)
>>       - I am happy to tackle this work, but I may need some guidance and
>>       hand-holding regarding some of the details.
>>    - *Is it fair to describe Javascript parsing as risky from a security
>>    perspective?*  (e.g. something to avoid in a NetworkService process
>>    and consider doing in a Utility process instead)
>>       - On one hand, the input is a text stream (no binary offsets) and
>>       the output is just a boolean (definitely-not-a-Javascript VS
>>       the-prefix-still-parses-as-Javascript).  And I imagine that the
>>       essence of the parser just mechanically transcribes the BNF rules for
>>       Javascript.  OTOH, parsers can get fairly complex, and so it seems that
>>       the act of parsing might be seen as violating the Rule-of-2
>>       <https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/rule-of-2.md>.
>>
>> --
>> Thanks,
>>
>> Lukasz
>>
>> --
>> --
>> v8-dev mailing list
>> v8-dev@googlegroups.com
>> http://groups.google.com/group/v8-dev
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "v8-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to v8-dev+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/v8-dev/d4dd45ff-3b73-4d4b-883d-d2e8ba4123e7n%40googlegroups.com
>> <https://groups.google.com/d/msgid/v8-dev/d4dd45ff-3b73-4d4b-883d-d2e8ba4123e7n%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>
>
> --
>
>
> Hannes Payer |  V8 |  Google Germany GmbH |  Erika-Mann Str. 33, 80636
> München
>
> Registergericht und -nummer: Hamburg, HRB 86891 | Sitz der Gesellschaft:
> Hamburg | Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle
>
