Re: [v8-users] why can't SetSecurityToken control cross access?

Toon Verwaest Fri, 01 Jun 2018 01:20:17 -0700

If you have two contacts with different security tokens you're only
allowed, as an embedder, to leak explicitly access checked objects between
the two. Hence only objects that are backed by object templates with access
checks.


The reason is that we don't check whether you have access for all objects.
That would be quite expensive especially in the generic case.

Since we've had bugs in the past with objects accidentally leaking anyway,
we've tied down our compiler to check who is trying to compile where.
Otherwise leaking a single object easily leads to full access to the
context of the leaked object through code injection.

Hth

On Fri, Jun 1, 2018 at 9:46 AM Ben Noordhuis <i...@bnoordhuis.nl> wrote:

> On Thu, May 31, 2018 at 3:52 AM,  <fengxing...@gmail.com> wrote:
> > ur... I still can not get it.  In the following modification, I changed
> > object x by scripts.
> >
> > Modification Three:
> >
> > TEST(EvalInAccessCheckedContext) {
> >   v8::Isolate* isolate = CcTest::isolate();
> >   v8::HandleScope scope(isolate);
> >
> >   v8::Local<v8::ObjectTemplate> obj_template =
> > v8::ObjectTemplate::New(isolate);
> >
> >   //obj_template->SetAccessCheckCallback(AccessAlwaysAllowed);
> >
> >   v8::Local<Context> context0 = Context::New(isolate, NULL,
> obj_template);
> >   v8::Local<Context> context1 = Context::New(isolate, NULL,
> obj_template);
> >
> >   Local<Value> foo = v8_str("foo");
> >   Local<Value> bar = v8_str("bar");
> >
> >   // Set to different domains.
> >   context0->SetSecurityToken(foo);
> >   context1->SetSecurityToken(bar);
> >
> >   // Set up function in context0 that uses eval from context0.
> >   context0->Enter();
> >   v8::Local<v8::Value> fun = CompileRun(
> >       "var x = {a:42};"
> >       "(function() {"
> >       "  var e = eval;"
> >       "  return function(s) { return x; }"
> >       "})()");
> >   context0->Exit();
> >
> >   // Put the function into context1 and call it. Since the access check
> >   // callback always returns true, the call succeeds even though the
> tokens
> >   // are different.
> >   context1->Enter();
> >   context1->Global()->Set(context1, v8_str("fun"), fun).FromJust();
> >   v8::Local<v8::Value> x_value = CompileRun("var c = fun('x'); c.a = 43;
> c.b
> > = 45;"); //change x object by scripts
> >   CHECK_EQ(45, x_value->Int32Value(context1).FromJust());
> >   context1->Exit();
> >
> >   context0->Enter();
> >   x_value = CompileRun("x.a");
> >   CHECK_EQ(43, x_value->Int32Value(context0).FromJust()); // change is
> > allowed
> >
> >   x_value = CompileRun("x.b");
> >   CHECK_EQ(45, x_value->Int32Value(context0).FromJust()); // change is
> > allowed
> >   context0->Exit();
> > }
> >
> > Modification Four :
> >
> > TEST(EvalInAccessCheckedContext) {
> >   v8::Isolate* isolate = CcTest::isolate();
> >   v8::HandleScope scope(isolate);
> >
> >   v8::Local<v8::ObjectTemplate> obj_template =
> > v8::ObjectTemplate::New(isolate);
> >
> >   //obj_template->SetAccessCheckCallback(AccessAlwaysAllowed);
> >
> >   v8::Local<Context> context0 = Context::New(isolate, NULL,
> obj_template);
> >   v8::Local<Context> context1 = Context::New(isolate, NULL,
> obj_template);
> >
> >   Local<Value> foo = v8_str("foo");
> >   Local<Value> bar = v8_str("bar");
> >
> >   // Set to different domains.
> >   context0->SetSecurityToken(foo);
> >   context1->SetSecurityToken(bar);
> >
> >   // Set up function in context0 that uses eval from context0.
> >   context0->Enter();
> >   v8::Local<v8::Value> fun = CompileRun(
> >       "var x = 42;"
> >       "var y = function() {return x;};" // y is a function which is set
> up
> > in context0.
> >       "(function() {"
> >       //"  var e = eval;" // this line will fail test
> >       "  var e = y;"  // this line will pass test
> >       "  return function(s) { return e(s); }"
> >       "})()");
> >   context0->Exit();
> >
> >   // Put the function into context1 and call it. Since the access check
> >   // callback always returns true, the call succeeds even though the
> tokens
> >   // are different.
> >   context1->Enter();
> >   context1->Global()->Set(context1, v8_str("fun"), fun).FromJust();
> >   v8::Local<v8::Value> x_value = CompileRun("fun('x');");
> >   CHECK_EQ(42, x_value->Int32Value(context1).FromJust());
> >   context1->Exit();
> > }
> >
> > I also find another test case. In the test case, all operations are
> write by
> > c++ code, and SetSecurityToken can control access.
> >
> > Another test case:
> >
> > THREADED_TEST(MultiContexts) {
> >   v8::Isolate* isolate = CcTest::isolate();
> >   v8::HandleScope scope(isolate);
> >   v8::Local<ObjectTemplate> templ = ObjectTemplate::New(isolate);
> >   templ->Set(v8_str("dummy"),
> >              v8::FunctionTemplate::New(isolate, DummyCallHandler));
> >
> >   Local<String> password = v8_str("Password");
> >   Local<String> password2 = v8_str("Password2"); // another token
> >   // Create an environment
> >   LocalContext context0(0, templ);
> >   context0->SetSecurityToken(password);
> >   v8::Local<v8::Object> global0 = context0->Global();
> >   CHECK(global0->Set(context0.local(), v8_str("custom"), v8_num(1234))
> >             .FromJust());
> >   CHECK_EQ(1234, global0->Get(context0.local(), v8_str("custom"))
> >                      .ToLocalChecked()
> >                      ->Int32Value(context0.local())
> >                      .FromJust());
> >
> >   // Create an independent environment
> >   LocalContext context1(0, templ);
> >   context1->SetSecurityToken(password2);// set another token
> >   v8::Local<v8::Object> global1 = context1->Global();
> >   CHECK(global1->Set(context1.local(), v8_str("custom"), v8_num(1234))
> >             .FromJust());
> >   CHECK(!global0->Equals(context1.local(), global1).FromJust());
> >   CHECK_EQ(1234, global0->Get(context1.local(), v8_str("custom")) // this
> > line will fail if tokens are not matched
> >                      .ToLocalChecked()
> >                      ->Int32Value(context0.local())
> >                      .FromJust());
> >
> > //skip some codes below
> > ...
> > }
>
> Note that you need to set an access check callback to enable access
> checks.  Since you commented out the SetAccessCheckCallback calls,
> they aren't enabled.
>
> --
> --
> v8-users mailing list
> v8-users@googlegroups.com
> http://groups.google.com/group/v8-users
> ---
> You received this message because you are subscribed to the Google Groups
> "v8-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to v8-users+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
-- 

Toon Verwaest |  Software Engineer, V8 |  Google Germany GmbH |  Erika-Mann
Str. 33, 80636 München

Registergericht und -nummer: Hamburg, HRB 86891 | Sitz der Gesellschaft:
Hamburg | Geschäftsführer: Paul Manicle, Halimah DeLaine Prado

-- 
-- 
v8-users mailing list
v8-users@googlegroups.com
http://groups.google.com/group/v8-users
--- 
You received this message because you are subscribed to the Google Groups 
"v8-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [v8-users] why can't SetSecurityToken control cross access?

Reply via email to