Jessie icon indicating copy to clipboard operation
Jessie copied to clipboard
verified publisher icon endojs

`__proto__` attack mitigation

Open michaelfig opened this issue 7 years ago • 3 comments

Hi,

Standard JSON.parse prevents people from injecting __proto__ into the parsed objects, which are all derived from Object. Instead an "own property" called __proto__ is created. However, this is still relatively dangerous, as code higher up the chain which is not also explicitly defending against __proto__ injections may inadvertantly override the prototype chain with an attacker's input.

I would like to propose that creating __proto__ members is rejected in Jessie. To my understanding, Jessie already rejects mutable properties, so code can't later set obj.__proto__ = {}. However, I would also like to see the attempt to create the following Jessie object produce an error:

let abc = { "__proto__": {}};

Silently creating an "own property" is quite scary, and IMO should be rejected even if it makes Jessie not entirely a static superset of JSON.

Thoughts? Michael.

michaelfig avatar Dec 23 '18 21:12 michaelfig

This is an interesting case, in that JavaScript is in this regard already not a superset of JSON. They both accept the syntax, but, as you point out, with conflicting semantics. Since Jessie is supposed to be a subset of JavaScript and a superset of JSON, this is a good enough excuse for banning it.

Jessie purposely omits the elements of JavaScript for talking about inheritance: new, Object.create and most reflective operations, this, class. A standalone Jessie implementation should not need to support general inheritance. A correct Jessie program must not assume either the existence or non-existence of the rest of the SES runtime; it must run correctly when run as a SES program interacting with other SES objects, and when run on a conforming standalone Jessie implementation. The Object.prototype.__proto__ accessor property is one of these elements of the SES runtime which is absent from the Jessie whitelist.

All these considerations support your proposal. I agree. Jessie should statically prohibit syntax naming __proto__ as a property name, whether with or without quotes, and whether in an object literal or after a dot.

Thanks!

erights avatar Dec 23 '18 23:12 erights

I don't understand why this was closed. Shouldn't some change to the Jessie spec happen first?

dckc avatar Dec 27 '18 17:12 dckc

Hi Dan, yes. Thanks!

erights avatar Dec 27 '18 17:12 erights