
Commit 6dcb9b2

[MERGE chakra-core#3196 @dilijev] Fix chakra-core#3189: Fix pre-init Intl tainting of Map and Object.defineProperty.
Merge pull request chakra-core#3196 from dilijev:intl-tainting * Expose and use platform.Map * Use ObjectDefineProperty instead of Object.defineProperty Fixes chakra-core#3189
2 parents 848a7e1 + 0bb8619 commit 6dcb9b2

10 files changed

Lines changed: 15167 additions & 15051 deletions

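--- a/lib/Runtime/Library/EngineInterfaceObjectBuiltIns.h
+++ b/lib/Runtime/Library/EngineInterfaceObjectBuiltIns.h
@@ -9,6 +9,7 @@ GlobalBuiltInConstructor(RegExp)
 GlobalBuiltInConstructor(String)
 GlobalBuiltInConstructor(Date)
 GlobalBuiltInConstructor(Error) /*This was added back in to allow assert errors*/
+GlobalBuiltInConstructor(Map)
 
 GlobalBuiltIn(Math,Abs)
 GlobalBuiltIn(Math,Floor)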
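Review bot: The new `GlobalBuiltInConstructor(Map)` entry carries no note on why it is needed, while the neighbouring `Error` entry documents its reason inline. Following that style, `GlobalBuiltInConstructor(Map) /* Intl.js caches (localeLookupCache, localeBestFitCache) need a Map constructor user script cannot replace */` would record that the entry exists for the Intl.js cache initialisation in this same commit. The macro list continues beyond this hunk.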

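--- a/lib/Runtime/Library/InJavascript/Intl.js
+++ b/lib/Runtime/Library/InJavascript/Intl.js
@@ -8,10 +8,10 @@
 (function (EngineInterface, InitType) {
 var platform = EngineInterface.Intl;
 if (platform.localeLookupCache === undefined) {
-platform.localeLookupCache = new Map();
+platform.localeLookupCache = new platform.Map();
 }
 if (platform.localeBestFitCache === undefined) {
-platform.localeBestFitCache = new Map();
+platform.localeBestFitCache = new platform.Map();
 }
 
 // constants
@@ -30,6 +30,7 @@
 var String = platform.String;
 var Date = platform.Date;
 var Error = platform.Error;
+var Map = platform.Map;
 
 var RaiseAssert = platform.raiseAssert;
 
@@ -40,16 +41,15 @@
 pow: platform.builtInMathPow
 }, null);
 
-var objectDefineProperty = platform.builtInJavascriptObjectEntryDefineProperty;
 var ObjectGetPrototypeOf = platform.builtInJavascriptObjectEntryGetPrototypeOf;
 var ObjectIsExtensible = platform.builtInJavascriptObjectEntryIsExtensible;
 var ObjectGetOwnPropertyNames = platform.builtInJavascriptObjectEntryGetOwnPropertyNames;
 var ObjectInstanceHasOwnProperty = platform.builtInJavascriptObjectEntryHasOwnProperty;
-
 // Because we don't keep track of the attributes object, and neither does the internals of Object.defineProperty;
 // We don't need to restore it's prototype.
+var _objectDefineProperty = platform.builtInJavascriptObjectEntryDefineProperty;
 var ObjectDefineProperty = function (obj, prop, attributes) {
-objectDefineProperty(obj, prop, setPrototype(attributes, null));
+_objectDefineProperty(obj, prop, setPrototype(attributes, null));
 };
 
 var ArrayInstanceForEach = platform.builtInJavascriptArrayEntryForEach;
@@ -381,9 +381,9 @@
 // When https://github.com/Microsoft/ChakraCore/issues/637 is fixed and we have a way
 // to make built-in functions non-constructible, we can remove the call to
 // Function.prototype.bind and just rely on tagging instead of setting the "name" manually.
-Object.defineProperty(collator_supportedLocalesOf, 'name', { value: 'supportedLocalesOf' });
-Object.defineProperty(numberFormat_supportedLocalesOf, 'name', { value: 'supportedLocalesOf' });
-Object.defineProperty(dateTimeFormat_supportedLocalesOf, 'name', { value: 'supportedLocalesOf' });
+ObjectDefineProperty(collator_supportedLocalesOf, 'name', { value: 'supportedLocalesOf' });
+ObjectDefineProperty(numberFormat_supportedLocalesOf, 'name', { value: 'supportedLocalesOf' });
+ObjectDefineProperty(dateTimeFormat_supportedLocalesOf, 'name', { value: 'supportedLocalesOf' });
 
 // If an empty string is encountered for the value of the property; that means that is by default.
 // So in the case of zh-TW; "default" and "stroke" are the same.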
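Review bot: The `_objectDefineProperty` capture added in the third hunk breaks the naming convention of the surrounding captures (`ObjectGetPrototypeOf`, `ObjectIsExtensible`, … — no underscore prefix), and the two-line comment about not restoring the attributes object's prototype now sits above that capture although it explains the `ObjectDefineProperty` wrapper beneath it; moving the capture above the comment, or adding `// raw entry point; callers should use the ObjectDefineProperty wrapper below`, keeps the two apart. In the first hunk, the cache initialisation at lines 11 and 14 has to spell out `platform.Map` because the `var Map = platform.Map` alias added in the second hunk is hoisted but still undefined that early in the closure, so `new Map()` there would now throw; a one-line comment such as `// platform.Map, not the Map alias: that var is only assigned further down` would stop someone simplifying it back. Both points are inside the enclosing IIFE, whose body extends well beyond these hunks.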

lib/Runtime/Library/InJavascript/Intl.js.bc.32b.h

Lines changed: 3867 additions & 3867 deletions

lib/Runtime/Library/InJavascript/Intl.js.bc.64b.h

Lines changed: 3867 additions & 3866 deletions

lib/Runtime/Library/InJavascript/Intl.js.nojit.bc.32b.h

Lines changed: 3655 additions & 3655 deletions

lib/Runtime/Library/InJavascript/Intl.js.nojit.bc.64b.h

Lines changed: 3655 additions & 3655 deletions
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Passed pre-init tainting!
Lines changed: 105 additions & 0 deletions
@@ -0,0 +1,105 @@
1+
//-------------------------------------------------------------------------------------------------------
2+
// Copyright (C) Microsoft. All rights reserved.
3+
// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
4+
//-------------------------------------------------------------------------------------------------------
5+
6+
try {
7+
var failed = false;
8+
function getErrorFunction(global) {
9+
return function () {
10+
failed = true;
11+
WScript.Echo("Error when tainting '" + global + "'!");
12+
}
13+
}
14+
15+
function generalTainting() {
16+
// tainting built-in object constructors and functions
17+
Date = getErrorFunction("Date");
18+
Object = getErrorFunction("Object");
19+
Number = getErrorFunction("Number");
20+
RegExp = getErrorFunction("RegExp");
21+
String = getErrorFunction("String");
22+
Boolean = getErrorFunction("Boolean");
23+
Error = getErrorFunction("Error");
24+
TypeError = getErrorFunction("TypeError");
25+
RangeError = getErrorFunction("RangeError");
26+
Map = getErrorFunction("Map");
27+
28+
Math = {
29+
abs: getErrorFunction("Math.abs"),
30+
floor: getErrorFunction("Math.floor"),
31+
max: getErrorFunction("Math.max"),
32+
pow: getErrorFunction("Math.pow")
33+
};
34+
35+
isFinite = getErrorFunction("isFinite");
36+
isNaN = getErrorFunction("isNaN");
37+
}
38+
39+
function objectTainting() {
40+
Object.create = getErrorFunction("Object.create");
41+
Object.defineProperty = getErrorFunction("Object.defineProperty");
42+
Object.getPrototypeOf = getErrorFunction("Object.getPrototypeOf");
43+
Object.isExtensible = getErrorFunction("Object.isExtensible");
44+
Object.getOwnPropertyNames = getErrorFunction("Object.getOwnPropertyNames");
45+
Object.prototype.hasOwnProperty = getErrorFunction("Object.prototype.hasOwnProperty");
46+
}
47+
48+
function arrayTainting() {
49+
Array.prototype.forEach = getErrorFunction("Array.prototype.forEach");
50+
Array.prototype.indexOf = getErrorFunction("Array.prototype.indexOf");
51+
Array.prototype.push = getErrorFunction("Array.prototype.push");
52+
Array.prototype.join = getErrorFunction("Array.prototype.join");
53+
}
54+
55+
function stringTainting() {
56+
String.prototype.match = getErrorFunction("String.prototype.match");
57+
String.prototype.replace = getErrorFunction("String.prototype.replace");
58+
String.prototype.toLowerCase = getErrorFunction("String.prototype.toLowerCase");
59+
String.prototype.toUpperCase = getErrorFunction("String.prototype.toUpperCase");
60+
}
61+
62+
function otherProtototypeTainting() {
63+
Function.prototype.bind = getErrorFunction("Function.prototype.bind");
64+
Date.prototype.getDate = getErrorFunction("Date.prototype.getDate");
65+
RegExp.prototype.test = getErrorFunction("RegExp.prototype.test");
66+
}
67+
68+
function runTests() {
69+
failed = false;
70+
71+
new Intl.NumberFormat().format(5);
72+
new Intl.DateTimeFormat().format(5);
73+
new Intl.Collator().compare(null, "");
74+
75+
new Intl.NumberFormat().format(5);
76+
new Intl.DateTimeFormat().format(5);
77+
new Intl.Collator().compare(null, "");
78+
79+
new Intl.NumberFormat().format(5);
80+
new Intl.DateTimeFormat("en", { month: "short" }).format(5);
81+
new Intl.Collator().compare("en", "");
82+
83+
new Intl.NumberFormat().format(5);
84+
new Intl.DateTimeFormat("en", { month: "short" }).format(5);
85+
new Intl.Collator().compare("en", "");
86+
87+
new Intl.NumberFormat().format(5);
88+
new Intl.DateTimeFormat("en", { month: "short" }).format(5);
89+
new Intl.Collator().compare("en", "");
90+
91+
if (failed === false) {
92+
WScript.Echo("Passed pre-init tainting!");
93+
}
94+
}
95+
96+
objectTainting();
97+
arrayTainting();
98+
stringTainting();
99+
otherProtototypeTainting();
100+
generalTainting();
101+
runTests();
102+
103+
} catch (e) {
104+
WScript.Echo(e);
105+
}
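Review bot: `generalTainting` replaces only the `Map` constructor, so a regression where Intl resolved `get`/`set`/`has` on its cache instances through a user-modified `Map.prototype` would still print the pass line; if `platform.Map` shares its prototype with the global `Map` (this page does not show either way), adding `Map.prototype.get = getErrorFunction("Map.prototype.get");` plus the same for `set` and `has` to `otherProtototypeTainting` would close that gap. The repeated groups of three constructor calls in `runTests` look deliberate — presumably so that later passes hit the `localeLookupCache`/`localeBestFitCache` paths rather than the first-use path — but nothing says so; a comment such as `// repeat so later passes go through the locale caches, not only first-use initialisation` would record the intent. The outer `catch (e)` only echoes an exception, so a `TypeError` thrown by a tainted builtin is reported as text rather than counted in `failed`; that still breaks the baseline, but a comment saying so would save the next reader the analysis. `otherProtototypeTainting` is misspelled at both its definition and its call site.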

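--- a/test/Intl/IntlTaintingTests.js
+++ b/test/Intl/IntlTaintingTests.js
@@ -52,6 +52,7 @@ try {
 Error = getErrorFunction("Error");
 TypeError = getErrorFunction("TypeError");
 RangeError = getErrorFunction("RangeError");
+Map = getErrorFunction("Map");
 
 Math = {
 abs: getErrorFunction("Math.abs"),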

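--- a/test/Intl/rlexe.xml
+++ b/test/Intl/rlexe.xml
@@ -80,6 +80,13 @@
 <tags>Intl,exclude_winglob</tags>
 </default>
 </test>
+<test>
+<default>
+<files>IntlTaintingPreInitTests.js</files>
+<baseline>IntlTaintingPreInitTests.baseline</baseline>
+<tags>Intl,exclude_winglob</tags>
+</default>
+</test>
 
 <test>
 <default>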
