[Re-land] ProxyObject should not be allowed to access its target's private properties.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Aug 2019 21:03:44 +0000 (21:03 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Aug 2019 21:03:44 +0000 (21:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=200739
<rdar://problem/53972768>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
* stress/proxy-with-private-symbols.js:

Source/JavaScriptCore:

Re-landing this after r200829 which resolves the test262 failure uncovered by this patch.

* runtime/ProxyObject.cpp:
(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::performPut):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performDefineOwnProperty):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248796 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js [new file with mode: 0644]
JSTests/stress/proxy-with-private-symbols.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ProxyObject.cpp

index 264b692..bd87c05 100644 (file)
@@ -1,3 +1,14 @@
+2019-08-16  Mark Lam  <mark.lam@apple.com>
+
+        [Re-land] ProxyObject should not be allow to access its target's private properties.
+        https://bugs.webkit.org/show_bug.cgi?id=200739
+        <rdar://problem/53972768>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
+        * stress/proxy-with-private-symbols.js:
+
 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] Promise.prototype.finally should accept non-promise objects
diff --git a/JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js b/JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js
new file mode 100644 (file)
index 0000000..27e25d2
--- /dev/null
@@ -0,0 +1,21 @@
+var foo = (function* bar() {
+    try {
+        yield* x;
+    } finally {
+        try {
+            y;
+        } finally {
+            return;
+        }
+    }
+}) ();
+
+var x = new Proxy(foo, {});
+try {
+    x.next();
+} catch (e) {
+    exception = e;
+}
+
+if (exception != 'TypeError: |this| should be a generator')
+    throw "FAILED";
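Review bot: `exception` is never declared, so if `x.next()` ever stops throwing, the final `if` reads an undeclared global and the test dies with a ReferenceError instead of the intended "FAILED", which makes a regression harder to read from the output. Suggest `var exception;` before the `try` and `if (String(exception) !== 'TypeError: |this| should be a generator')` so a missing throw and a wrong throw both fail through the same path. The free references `x` inside `yield* x` and `y` in the inner try look deliberate, since `next()` is expected to throw before the generator body runs.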
index 0bf1cfb..5b026b0 100644 (file)
@@ -81,7 +81,7 @@ function assert(b) {
             assert(e.message === "%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");
             threw = true;
         }
-        assert(!threw);
+        assert(threw);
         assert(!sawPrivateSymbolAsString);
         sawPrivateSymbolAsString = false;
     }
index d70cd39..c114c68 100644 (file)
@@ -1,3 +1,21 @@
+2019-08-16  Mark Lam  <mark.lam@apple.com>
+
+        [Re-land] ProxyObject should not be allow to access its target's private properties.
+        https://bugs.webkit.org/show_bug.cgi?id=200739
+        <rdar://problem/53972768>
+
+        Reviewed by Yusuke Suzuki.
+
+        Re-landing this after r200829 which resolves the test262 failure uncovered by this patch.
+
+        * runtime/ProxyObject.cpp:
+        (JSC::performProxyGet):
+        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
+        (JSC::ProxyObject::performHasProperty):
+        (JSC::ProxyObject::performPut):
+        (JSC::ProxyObject::performDelete):
+        (JSC::ProxyObject::performDefineOwnProperty):
+
 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] Promise.prototype.finally should accept non-promise objects
index 50e1ba1..1373a83 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -143,7 +143,7 @@ static JSValue performProxyGet(ExecState* exec, ProxyObject* proxyObject, JSValu
     };
 
     if (propertyName.isPrivateName())
-        return performDefaultGet();
+        return jsUndefined();
 
     JSValue handlerValue = proxyObject->handler();
     if (handlerValue.isNull())
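Review bot: None of the six private-name early returns (here in performProxyGet, and in performInternalMethodGetOwnProperty, performHasProperty, performPut, performDelete and performDefineOwnProperty below) says why a private name is now reported as absent instead of being forwarded to the target, and the change is subtle enough that a later reader may "fix" it back to the default path. Suggest a comment above `if (propertyName.isPrivateName())` in performProxyGet such as `// Private names are how builtins reach internal state; a Proxy must never satisfy those lookups on behalf of its target, so report the property as absent.` and a one-line `// See performProxyGet: private names are never forwarded to the target.` at the other five sites. For performPut and performDefineOwnProperty the bare `return false` is presumably turned into a TypeError by callers when shouldThrow is set — worth confirming that is the intended failure rather than a silent no-op, since the previous RELEASE_AND_RETURN forms went through the default implementations. The tests in this commit only exercise get paths (generator next and ArrayIterator next), so the put/delete/defineOwnProperty returns appear untested here. Each enclosing function begins and ends outside its hunk.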
@@ -214,7 +214,7 @@ bool ProxyObject::performInternalMethodGetOwnProperty(ExecState* exec, PropertyN
     };
 
     if (propertyName.isPrivateName())
-        RELEASE_AND_RETURN(scope, performDefaultGetOwnProperty());
+        return false;
 
     JSValue handlerValue = this->handler();
     if (handlerValue.isNull()) {
@@ -323,7 +323,7 @@ bool ProxyObject::performHasProperty(ExecState* exec, PropertyName propertyName,
     };
 
     if (propertyName.isPrivateName())
-        RELEASE_AND_RETURN(scope, performDefaultHasProperty());
+        return false;
 
     JSValue handlerValue = this->handler();
     if (handlerValue.isNull()) {
@@ -425,7 +425,7 @@ bool ProxyObject::performPut(ExecState* exec, JSValue putValue, JSValue thisValu
     }
 
     if (propertyName.isPrivateName())
-        RELEASE_AND_RETURN(scope, performDefaultPut());
+        return false;
 
     JSValue handlerValue = this->handler();
     if (handlerValue.isNull()) {
@@ -628,7 +628,7 @@ bool ProxyObject::performDelete(ExecState* exec, PropertyName propertyName, Defa
     }
 
     if (propertyName.isPrivateName())
-        RELEASE_AND_RETURN(scope, performDefaultDelete());
+        return false;
 
     JSValue handlerValue = this->handler();
     if (handlerValue.isNull()) {
@@ -827,7 +827,7 @@ bool ProxyObject::performDefineOwnProperty(ExecState* exec, PropertyName propert
     };
 
     if (propertyName.isPrivateName())
-        return performDefaultDefineOwnProperty();
+        return false;
 
     JSValue handlerValue = this->handler();
     if (handlerValue.isNull()) {