Open terjanq opened 9 months ago
Thanks for contributing. The main maintainer of this project is temporary unavailable, but we'll definitely get back to this. The plan is to tighten some limitations on DOM usage that Snow already introduces and fixing the missing overrides where possible. Some of the work has started (see PR tab)
Meanwhile we're also working with W3C to propose a basic building block of Snow getting introduced into the browser so that all of the monkey-patching can be eliminated in the future. https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html
Feel free to update this issue with comments on how you think it should be addressed. We may reach out with questions later.
PoC:
Vulnerable path:
from(arguments)
in https://github.com/LavaMoat/snow/blob/1c8faa81291e6f6dffe62b7106eff2492213375d/src/log.js#L16opened
window reference toconsole.error
in https://github.com/LavaMoat/snow/blob/1c8faa81291e6f6dffe62b7106eff2492213375d/src/proxy.js#L48-L50Description
Accessing the
arguments
variable inside a function scope returns an array-like object which looks like the following:It defines a
@@iterator
symbol used to generate anArrayIterator
object, whichArray.from()
calls internally. We can overwriteArrayIterator.prototype.next
to leak the function arguments passed toArray.from
, one of which is an unproxied reference to the window that can be used to execute unsandboxed JS.