endojs / endo

Endo is a distributed secure JavaScript sandbox, based on SES
Apache License 2.0

compartment-mapper/policy: allows "resources" to be an array #1750

Closed boneskull closed 1 year ago

boneskull commented 1 year ago

Describe the bug

Steps to reproduce

I'm not sure of the most straightforward way to reproduce this in the real world--since I discovered it while poking around in the codebase--but ostensibly one could edit the policy in packages/compartment-mapper/demo/policy/index.mjs and change resources to an array, eliminating all of the keys. I am not sure if that itself will break, but per @naugtur this was unintended behavior.

Expected behavior

An error is thrown if resources is an array.

Platform environment

Ubuntu / v18.17.1 / master

Additional context

I am creating this issue because when I started to open a PR to fix it, it said I should create an issue. I am good at following directions!


kriskowal commented 1 year ago

@boneskull You are a role model for us all. Thank you :-)
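
The check this issue asks for, as an added example that is not part of the thread and not compartment-mapper's own code: a shape check built on `typeof` accepts an array for `resources`, while a plain-object check rejects it. The function names and sample policies are hypothetical, and it is an assumption that the loose check resembles what the project's validator did.

```javascript
'use strict';

// Hypothetical loose check: arrays are objects in JavaScript, so they pass.
const looseIsRecord = value => typeof value === 'object' && value !== null;

// Strict check: only plain objects (prototype is Object.prototype or null).
const isPlainRecord = value => {
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    return false;
  }
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
};

// Hypothetical validator for the top-level `resources` field of a policy.
function assertResources(policy) {
  if (!isPlainRecord(policy)) {
    throw new TypeError('policy must be a plain object');
  }
  const { resources } = policy;
  if (!isPlainRecord(resources)) {
    const got = Array.isArray(resources)
      ? 'array'
      : resources === null ? 'null' : typeof resources;
    throw new TypeError(`policy.resources must be a plain object, got ${got}`);
  }
  for (const [name, item] of Object.entries(resources)) {
    if (!isPlainRecord(item)) {
      throw new TypeError(`policy.resources[${JSON.stringify(name)}] must be a plain object`);
    }
  }
  return policy;
}

// Returns 'accepted' or 'rejected: <reason>' instead of throwing.
function check(policy) {
  try { assertResources(policy); return 'accepted'; }
  catch (err) { return `rejected: ${err.message}`; }
}

// Constructed sample policies; the item contents are illustrative only.
const keyedPolicy = { resources: { 'example-a': { packages: { 'example-b': true } } } };
const arrayPolicy = { resources: [{ packages: { 'example-b': true } }] };

// In the array form the entries are keyed by index, not by package name.
const arrayKeys = Object.keys(arrayPolicy.resources);

console.log(looseIsRecord(arrayPolicy.resources), arrayKeys, check(keyedPolicy), check(arrayPolicy));
```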