endojs / endo

Endo is a distributed secure JavaScript sandbox, based on SES
Apache License 2.0

Cosmos-kit incompatible with lockdown #2029

Closed samsiegart closed 10 months ago

samsiegart commented 10 months ago

Describe the bug

When trying to use https://github.com/cosmology-tech/cosmos-kit in a React app with lockdown, it crashes with an error like:

TypeError: Cannot assign to read only property 'concat' of object '[object Object]'

Steps to reproduce

  1. Go to https://github.com/agoric-labs/cosmos-kit-ses?tab=readme-ov-file
  2. Clone the repo
  3. yarn && yarn dev to run locally
  4. Reload the url outputted by yarn dev
  5. Observe the app crashes to a blank page and the error appears in the console

Expected behavior

There should be some way to use cosmos-kit alongside endo

Platform environment

Additional context

I tried using @endo/init/unsafe-fast.js to circumvent the issue in this branch unsuccessfully. It throws a different error TypeError#2: Cannot perform 'ownKeys' on a proxy that has been revoked described in the README.

erights commented 10 months ago

Reproduced locally!

erights commented 10 months ago

I should be clearer: I locally reproduced

TypeError: Cannot assign to read only property 'concat' of object '[object Object]'

in full ses, i.e., without switching to unsafe-fast.js

I have not yet reproduced the revoked proxy issue.

erights commented 10 months ago

@samsiegart, could you try https://github.com/endojs/endo/pull/2030 and see if it fixes the ... Cannot assign to read only ... problem?

samsiegart commented 10 months ago

> @samsiegart, could you try #2030 and see if it fixes the ... Cannot assign to read only ... problem?

Thanks @erights, that patch seems to work, just left a comment: https://github.com/endojs/endo/pull/2030#pullrequestreview-1860065414

I'm just wondering, does this require overrideTaming: 'severe' in the lockdown options? Are there any concerns that developers should be aware of when using such enablements?

erights commented 10 months ago

I don't know why merging #2030 closed this. I specifically did NOT list this issue in the "closes" portion. Reopening.

samsiegart commented 10 months ago

Apologies, I pasted the wrong error in the original description of this issue. In full ses, i.e., without switching to unsafe-fast.js I was getting the error @erights repro'd locally:

TypeError: Cannot assign to read only property 'concat' of object '[object Object]'

This was in fact fixed by https://github.com/endojs/endo/pull/2030. I've amended the description now.

The other error:

TypeError#2: Cannot perform 'ownKeys' on a proxy that has been revoked

...only happens with unsafe-fast.js

erights commented 10 months ago

> ...only happens with unsafe-fast.js

Awesome. Then I'm closing this. If I misunderstood, please reopen. Thanks!
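
The `Cannot assign to read only property 'concat'` error discussed in this thread, as an added example that is not part of the original issue and is not Endo's code: a simplified sketch of why plain assignment over a property inherited from a frozen prototype throws, and of the accessor technique that override taming relies on. It does not load the `ses` package; `makeProto`, `overrideByAssignment`, `enableOverride` and `demo` are hypothetical names, and the prototype is a constructed stand-in for a frozen primordial.

```javascript
// Constructed stand-in for a primordial prototype (e.g. Array.prototype).
function makeProto() {
  return { concat() { return 'inherited'; } };
}

// Library-style code: override an inherited method by plain assignment.
function overrideByAssignment(proto) {
  'use strict';
  const obj = Object.create(proto);
  try {
    obj.concat = () => 'own';
    return { ok: true, result: obj.concat(), protoResult: proto.concat() };
  } catch (err) {
    return { ok: false, errorName: err.name };
  }
}

// Simplified sketch of override taming (hypothetical helper, not SES source):
// swap the data property for an accessor before freezing, so assignment on a
// derived object defines an own property instead of hitting a read-only one.
function enableOverride(proto, name) {
  const { value, enumerable } = Object.getOwnPropertyDescriptor(proto, name);
  Object.defineProperty(proto, name, {
    get() { return value; },
    set(newValue) {
      // Assigning on the shared prototype itself must still fail.
      if (this === proto) {
        throw new TypeError(`Cannot assign to read only property '${name}'`);
      }
      Object.defineProperty(this, name, {
        value: newValue, writable: true, enumerable: true, configurable: true,
      });
    },
    enumerable,
    configurable: true,
  });
  return proto;
}

function demo() {
  const untamed = overrideByAssignment(Object.freeze(makeProto()));
  const tamed = overrideByAssignment(
    Object.freeze(enableOverride(makeProto(), 'concat')),
  );
  return { untamed, tamed };
}

console.log(demo());
```

In both runs the prototype stays frozen and unmodified; only the derived object gains an own `concat` in the tamed case.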