tc39 / security

Discussion area for security aspects of ECMAScript

List of surprising non-invariants #6

Open bakkot opened 3 years ago

bakkot commented 3 years ago

A lot of vulnerabilities, both in implementations and in user code, come down to mistakenly assuming something is an invariant when it is not.

For example:

What else?

ljharb commented 3 years ago

In-bounds index access on an array is always safe?

michaelficarra commented 3 years ago

"Objects created as empty literals ({}) have no properties". They have no own-properties, but inherit some from Object.prototype by default, including the __proto__ getters/setters.
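
The point above is what makes "prototype pollution" possible. The following is an added example, not code from the thread or from TC39: it shows that an empty literal answers `in` for inherited names, and that a recursive merge which trusts attacker-controlled keys writes onto `Object.prototype` through the inherited `__proto__` accessor. The payload, the helper names and the `isAdmin` flag are constructed for the demonstration; `Object.hasOwn` is the ES2022 built-in.

```javascript
// Added example (not from the thread). An "empty" object literal still
// inherits Object.prototype members, which matters as soon as untrusted
// input supplies property names.

// Part 1: membership tests on {}.
function hasKeyNaive(table, key) {
  return key in table;               // also true for inherited members
}
function hasKeySafe(table, key) {
  return Object.hasOwn(table, key);  // own properties only (ES2022)
}

// Part 2: a recursive merge that trusts attacker-controlled keys.
// Constructed payload: the body an attacker would POST to a JSON endpoint.
// JSON.parse creates an *own* property literally named "__proto__".
const PAYLOAD = JSON.parse('{"__proto__": {"isAdmin": true}}');

function mergeNaive(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      // target["__proto__"] goes through the inherited accessor and yields
      // Object.prototype, so the recursion writes onto every object.
      if (!target[key]) target[key] = {};
      mergeNaive(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!Object.hasOwn(target, key) || typeof target[key] !== 'object') {
        target[key] = Object.create(null);  // no inherited accessors at all
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if the naive merge polluted Object.prototype, then undoes
// the damage so the rest of the process keeps working.
function demoNaive() {
  mergeNaive({}, PAYLOAD);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// Returns whether the hardened merge polluted anything or kept the key.
function demoSafe() {
  const merged = mergeSafe({}, PAYLOAD);
  return { polluted: ({}).isAdmin === true, own: Object.hasOwn(merged, '__proto__') };
}
```

The hardened version does two things: it refuses the three keys that reach the prototype chain, and it creates nested containers with `Object.create(null)` so that even a key it did not anticipate cannot resolve to an inherited accessor.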

michaelficarra commented 3 years ago

"JSON is a subset of JavaScript".

ljharb commented 3 years ago

setTimeout is part of JavaScript

jugglinmike commented 3 years ago

"Any IdentifierReference can be safely guarded with the typeof operator."

TimothyGu commented 3 years ago

Array.isArray(a) implies a is an Array exotic object.

edit: a could also be a Proxy exotic object with an underlying Array exotic object.

ljharb commented 3 years ago

@TimothyGu that one is true, because "is an Array object" is defined by the same thing Array.isArray checks. However, "Array.isArray(a) means a instanceof Array" is definitely a non-invariant.

ljharb commented 3 years ago

@jugglinmike can you elaborate? which can't?

zloirock commented 3 years ago

@ljharb it seems something like this

Object.defineProperty(globalThis, 'x', { get(){ throw 42 } });
// ...
typeof x;

jugglinmike commented 3 years ago

Nice point, @zloirock. For my part, I was considering the so-called "temporal dead zone"

typeof x;
let x;
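
Both cases above, the throwing global accessor and the temporal dead zone, in one runnable form. This is an added example, not code from either commenter; the identifiers `boobyTrappedGlobal`, `laterBinding` and `nameThatIsNeverDeclared` are made up for the demonstration, and `globalExists` is one way to test for a global without ever invoking its getter.

```javascript
// Added example (not from the thread). `typeof ident` cannot throw for a
// name that was never declared, but it does throw in the two cases raised
// above: a global accessor that throws, and a lexical binding read in its
// temporal dead zone.

// Run a thunk and report either its result or the class of error it threw.
function probe(fn) {
  try {
    return fn();
  } catch (e) {
    return e.constructor.name;
  }
}

// Case 1: a global whose getter throws. typeof resolves the reference,
// GetValue calls the getter, and the exception propagates.
Object.defineProperty(globalThis, 'boobyTrappedGlobal', {
  get() { throw new RangeError('getter invoked'); },
  configurable: true,
});
function typeofThrowingGlobal() {
  return typeof boobyTrappedGlobal;   // throws RangeError, never returns
}

// Case 2: a let binding read before its declaration has executed.
function typeofInTdz() {
  const kind = typeof laterBinding;   // ReferenceError (temporal dead zone)
  let laterBinding = 1;
  return kind;
}

// Case 3: a genuinely undeclared name is the only case typeof makes safe.
function typeofUndeclared() {
  return typeof nameThatIsNeverDeclared;   // 'undefined'
}

// Existence check for a global that never invokes an accessor: inspect the
// descriptor on the global object instead of reading the value. (This does
// nothing for the TDZ case; the only fix there is declaration order.)
function globalExists(name) {
  return Object.getOwnPropertyDescriptor(globalThis, name) !== undefined;
}
```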

TimothyGu commented 3 years ago

@ljharb I meant the fact that Array.isArray returns true for Proxy objects whose underlying object is an array. I guess I should rephrase it as: "Array.isArray(a) implies that a is an Array exotic object."
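
An added example, not code from the thread, that probes the `Array.isArray` / `instanceof Array` disagreement discussed above in both directions and goes one step further than the comments: `Array.isArray` itself throws on a revoked Proxy, so even the check can fail. Every value below is constructed for the demonstration.

```javascript
// Added example (not from the thread). Array.isArray and instanceof Array
// disagree in both directions, and Array.isArray can throw.

// Run a thunk and report either its result or the class of error it threw.
function probe(fn) {
  try {
    return fn();
  } catch (e) {
    return e.constructor.name;
  }
}

function classify(value) {
  return {
    isArray: probe(() => Array.isArray(value)),
    instanceOf: probe(() => value instanceof Array),
  };
}

const realArray = [1, 2, 3];
// A Proxy with no traps forwards everything to its Array target.
const proxiedArray = new Proxy([1, 2, 3], {});
// A Proxy whose getPrototypeOf trap lies: still "an Array" to isArray,
// but instanceof walks the (now empty) prototype chain and says no.
const proxyHidingProto = new Proxy([1, 2, 3], { getPrototypeOf: () => null });
// An ordinary object wired to Array.prototype: instanceof yes, isArray no.
const fakeArray = Object.create(Array.prototype);
// A revoked Proxy: both checks throw TypeError.
const { proxy: revokedProxy, revoke } = Proxy.revocable([], {});
revoke();

function classifyAll() {
  return {
    realArray: classify(realArray),
    proxiedArray: classify(proxiedArray),
    proxyHidingProto: classify(proxyHidingProto),
    fakeArray: classify(fakeArray),
    revokedProxy: classify(revokedProxy),
  };
}

// Input validation that wants "an array" should guard the check itself and
// then copy, so later code works on a snapshot rather than through whatever
// traps a Proxy installs. Returns null for anything that is not an Array.
function toPlainArray(value) {
  let ok;
  try {
    ok = Array.isArray(value);
  } catch {
    ok = false;
  }
  return ok ? Array.from(value) : null;
}
```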

ljharb commented 3 years ago

Ha, I love this list. Thanks for clarifying.

jugglinmike commented 3 years ago

"Every value is strictly equal to itself." / "Every value is loosely equal to itself." (Counter-example: NaN)

bakkot commented 3 years ago

And of course conversely, "if x === y, then they are the same value" (-0/0).
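
The two counter-examples above are exactly where the language's equality algorithms diverge. The following is an added example, not code from the thread: it reports all four algorithms (IsStrictlyEqual, IsLooselyEqual, SameValue, SameValueZero) for a pair of values and shows where the difference bites in practice, such as `indexOf` never finding `NaN` and `Map` discarding the sign of `-0`. The helper names are made up for the demonstration.

```javascript
// Added example (not from the thread). The four equality algorithms the
// language uses agree on everything except NaN and -0.
function compareAll(x, y) {
  return {
    strict: x === y,                 // IsStrictlyEqual
    loose: x == y,                   // IsLooselyEqual
    sameValue: Object.is(x, y),      // SameValue
    sameValueZero: [x].includes(y),  // SameValueZero (includes, Map, Set)
  };
}

// indexOf uses strict equality, includes uses SameValueZero: a guard
// written with indexOf never matches NaN, so it silently passes.
function containsNaN(list) {
  return {
    byIndexOf: list.indexOf(NaN) !== -1,
    byIncludes: list.includes(NaN),
  };
}

// Map and Set normalise a -0 key to +0 on insertion, so the sign is lost
// even though Object.is could still have told the two apart.
function mapKeySign() {
  const m = new Map([[-0, 'negative zero']]);
  const storedKey = [...m.keys()][0];
  return { found: m.get(0), keyIsPositiveZero: Object.is(storedKey, 0) };
}

// Self-inequality is the classic NaN test; only Object.is (or the sign of
// 1/n) distinguishes -0 from +0, since -0 === 0 is true.
function classifyNumber(n) {
  if (n !== n) return 'NaN';
  if (n === 0) return Object.is(n, -0) ? '-0' : '+0';
  return 'other';
}
```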

jugglinmike commented 3 years ago

That'd be "x === y", right?

bakkot commented 3 years ago

Sorry, yes. Edited to fix.