fix(ses): Lockdown under no-unsafe-eval Content-Security-Policy

kriskowal · kriskowal · commit 05f1c8f74a04 · 2022-11-10T16:55:20.000-08:00
diff --git a/packages/ses/src/tame-function-constructors.js b/packages/ses/src/tame-function-constructors.js
@@ -3,6 +3,7 @@ import {
   SyntaxError,
   TypeError,
   defineProperties,
+  freeze,
   getPrototypeOf,
   setPrototypeOf,
 } from './commons.js';
@@ -46,10 +47,26 @@ export default function tameFunctionConstructors() {
   try {
     // Verify that the method is not callable.
     // eslint-disable-next-line @endo/no-polymorphic-call
-    FERAL_FUNCTION.prototype.constructor('return 1');
-  } catch (ignore) {
+    eval('');
+  } catch {
+    const unsafeFunctionConstructors = [
+      (function () {}),
+      (function *() {}),
+      (async function() {}),
+      (async function *() {}),
+    ].filter(f => {
+      try {
+        f.constructor('');
+      } catch {
+        return false;
+      }
+      return true;
+    })
+    if (unsafeFunctionConstructors.length) {
+      throw new Error(`SES_NO_UNSAFE_EVAL: Lockdown can proceed only with a usable evaluator or if all evaluators are neutralized by a no-unsafe-eval Content-Security-Policy; eval is disabled but Lockdown found working function constructors: ${unsafeFunctionConstructors.map(f => f.constructor.name).join(', ')}`);
+    }
     // Throws, no need to patch.
-    return harden({});
+    return freeze({});
   }
 
   const newIntrinsics = {};
diff --git a/packages/ses/test/no-eval.js b/packages/ses/test/no-eval.js
@@ -5,3 +5,33 @@
 globalThis.eval = _source => {
   throw new TypeError('no unsafe-eval, as if by content-security-policy');
 };
+
+const functionPrototype = Function.prototype;
+const functionConstructor = _source => {
+  throw new TypeError('no unsafe-eval, as if by content-security-policy');
+};
+functionConstructor.prototype = functionPrototype;
+globalThis.Function = functionConstructor;
+Object.defineProperty(Function.prototype, 'constructor', {
+  value: functionConstructor,
+  writable: false,
+  configurable: true,
+});
+
+for (const f of [
+  (function *() {}),
+  (async function() {}),
+  (async function *() {}),
+]) {
+  const constructor = _source => {
+    throw new TypeError('no unsafe-eval, as if by content-security-policy');
+  };
+  constructor.__proto__ = functionConstructor;
+  const prototype = f.__proto__;
+  constructor.prototype = prototype;
+  Object.defineProperty(prototype, 'constructor', {
+    value: constructor,
+    writable: false,
+    configurable: true,
+  });
+}
diff --git a/packages/ses/test/test-no-eval.js b/packages/ses/test/test-no-eval.js
@@ -5,7 +5,7 @@ import '../index.js';
 // I've manually verified that this is not failing due to the dynamic-eval
 // check in src/lockdown-shim.js, and the remaining issues are captured in
 // https://github.com/endojs/endo/issues/903.
-test.failing('lockdown must not throw when eval is forbidden', t => {
+test('lockdown must not throw when eval is forbidden', t => {
   lockdown({ errorTaming: 'unsafe' });
   t.pass();
 });
