CVE-2023-23557: Use copyDataProperties slow path for objects with accessors · facebook/hermes@a00d237

Permalink

Browse files

Browse the repository at this point in the history

Use copyDataProperties slow path for objects with accessors

Summary: Fix a bug present in `hermesBuiltinCopyDataProperties`. `hermesBuiltinCopyDataProperties` is meant to copy an object. It does this by iterating over all the properties in the source object, and then writing the key-value pair into a new object which is returned.The iteration is done using `JSObject::forEachOwnPropertyWhile`, providing a callback to process each property. It will take the property id, look it up in the source object using `getNamedPropertyValue_RJS`, then take that resulting value and write it into the target. However, that API explicitly states the following:

Obviously the callbacks shouldn’t be doing naughty things like modifying the property map or creating new hidden classes (even implicitly)

But, `getNamedPropertyValue_RJS` can perform arbitrary JS execution if it is a getter, including adding/deleting new properties, which would modify the object’s HiddenClass, thus violating `JSObject::forEachOwnPropertyWhile`’s precondition.Therefore, the fix is to use the correct, but slower path, whenever there is an accessor on the object. This code path is more 1:1 to the spec. At the beginning, it will simply find all the properties of the source object using `JSObject::getOwnPropertyKeys` and then iterate on those, rather than use `JSObject::forEachOwnPropertyWhile`. This way, we are allowed to manipulate the source object however we wish, which is necessary in order to call `getNamedPropertyValue_RJS`.

Reviewed By: neildhar

Differential Revision: D41701871

fbshipit-source-id: c4be179f57d52827f12ca26b1ab8d17cdccd7447

• Loading branch information