HiddenControlFlowHazard
Seemingly safe Caja data computations may result in a control-flow transfer to a potential adversary.

Reported by Tyler Close.

When the Caja programmer writes, for example, "x + y", where x or y are supplied by another Caja module, this may cause a (surprising and thereby hazardous) control transfer to code determined by that other module. The reason is JavaScript's coercion rules, which may cause implicit calls to valueOf() and/or toString() methods. Our current plan, to fix other bugs, is to prohibit binding of valueOf(), and to allow binding of toString() only to functions as wrapped by asSimpleFunc() or asXo4a() or something. However, because we will still allow toString() to be bound to Caja-determined code, the hazard of the implicit control-flow transfer will remain.
Jacaranda and ADsafe both prohibit binding of valueOf, but allow binding of toString. So they have this hazard to the same extent as Caja/Cajita, when the built-in operators are used.
The Jacaranda library has non-coercing, non-overloaded functions corresponding to all of the built-in operators. For example $fadd(x, y) does a non-coercing IEEE floating point addition. These functions are ugly and slow, but for programmers who have been convinced that avoiding coercions is a good idea, they are not unusable.
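The following is an added illustration, not code from Caja or Jacaranda: it shows that a plain "x + y" calls a toString() chosen by whoever supplied the operand (even with valueOf left alone, as the report's plan would allow), and contrasts it with a non-coercing addition in the spirit of the comment's $fadd. The names makeUntrustedOperand, naiveAdd and strictAdd are hypothetical.

```javascript
// Simulates a value handed over by another module. Only toString() is
// overridden, mirroring the plan to prohibit valueOf() but allow toString().
// The log records that control reached the other module's code.
function makeUntrustedOperand(log) {
  return {
    toString() {
      log.push("toString() of untrusted operand executed");
      return "42";
    },
  };
}

// The seemingly safe computation from the report. For 1 + obj, JavaScript's
// ToPrimitive tries valueOf() (inherited, returns the object itself, so it is
// ignored) and then calls toString(): a hidden control transfer.
function naiveAdd(x, y) {
  return x + y;
}

// Non-coercing addition: refuse anything that is not already a primitive
// number, so no implicit valueOf()/toString() call can ever happen.
function strictAdd(x, y) {
  if (typeof x !== "number" || typeof y !== "number") {
    throw new TypeError("strictAdd: operands must be primitive numbers");
  }
  return x + y;
}

// Runs both variants against a constructed untrusted operand and reports
// what happened; returned so the outcome can be checked programmatically.
function demo() {
  const log = [];
  const y = makeUntrustedOperand(log);
  const naiveResult = naiveAdd(1, y);      // "142": toString() ran, string concat
  const callsAfterNaive = log.length;      // 1
  let rejected = false;
  try {
    strictAdd(1, y);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { naiveResult, callsAfterNaive, rejected, callsAfterStrict: log.length };
}
```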