0.4.0-alpha.7 [vulnerability][acl] Fix #333 Check constructors of Obj…

…ect.assign() source objects

demo-frontend/components/thin-hook/demo/hook-callback.js

@@ -3256,6 +3256,14 @@ else {
         },
       },
     },
+    DummyObject1: {
+      [S_DEFAULT]: '---',
+      [S_ALL]: '---',
+      [S_OBJECT]: {
+        [S_DEFAULT]: '---',
+        '@normalization_checker': '-w--W', // write-only to throw on reading
+      },
+    },
     BaseClass1: {
       [S_OBJECT]: {
         [S_DEFAULT]: '---',
@@ -3275,6 +3283,10 @@ else {
         [S_DEFAULT]: '---',
         [S_INSTANCE]: {
           [S_DEFAULT]: '---',
+          $__proto__$: {
+            [S_DEFAULT]: '---',
+            '@normalization_checker': 'r--',
+          },
           instanceMethod: {
             [S_DEFAULT]: '---',
             '@normalization_checker': '--x',
@@ -4930,13 +4942,25 @@ else {
                       property = _p;
                       break;
                     case S_TARGETED:
-                      if (_args[1][1] instanceof Object) {
+                      if (_args[1][1] instanceof Object || (_args[1][1] && typeof _args[1][1] === 'object')) {
                         rawProperty = [];
                         for (let i = 1; i < _args[1].length; i++) {
                           let _obj = _args[1][i];
                           let _name = _globalObjects.get(_obj);
-                          if (!applyAcl(_name, true, false, S_ALL, 'r', context, _obj, _args, arguments)) {
-                            result = [_name, true, false, S_ALL, 'r', context, _obj, _args, arguments];
+                          let _isStatic = true;
+                          let _isObject = false;
+                          if (!_name) {
+                            let _ctor = _obj.constructor;
+                            if (typeof _ctor === 'function') {
+                              _name = _globalObjects.get(_ctor);
+                              if (_name) {
+                                _isStatic = false;
+                                _isObject = _obj instanceof _ctor;
+                              }
+                            }
+                          }
+                          if (!applyAcl(_name, _isStatic, _isObject, S_ALL, 'r', context, _obj, _args, arguments)) {
+                            result = [_name, _isStatic, _isObject, S_ALL, 'r', context, _obj, _args, arguments];
                             throw new Error('Permission Denied: Cannot access ' + SetMap.getStringValues(_name));
                           }
                           // TODO: Are inherited properties targeted?
@@ -6416,13 +6440,25 @@ else {
                       property = _p;
                       break;
                     case S_TARGETED:
-                      if (_args[1][1] instanceof Object) {
+                      if (_args[1][1] instanceof Object || (_args[1][1] && typeof _args[1][1] === 'object')) {
                         rawProperty = [];
                         for (let i = 1; i < _args[1].length; i++) {
                           let _obj = _args[1][i];
                           let _name = _globalObjects.get(_obj);
-                          if (!applyAcl(_name, true, false, S_ALL, 'r', context, _obj, _args, arguments)) {
-                            result = [_name, true, false, S_ALL, 'r', context, _obj, _args, arguments];
+                          let _isStatic = true;
+                          let _isObject = false;
+                          if (!_name) {
+                            let _ctor = _obj.constructor;
+                            if (typeof _ctor === 'function') {
+                              _name = _globalObjects.get(_ctor);
+                              if (_name) {
+                                _isStatic = false;
+                                _isObject = _obj instanceof _ctor;
+                              }
+                            }
+                          }
+                          if (!applyAcl(_name, _isStatic, _isObject, S_ALL, 'r', context, _obj, _args, arguments)) {
+                            result = [_name, _isStatic, _isObject, S_ALL, 'r', context, _obj, _args, arguments];
                             throw new Error('Permission Denied: Cannot access ' + SetMap.getStringValues(_name));
                           }
                           // TODO: Are inherited properties targeted?

demo-frontend/components/thin-hook/demo/index.html

@@ -15,9 +15,9 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <script integrity="sha256-TFrFiRKARBEUPnqZ449sQVki+YPEw7RhpfAIvYAt2Ps= sha256-u1C04KS8T7VFadRCjxb5X7ESXpc4VSuLIcH+c7vVDSk=" src="../../thin-hook/hook.min.js?version=668&no-hook-authorization=ddb8b93c6d52e27463c13f99d83f6157b102f528b88196a385bb797d6101ffbf,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&service-worker-ready=false"></script></head></html>
-  <script context-generator src="no-hook-authorization.js?no-hook=true" integrity="sha256-3bi5PG1S4nRjwT+Z2D9hV7EC9Si4gZajhbt5fWEB/78="></script>
-  <script context-generator src="integrity.js?no-hook=true" integrity="sha256-bUfV9k4118TjlXCBF5GglAWTSI2Tw6KE4VyTjMsIzps="></script>
+  <script integrity="sha256-Cf4mDo65iIKDW81W+3KzFb/VuPWue5LxcfPEHYMi74o= sha256-BAMAThR9MqmenyMzbm8z6myq4GX40TU8OrhvlJ9Rt8w=" src="../../thin-hook/hook.min.js?version=668&no-hook-authorization=8686b02f342e6e755463f878a3201ac0a9a1fd48f4db529c842df068c02ec63b,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&service-worker-ready=false"></script></head></html>
+  <script context-generator src="no-hook-authorization.js?no-hook=true" integrity="sha256-hoawLzQubnVUY/h4oyAawKmh/Uj021KchC3waMAuxjs="></script>
+  <script context-generator src="integrity.js?no-hook=true" integrity="sha256-gGoPYlO3bsNX0Vre/FpnMEhH8Y4qok2bvAcqCJNeybk="></script>
   <script context-generator src="disable-devtools.js?no-hook=true" integrity="sha256-qBIJIoIJlBCXrEHFvaO8HNZDdeabfIETr/aML+Zyn/I="></script>
   <script context-generator src="context-generator.js?no-hook=true" integrity="sha256-Q3SuHyjOwrlpq0iIlaQmYkTWXijh+Cco/SzTkTD+DZ4="></script>
   <script context-generator src="bootstrap.js?no-hook=true" integrity="sha256-TqPlk5mugojW8S5owdMaeSZi4Sw/xmbQjb39/JFLAJE="></script>
@@ -49,8 +49,8 @@
     };
   }
   </script>
-  <script context-generator src="cache-bundle.js?no-hook=true&authorization=211f01b360b17df3c0abe342a52e4f51774269f3b6eec2859735d80ab411dd05" integrity="sha256-xZ1Ebqkx3yhzbVhtwmh3Mdrbczw8/WRMffOvs2pq45o="></script>
-  <script src="hook-callback.js?no-hook=true" integrity="sha256-cGOVLzs21iZBytTk5ZSFcoBcsce11kJ9Z8cTvDQvnGQ="></script>
+  <script context-generator src="cache-bundle.js?no-hook=true&authorization=bb6948443ff57d282d6e680254c3c2c1a564d3ede9349c05f4f2681113547e95" integrity="sha256-xZ1Ebqkx3yhzbVhtwmh3Mdrbczw8/WRMffOvs2pq45o="></script>
+  <script src="hook-callback.js?no-hook=true" integrity="sha256-vBefAbaeF+35V6EOemgcml7izdbT7MRj6tZFv1UgFP8="></script>
   <script context-generator src="script-hashes.js?no-hook=true&service-worker-ready=false" integrity="sha256-ugdlTRwkonG6D6fuXFXNYMAhM7DlPLa7bmNNpHOx5UA= sha256-iwNDERBbbVTJByz7MxC07PgPhzUeVeiPwbFEpdVoDlw="></script><!--<C!-- end of mandatory no-hook scripts --C>
   <script src="../../webcomponentsjs/webcomponents-lite.js"></script>
   <C!-- <script no-hook>

demo-frontend/components/thin-hook/demo/integrity.js

@@ -331,8 +331,8 @@
 
   RSA.publicKeyBits = 2048; // number of bits in RSA public key, which must be at least 2048
   RSA.publicKeySize = RSA.publicKeyBits / 8; // number of bytes for RSA-OAEP encrypted data size
-  RSA.publicKeyBase64 = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAluifAjXsscfZEPHgtixrbPbwfVCMRgn6muzpUbZ0WinImPh+h4Z5IhHF4cwihWhFdmsV5m0Yq+vkE+kAH2TzqaXOT/kEpcNUSbmLr1hvRBe8Z9/npaI3+NQmGG6Ao0UGdaUvrFSbpwWorN3y4ITkjrsn8UwTlWpERyCFm5WcExLsisVX4oS36DCitlbkkdt/+a/BvDEP4AV/3YiNeG5zXW76PQWIUnReOsvk4EatrzZR6O4R06mdpJvTP/0osIQHbAV4pTwu4baS6Fu0gyTpM/vxLUlsHVOicxebk3z2w7KJcqxaSuvjzkR+oQq/Rs8OBD3oGbVP7A1UICmTXUi8/wIDAQAB';
-  ECDSA.publicKeyBase64 = 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0LsaUA1rvYa5+R92Vr1epKUnp8PXTUsWECtpeRPZgW/nuFNJrVVygLWVKp1Gj0w83AT1gXCKqi9TjqFBqlEcQw==';
+  RSA.publicKeyBase64 = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgkSKzmdUnCfLPIFObieJGEcANA07PnM8aYfpLs3dW+rbdtK8HycRcyqvRcoMYklO7Zjj7U3kCx09wrhhHmCdoBtjqZfvJlQ4xqLPw6r85UzzHQNJ7cayRmbuDrqvHgIE3DtaJvPO0JVT3i+MjmpwRhOl5UW7ddIenhoUjOD19vpp8MiyDsBUVYcb8/gonPtHwwO2P/myyEY8RBpbhPkgOnjIIqqiSQju/tRuAQ7mbO3k8GpCzPNqdT/gokweOGo1744VLRwSbwDCWqkw2hiNw9Fe5BB4ONU5oYybAivCFUNG1feBIfwtF4osaeWwqsq1Qzej+aj+IELzSc7cO05P6wIDAQAB';
+  ECDSA.publicKeyBase64 = 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA1GSfnhbbpajOH7rs7s9QHw/QZi+dmo5MqQxVRbMFnvkQjBKTXEVyAkeAbZcQeweICN2W2MpwQOeHh5a+MK6kw==';
   ECDSA.signatureLength = SHA256.hashBytes * 2;
   ECDHE.publicKeyLength = 1 + SHA256.hashBytes * 2;
 

demo-frontend/components/thin-hook/demo/integrity.json

@@ -3494,13 +3494,13 @@
   "/components/thin-hook/demo/bundle.json": "NKwjN4DXt2s+80XoHlFlWbnI5rklchdQCerPDjtfBIk=",
   "/components/thin-hook/demo/cache-automation.js": "x2G0JD1JJOVC3rhFCrQnigaYlTu7C5vhOTRHBixXcS4=",
   "/components/thin-hook/demo/cache-bundle.js": "xZ1Ebqkx3yhzbVhtwmh3Mdrbczw8/WRMffOvs2pq45o=",
-  "/components/thin-hook/demo/cache-bundle.json": "tLW1SyES0PCongZqXJibbqsULvXQEapgBxzWWY3+B3Y=",
+  "/components/thin-hook/demo/cache-bundle.json": "khVj60SYisYIVcq1fj0pL+DQ3XbJiLKsgc70xV2h6pU=",
   "/components/thin-hook/demo/commonjs.js": "KjmEtrrjEj4WCR1bjCEOZnXhe+9w4wJoaUg40WU0FuQ=",
   "/components/thin-hook/demo/commonjs2.js": "tiHpF2aP1nZUY/O31R9j/kWne3jFgqPIds0MwNLxhk4=",
   "/components/thin-hook/demo/content-loader.js": "AkIBbiiHsyKrKLiH8Dd5xjiZ2yMrsDbXlKAnjbnlQzk=",
   "/components/thin-hook/demo/context-generator.js": "Q3SuHyjOwrlpq0iIlaQmYkTWXijh+Cco/SzTkTD+DZ4=",
   "/components/thin-hook/demo/disable-devtools.js": "qBIJIoIJlBCXrEHFvaO8HNZDdeabfIETr/aML+Zyn/I=",
-  "/components/thin-hook/demo/empty-document.html": "85t3wQCGA+8OGa3xm/TCcCgyAkPl/eRHv63AnuWc29k=",
+  "/components/thin-hook/demo/empty-document.html": "nZhesruh7HXkXJxHqTEPv/CC8F7tzGrz4F+hl5nV54U=",
   "/components/thin-hook/demo/es6-module.js": "fqNv9zHgC8txL7mU0+zySAwIQNRjpTVJtDI34AWzvOY=",
   "/components/thin-hook/demo/es6-module2.js": "m8es06TrC+X9xZ9p6bWrs0s4su7FcMoZak389t8NOyY=",
   "/components/thin-hook/demo/es6-module3.js": "qq7q9Gk9vgQSZmElUAaLOEQxALCbP9ysHKqQjwyas+Y=",
@@ -3510,12 +3510,12 @@
   "/components/thin-hook/demo/generator.js": "KN5sn0Eo8OgAJbr5mDlBfbNkZMI6r7/2qn0L77tqGJo=",
   "/components/thin-hook/demo/global.js": "pSw50DEF5s1Mvna1jemHFHdyV0mKgEjjK6WUa4gnPis=",
   "/components/thin-hook/demo/gulpfile.js": "DIqA08HOMy17CgdY4ZDisJbNGxMPcP3YXTGz2eijReY=",
-  "/components/thin-hook/demo/hook-callback.js": "cGOVLzs21iZBytTk5ZSFcoBcsce11kJ9Z8cTvDQvnGQ=",
+  "/components/thin-hook/demo/hook-callback.js": "vBefAbaeF+35V6EOemgcml7izdbT7MRj6tZFv1UgFP8=",
   "/components/thin-hook/demo/hook-native-api.js": "CXlkZoO+ybloLZdNVJ7/thsfyYGth9rHbUTQRA2Hs5Y=",
   "/components/thin-hook/demo/hook-worker.js": "W2FaqIWgUYRmFTvm7LLP7vEwDxgf9gypHK2WRlnJIFI=",
   "/components/thin-hook/demo/index-fb.html": "D9idm83/VxddYcF1L/fb3Vu6W5n8IDX4lH5KG66DSFk=",
   "/components/thin-hook/demo/inline-script.svg": "NRdobFKL9ufnJCuVHoPLUUsXRBgGgjY3EdwWwHjm/GQ=",
-  "/components/thin-hook/demo/integrity.js": "bUfV9k4118TjlXCBF5GglAWTSI2Tw6KE4VyTjMsIzps=",
+  "/components/thin-hook/demo/integrity.js": "gGoPYlO3bsNX0Vre/FpnMEhH8Y4qok2bvAcqCJNeybk=",
   "/components/thin-hook/demo/invalid-document.html": "KAPziibQgBjvjZ6VlnXTeFUTkAuZVpd3BtX0pBKBzzI=",
   "/components/thin-hook/demo/lhs.js": "h12n3evI8zqX4nFe66ZlwpbdwgB/o8YZJjkxFVPVOIQ=",
   "/components/thin-hook/demo/locales/bundle.de.json": "yBx145NiuX8NYTjr4YnQDauqpPg2forcuXjFqtzYq70=",
@@ -3551,14 +3551,14 @@
   "/components/thin-hook/demo/my-view2.json": "PptwWPvugpMTpsXZFfaSVwr2BcYSGJkfhjEiV6RrFJI=",
   "/components/thin-hook/demo/my-view3.html": "pSmI7cALKmeqoKKZefU8NicI4V0ZUcScMGSklkVBeFw=",
   "/components/thin-hook/demo/my-view3.json": "uatxD9AZkiGiFvGsMqhTVLNxAqDiylbvuGors1Hb1hc=",
-  "/components/thin-hook/demo/no-hook-authorization.js": "3bi5PG1S4nRjwT+Z2D9hV7EC9Si4gZajhbt5fWEB/78=",
-  "/components/thin-hook/demo/normalize.js": "0Xgt2lxxhdpnUvhsIMr0sAJBZm2xR23MyZW7gu3s8Ss=",
+  "/components/thin-hook/demo/no-hook-authorization.js": "hoawLzQubnVUY/h4oyAawKmh/Uj021KchC3waMAuxjs=",
+  "/components/thin-hook/demo/normalize.js": "7AInFiJEGLeFrBG2SE5MDBIjgoW9yyuKFIKa1qdZ5dU=",
   "/components/thin-hook/demo/script-hashes.js": "ugdlTRwkonG6D6fuXFXNYMAhM7DlPLa7bmNNpHOx5UA=",
   "/components/thin-hook/demo/shared-worker-client.js": "WE5mA1PRKWU5fULLeEqjSJ5RpFF3uf4fWyvNkGK83D0=",
   "/components/thin-hook/demo/shared-worker.js": "B9AZYCwUFTYmnEXQ0hLA6JJbVR5vakBrX3426XaEbbI=",
   "/components/thin-hook/demo/spread.js": "gpfCZwAb/tn4HErIHzwhcCC0eMbvuzExYzK97dlma2A=",
-  "/components/thin-hook/demo/sub-document.html": "7qwNBE9Oxxze7vWGgwPycZaA/u2QcU/D+3xcRluOOTc=",
-  "/components/thin-hook/demo/sub-sub-document.html": "77gWvhUSh2bbpvyRJen6MaPPZ7ckbqxpSe5q5pXREXg=",
+  "/components/thin-hook/demo/sub-document.html": "p7mbw0HOIWJopUIEZO+6/P1BJ65rnCkhFAQGbBBYwRU=",
+  "/components/thin-hook/demo/sub-sub-document.html": "OYqD6S3KNAJC5Fl9DKyEg6VhB5tWhFE/JjwLj55zj3s=",
   "/components/thin-hook/demo/unauthorized-no-hook-script.js": "YjNcphHrG7UkmBspO6aCgkw+hh4Y7XvsD4TmuplpABE=",
   "/components/thin-hook/demo/unauthorized-no-hook-worker-script.js": "j5e2u8zJ41kNLbACDJCY/DJkneDOzuWJwZ+lw2bh1XE=",
   "/components/thin-hook/demo/web-worker-client.js": "stBjyffqLegDpNIyI3pc9q3H0lmL961LWhGr0eR5N/0=",
@@ -3573,7 +3573,7 @@
   "/components/thin-hook/demo/xliff/bundle.fr.xlf": "qC940/MZ/rG31gok/D9KPHYD/xRCkziCBIUwhgxdovI=",
   "/components/thin-hook/demo/xliff/bundle.ja.xlf": "QbZEDWcoqnJyqKIHA8rGr7rNYmG67RAHOyw1/oEXWu8=",
   "/components/thin-hook/demo/xliff/bundle.zh-Hans.xlf": "AyxbV4426iZK9PQB6O+s3JIoA3sO+4lVOQlSrwP7+/U=",
-  "/components/thin-hook/hook.min.js": "TFrFiRKARBEUPnqZ449sQVki+YPEw7RhpfAIvYAt2Ps=",
+  "/components/thin-hook/hook.min.js": "Cf4mDo65iIKDW81W+3KzFb/VuPWue5LxcfPEHYMi74o=",
   "/components/vaadin-grid/all-imports.html": "LMCPxNwxFswTTdXlEHbdRxOpL5SpqCPSHCLSit7xLw0=",
   "/components/vaadin-grid/bower.json": "0nox4NkE51Wy3KhWPvlJ7leWO6MhyCx6utOGLMOCBxA=",
   "/components/vaadin-grid/grid.gif": "bYmTEFtW4rCFnHX6m7k0XnOBHnVBsgAs4WEPiEoy4dc=",

demo-frontend/components/thin-hook/demo/no-hook-authorization.js

@@ -13,11 +13,11 @@ else {
     //   hook.parameters.noHookAuthorizationFailed
     // JSONs are output to console in the learning mode
     //'*': true,
-    "4c5ac58912804411143e7a99e38f6c415922f983c4c3b461a5f008bd802dd8fb": true, // hook.min.js
+    "09fe260e8eb98882835bcd56fb72b315bfd5b8f5ae7b92f171f3c41d8322ef8a": true, // hook.min.js
     "a81209228209941097ac41c5bda3bc1cd64375e69b7c8113aff68c2fe6729ff2": true, // demo/disable-devtools.js
     "4374ae1f28cec2b969ab488895a4266244d65e28e1f82728fd2cd39130fe0d9e": true, // demo/context-generator.js
     "4ea3e59399ae8288d6f12e68c1d31a792662e12c3fc666d08dbdfdfc914b0091": true, // demo/bootstrap.js
-    "7063952f3b36d62641cad4e4e5948572805cb1c7b5d6427d67c713bc342f9c64": true, // demo/hook-callback.js
+    "bc179f01b69e17edf957a10e7a681c9a5ee2cdd6d3ecc463ead645bf552014ff": true, // demo/hook-callback.js
     "0979646683bec9b9682d974d549effb61b1fc981ad87dac76d44d0440d87b396": true, // demo/hook-native-api.js
     "5b615aa885a0518466153be6ecb2cfeef1300f181ff60ca91cad964659c92052": true, // demo/hook-worker.js
     "c59d446ea931df28736d586dc2687731dadb733c3cfd644c7df3afb36a6ae39a": true, // demo/cache-bundle.js
@@ -33,7 +33,7 @@ else {
     "c135fd6ba3cad41e63985ecca191995bf311abc756c5f574ef5b641e7db56914": true, // (function writeln2() { console.log("no-hook script tag via document.writeln"); })()
     "e233738578fd7e8f2e961fb11885e2c187146314a8e3fc65692633ff89c5d34a": true, // (function writeln4() { console.log("no-hook script tag in div tag via document.writeln"); })()
     "4f0395d52a8c1c7edaacacade9c31fe18555b79ce963dfb1abaaa34990993374": true, // location = "about:blank";
-    "6d47d5f64e35d7c4e39570811791a0940593488d93c3a284e15c938ccb08ce9b": true, // demo/integrity.js
+    "806a0f6253b76ec357d15adefc5a67304847f18e2aa24d9bbc072a08935ec9b9": true, // demo/integrity.js
     "ba07654d1c24a271ba0fa7ee5c55cd60c02133b0e53cb6bb6e634da473b1e540": true, // demo/script-hashes.js
     "0242016e2887b322ab28b887f03779c63899db232bb036d794a0278db9e54339": true, // demo/content-loader.js
   };