[vulnerability][acl] Fix #341 Apply ACL to all sources of Object.assi…

…gn()
t2ym · Mar 3, 2020 · eb25f8e · eb25f8e
1 parent 9558349
commit eb25f8e
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 10 deletions.
diff --git a/demo/hook-callback.js b/demo/hook-callback.js
@@ -5713,10 +5713,13 @@ else {
                       property = _p;
                       break;
                     case S_TARGETED:
-                      if (_args[1][1] instanceof Object || (_args[1][1] && typeof _args[1][1] === 'object')) {
-                        rawProperty = [];
-                        for (let i = 1; i < _args[1].length; i++) {
-                          let _obj = _args[1][i];
+                      rawProperty = [];
+                      for (let i = 1; i < _args[1].length; i++) {
+                        let _obj = _args[1][i];
+                        if (!_obj) {
+                          continue;
+                        }
+                        if (_obj instanceof Object || typeof _obj === 'object') {
                           let _name = _globalObjects.get(_obj);
                           let _isStatic = true;
                           let _isObject = false;
@@ -5730,8 +5733,8 @@ else {
                           // TODO: Are inherited properties targeted?
                           rawProperty = rawProperty.concat(Object.keys(_args[1][i]));
                         }
-                        property = rawProperty.map(p => _escapePlatformProperties.get(p) || p);
                       }
+                      property = rawProperty.map(p => _escapePlatformProperties.get(p) || p);
                       break;
                     case S_ALL:
                       property = _p;
@@ -7223,10 +7226,13 @@ else {
                       property = _p;
                       break;
                     case S_TARGETED:
-                      if (_args[1][1] instanceof Object || (_args[1][1] && typeof _args[1][1] === 'object')) {
-                        rawProperty = [];
-                        for (let i = 1; i < _args[1].length; i++) {
-                          let _obj = _args[1][i];
+                      rawProperty = [];
+                      for (let i = 1; i < _args[1].length; i++) {
+                        let _obj = _args[1][i];
+                        if (!_obj) {
+                          continue;
+                        }
+                        if (_obj instanceof Object || typeof _obj === 'object') {
                           let _name = _globalObjects.get(_obj);
                           let _isStatic = true;
                           let _isObject = false;
@@ -7240,8 +7246,8 @@ else {
                           // TODO: Are inherited properties targeted?
                           rawProperty = rawProperty.concat(Object.keys(_args[1][i]));
                         }
-                        property = rawProperty.map(p => _escapePlatformProperties.get(p) || p);
                       }
+                      property = rawProperty.map(p => _escapePlatformProperties.get(p) || p);
                       break;
                     case S_ALL:
                       property = _p;

diff --git a/demo/normalize.js b/demo/normalize.js
@@ -3022,6 +3022,10 @@
     accessor: { get: function () { return this.property2; }, set: function (value) { this.property2 = value; }, configurable: true, enumerable: true },
   }).accessor = 2; // write this own accessor
 
+  chai.assert.throws(() => {
+    Object.assign({}, undefined, window);
+  }, /^Permission Denied: Cannot access window/);
+
   /*
   let NoAclGlobalObject = {
     property: 1,