Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Module statics are like unhardened primordials
See original GitHub issuecommons.js mostly exports primordials that will get hardened at lockdown. However, it also defines and exports some of its own functions such as
which are potentially as global as shared primordials, and which it does not itself harden, or effectively harden by manual freezing. In theory this is not a security problem because these are not actually shared primordials, and should not be implicitly accessible from non-start compartments. This may be correct, but is an unnecessary hazard. Since commons.js must initialize before lockdown, it cannot actually use harden to fix this hazard. However, it should manually freeze enough to get the same effect. In particular, uncurryThis should freeze the function it returns.
I noticed this during https://github.com/endojs/endo/pull/888 which does not itself do anything to fix this hazard, but does propagate this hazard to one additional function.
Issue Analytics
- State:
- Created 2 years ago
- Comments:6 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
See https://github.com/endojs/endo/pull/892
Doesn’t stop
because we could still harden the values of those properties, addressing the immediate point.
What is the status of this?