Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Node.js adds a property called `domain` to promises

See original GitHub issue

Mark and I noticed that Node.js adds a property called domain to promises while running something from a REPL in SwingSet.

Mark says that domain leads to all sorts of objects whose semantics we haven’t inspected for safety. This is an authority leak. If SES can’t remove the domain property from all promises before the promise is exposed to user code, then this is a severe authority leak for SES as run on Node.js. Fortunately it seems to only be a problem when code is run from a REPL.

[edit 2020-09-15 @kriskowal]

SES will not be secure on Node.js until we have the means to disable domains. We must work with the Node.js project to reveal a command-line flag or the moral equivalent.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:32 (15 by maintainers)

github_iconTop GitHub Comments

1reaction
kriskowalcommented, Jul 22, 2021

One of the implicit albeit soft requirements is to avoid coupling SES to any particular module system. Currently, the same source works in a browser script, CJS, and ESM, since it’s just presenting its API as mutations to the global scope. This keeps the build system small and avoids initializing anything it doesn’t need.

I’m going to present a PR with the snippet above.

1reaction
kriskowalcommented, Jul 22, 2021

Now without caveats:

if (typeof process === 'object' && process !== null) {
  // Check whether domains were initialized:
  const domainDescriptor = Object.getOwnPropertyDescriptor(process, 'domain');
  if (domainDescriptor !== undefined && domainDescriptor.get !== undefined) {
    throw new Error(`SES cannot guarantee containment if Node.js domains have been installed`);
  }
  // Prevents domains from initializing:
  Object.defineProperty(process, 'domain', {value: null, configurable: false, writable: false, enumerable: false});
}
Read more comments on GitHub >

github_iconTop Results From Across the Web

Domain | Node.js v19.3.0 Documentation
Any Promise s created in VM contexts no longer have a .domain property. Their handlers are still executed in the proper domain, however,...
Read more >
NodeJS - Why current domain is undefined in Promise?
According to Node.js documentation module "domain" is deprecated with stability level 0. Better handle errors in another way ...
Read more >
Guide to promises in Node.js - LogRocket Blog
Promises are generally created by calling a Promise constructor, which accepts a single callback function as an argument. The callback function, ...
Read more >
AWS Lambda function handler in Node.js
The third argument, callback , is a function that you can call in non-async handlers to send a response. The callback function takes...
Read more >
JavaScript developer reference for Azure Functions
As an Express.js, Node.js, or JavaScript developer, if you're new to ... The name property defined in function.json doesn't need to match ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Endowments are not on the global

Next page

Questions and feedback