Skip to content

Commit

Permalink
fixup! unhardenable proxies refuse suppressTrapping
Browse files Browse the repository at this point in the history
  • Loading branch information
erights committed Jan 1, 2025
1 parent 5bc9589 commit 7c0edb8
Show file tree
Hide file tree
Showing 5 changed files with 51 additions and 6 deletions.
11 changes: 10 additions & 1 deletion packages/captp/src/trap.js
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,12 @@ export const nearTrapImpl = harden({
},
});

/** @type {ProxyHandler<any>} */
/**
* While the resulting proxy can be frozen, it refuses to be made non-trapping
* and so cannot be hardened.
*
* @type {ProxyHandler<any>}
*/
const baseFreezableProxyHandler = {
set(_target, _prop, _value) {
return false;
Expand All @@ -33,6 +38,10 @@ const baseFreezableProxyHandler = {
deleteProperty(_target, _prop) {
return false;
},
// @ts-expect-error suppressTrapping is not yet in the TS ProxyHandler
suppressTrapping(_target) {
return false;
},
};

/**
Expand Down
11 changes: 10 additions & 1 deletion packages/eventual-send/src/E.js
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,12 @@ const { assign, create, freeze } = Object;

const onSend = makeMessageBreakpointTester('ENDO_SEND_BREAKPOINTS');

/** @type {ProxyHandler<any>} */
/**
* While the resulting proxy can be frozen, it refuses to be made non-trapping
* and so cannot be hardened.
*
* @type {ProxyHandler<any>}
*/
const baseFreezableProxyHandler = {
set(_target, _prop, _value) {
return false;
Expand All @@ -24,6 +29,10 @@ const baseFreezableProxyHandler = {
deleteProperty(_target, _prop) {
return false;
},
// @ts-expect-error suppressTrapping is not yet in the TS ProxyHandler
suppressTrapping(_target) {
return false;
},
};

// E Proxy handlers pretend that any property exists on the target and returns
Expand Down
17 changes: 13 additions & 4 deletions packages/eventual-send/src/handled-promise.js
Original file line number Diff line number Diff line change
Expand Up @@ -307,23 +307,32 @@ export const makeHandledPromise = () => {
const { proxy: proxyOpts } = options;
let presence;
if (proxyOpts) {
// TODO for these cases, it will be unreasonably hard for all uses
// to avoid hardening the returned proxy.
const {
handler: proxyHandler,
target: proxyTarget,
revokerCallback,
} = proxyOpts;

// While the resulting proxy can be frozen, by default,
// it refuses to be made non-trapping and so cannot be hardened.
// However, we allow proxyOpts.proxyHandler to explicitly override
// this default `suppressTrapping`.
const fullProxyHandler = {
suppressTrapping(_target) {
return false;
},
...proxyHandler,
};
if (revokerCallback) {
// Create a proxy and its revoke function.
const { proxy, revoke } = Proxy.revocable(
proxyTarget,
proxyHandler,
fullProxyHandler,
);
presence = proxy;
revokerCallback(revoke);
} else {
presence = new Proxy(proxyTarget, proxyHandler);
presence = new Proxy(proxyTarget, fullProxyHandler);
}
} else {
// Default presence.
Expand Down
9 changes: 9 additions & 0 deletions packages/marshal/src/marshal-stringify.js
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,12 @@ const doNotConvertValToSlot = val =>
const doNotConvertSlotToVal = (slot, _iface) =>
Fail`Marshal's parse must not encode any slots ${slot}`;

/**
* While the resulting proxy can be frozen, it refuses to be made non-trapping
* and so cannot be hardened.
*
* @type {ProxyHandler<any>}
*/
const badArrayHandler = harden({
get: (_target, name, _receiver) => {
if (name === 'length') {
Expand All @@ -23,6 +29,9 @@ const badArrayHandler = harden({
// `throw` is noop since `Fail` throws. But linter confused
throw Fail`Marshal's parse must not encode any slot positions ${name}`;
},
suppressTrapping(_target) {
return false;
},
});

// Note the use of `freeze` rather than `harden` below. This is because
Expand Down
9 changes: 9 additions & 0 deletions packages/ses/src/strict-scope-terminator.js
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,11 @@ export const alwaysThrowHandler = new Proxy(
* scopeTerminatorHandler manages a strictScopeTerminator Proxy which serves as
* the final scope boundary that will always return "undefined" in order
* to prevent access to "start compartment globals".
*
* While the resulting proxy can be frozen, it refuses to be made non-trapping
* and so cannot be hardened.
*
* @type {ProxyHandler<any>}
*/
const scopeProxyHandlerProperties = {
get(_shadow, _prop) {
Expand Down Expand Up @@ -76,6 +81,10 @@ const scopeProxyHandlerProperties = {
ownKeys(_shadow) {
return [];
},

suppressTrapping(_target) {
return false;
},
};

// The scope handler's prototype is a proxy that throws if any trap other
Expand Down

0 comments on commit 7c0edb8

Please sign in to comment.