Node: Let's make a plan for bad getters and toString() methods
Version: master
Platform: all
Subsystem: src
It seems like these types of issues get opened pretty frequently. Node accepts an object as input, and one of the properties on that object is a getter that throws an error. Similar problems exist with toString() and others. It's usually reported as a security issue that bypasses JavaScript validation (when we have some in place) and crashes in the binding layer.
I tried to fix one such issue and was told that instead of fixing ad hoc, we should come up with a plan. I agree with that idea. So, let's come up with a plan. Should we ignore the problem? Ensure that getters and other potential problematic methods are corrected in the JS layer? Something else?
cjihrig
All 9 comments
/cc @tniessen
Trott
on 12 Apr 2017
I’m good with the approach that e.g. #12371 is taking – handle everything properly in the C++ layer, forwarding possible exceptions to JS if they are encountered.
addaleax
on 12 Apr 2017
Applied the "security" label as it may be concerned by this issue in, at least, some cases; please remove it if it's not relevant.
aqrln
on 12 Apr 2017
I think so far all collaborators have indicated in the discussions here that those issues can’t reasonably be considered security issues.
addaleax
on 12 Apr 2017
One (rather extreme) option is to:
- quit using
-fno-exceptionsfor Node's C++ code - throw C++ exceptions when JS exceptions occur
- catch and ignore the exception at the V8 callback interface.
DemiMarie
on 12 Apr 2017
I personally consider it a non-issue. I'd be more amenable if it was something you hit by accident but so far it's all been people playing at security researcher.
bnoordhuis
on 13 Apr 2017
I agree with @addaleax: I don't see a problem fixing it ad hoc, this does not appear to be a design problem. None of the reported issues I came across pose any real-world danger.
tniessen
on 13 Apr 2017
@tniessen By the way, your first comment (the one you deleted) about gradually updating everything to MaybeLocal<Value> is on the ball. It's happening slowly but surely whenever we make updates.
bnoordhuis
on 13 Apr 2017
Thanks for the feedback. I'll close the issue. Feel free to continue the discussion.
cjihrig
on 14 Apr 2017
Related issues
dfahlander
·
3Comments
danialkhansari
·
3Comments
stevenvachon
·
3Comments
willnwhite
·
3Comments
Icemic
·
3Comments
Most helpful comment
I personally consider it a non-issue. I'd be more amenable if it was something you hit by accident but so far it's all been people playing at security researcher.