Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

console/inspect output for functions is misleading in Hardened JS #55924

Open
gibson042 opened this issue Nov 19, 2024 · 3 comments
Open

console/inspect output for functions is misleading in Hardened JS #55924

gibson042 opened this issue Nov 19, 2024 · 3 comments
Labels
util Issues and PRs related to the built-in util module.

Comments

@gibson042
Copy link

gibson042 commented Nov 19, 2024

Version

v22.11.0

Platform

Linux x86_64

Subsystem

util

What steps will reproduce the bug?

const obj = { m(){} };

console.log(obj); // => { m: [Function: m] }

// Mitigate the assignment override mistake for Function.prototype.constructor,
// allowing the prototype to be frozen.
// cf. https://github.com/endojs/endo/blob/b3f0c567/packages/ses/src/enable-property-overrides.js
{
  const { defineProperty, hasOwn } = Object;
  const BuiltinFunction = Function;
  const BuiltinFunctionPrototype = BuiltinFunction.prototype;
  const constructorKey = "constructor";
  Object.defineProperty(BuiltinFunctionPrototype, constructorKey, {
    get() {
      return BuiltinFunction;
    },
    // A setter is not necessary to trigger this bug, but demonstrates the
    // motivation for defining such accessors.
    set(value) {
      if (this === BuiltinFunctionPrototype) throw TypeError();
      if (hasOwn(this, constructorKey)) {
        this.constructor = value;
      } else {
        const desc = { value, writable: true, enumerable: true, configurable: true };
        defineProperty(this, constructorKey, desc);
      }
    },
  });
}

console.log(obj); // => { m: {} }

How often does it reproduce? Is there a required condition?

always

What is the expected behavior? Why is that the expected behavior?

I expect console.log({ m(){} }) output to always indicate that the value for property "m" is a function, even when Function.prototype.constructor is an accessor that won't be invoked.

What do you see instead?

Defining Function.prototype.constructor as an accessor replaces the useful output with text that makes it look like functions are plain objects.

-{ m: [Function: m] }
+{ m: {} }

Additional information

My proposed fix is updating lib/internal/util/inspect.js formatRaw to privilege the "is function" check over "constructor is Object" while preserving their rendering details:

if (constructor === 'Object') {
if (isArgumentsObject(value)) {
braces[0] = '[Arguments] {';
} else if (tag !== '') {
braces[0] = `${getPrefix(constructor, tag, 'Object')}{`;
}
if (keys.length === 0 && protoProps === undefined) {
return `${braces[0]}}`;
}
} else if (typeof value === 'function') {
base = getFunctionBase(value, constructor, tag);
if (keys.length === 0 && protoProps === undefined)
return ctx.stylize(base, 'special');

     keys = getKeys(value, ctx.showHidden);
     braces = ['{', '}'];
-    if (constructor === 'Object') {
+    if (typeof value === 'function') {
+      base = getFunctionBase(value, constructor, tag);
+      if (keys.length === 0 && protoProps === undefined)
+        return ctx.stylize(base, 'special');
+    } else if (constructor === 'Object') {
       if (isArgumentsObject(value)) {
         braces[0] = '[Arguments] {';
       } else if (tag !== '') {
         braces[0] = `${getPrefix(constructor, tag, 'Object')}{`;
       }
       if (keys.length === 0 && protoProps === undefined) {
         return `${braces[0]}}`;
       }
-    } else if (typeof value === 'function') {
-      base = getFunctionBase(value, constructor, tag);
-      if (keys.length === 0 && protoProps === undefined)
-        return ctx.stylize(base, 'special');
     } else if (isRegExp(value)) {

Doing so will still affect the console/inspect output, but in a way that no longer fails to indicates functionness:

-{ m: [Function: m] }
+{ m: [Function: m] Object }

(although I am also open to tweaking that as well).

@gibson042
Copy link
Author

A similar issue also exists one level down:

const obj = {};

console.log(obj); // => {}

{
  const BultinObjectPrototype = Object.prototype;
  Object.defineProperty(Object.prototype, "constructor", {
    get: () => BuiltinObjectPrototype,
  });
}

console.log(obj); // => Object <[Object: null prototype] {}> {}

Failure to establish a constructor name does not imply a null prototype.

@BridgeAR BridgeAR added the util Issues and PRs related to the built-in util module. label Nov 21, 2024
@BridgeAR
Copy link
Member

The way the constructor is replaced is tricky. Accessing the getter would trigger side effects and it's as such impossible to identify the constructor properly. We could explore to improve getConstructorName() to detect these as "unknown".

The suggestion for fixing functions is something we can do. The current order was for performance reasons, while it's not a big overhead to get the type of an argument.

@gibson042
Copy link
Author

gibson042 commented Nov 21, 2024

Thanks, that matches my understanding. Would it make sense for me to open a PR, or is there some process between here and there?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
util Issues and PRs related to the built-in util module.
Projects
None yet
Development

No branches or pull requests

2 participants