Prohibit Object methods being called through IPC #6780

Open
wants to merge 7 commits into
base: master

GytisCepk
Contributor

@GytisCepk GytisCepk commented May 31, 2024

Motivation

IPC expects only methods defined in a custom IPC interface to be called, but it does not account for all other methods defined in an IPC handler. For this reason, it is possible to execute methods that exist in the IPC handler but are not intended to be called from the frontend. This includes all methods inherited from Object and any methods defined as private in TypeScript code.

This could be exploited by a malicious party to weaken security (work item for more details).

Changes

Changes in this PR prevent methods inherited from the Object class (e.g.: toString, __defineSetter__) from being called through IPC.

It would be great to also prohibit private methods in custom IPC handlers from being callable, but it's not possible, since, if they are defined private in TypeScript, this information is not available during runtime. Added a recommendation to the documentation to either remove private methods from IPC handlers or define them as JavaScript private properties.
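
The dispatch problem described in the PR description above, as an added example that is not part of the pull request or the project's code. `FileHandler`, `naiveDispatch`, `isCallableOverIpc` and `safeDispatch` are hypothetical names, and the prototype-chain check is one possible way to implement the restriction, not necessarily the one this PR uses.

```javascript
// Added example: every class and function name here is hypothetical.
class FileHandler {
  #secret = "token"; // JavaScript private field, not addressable by name
  openFile(path) { return `opened ${path}`; } // part of the IPC interface
  // Imagine this is declared `private` in TypeScript: the modifier is erased
  // at compile time, so at runtime it is an ordinary prototype method.
  resetCache() { return "cache reset"; }
  #audit() { return this.#secret.length; } // JavaScript private method
  secretLength() { return this.#audit(); }
}

// Naive dispatch: anything that resolves to a function on the handler is
// callable, including everything inherited from Object.prototype.
function naiveDispatch(handler, method, args) {
  const fn = handler[method];
  if (typeof fn !== "function") throw new Error(`Method not found: ${method}`);
  return fn.apply(handler, args);
}

// Restriction: the name must be a plain method declared on the handler's own
// class chain, stopping before Object.prototype; "constructor" is excluded.
function isCallableOverIpc(handler, method) {
  if (typeof method !== "string" || method === "constructor") return false;
  let proto = Object.getPrototypeOf(handler);
  while (proto !== null && proto !== Object.prototype) {
    const desc = Object.getOwnPropertyDescriptor(proto, method);
    if (desc) return typeof desc.value === "function"; // rejects accessors
    proto = Object.getPrototypeOf(proto);
  }
  return false;
}

function safeDispatch(handler, method, args) {
  if (!isCallableOverIpc(handler, method)) {
    throw new Error(`Method not allowed over IPC: ${method}`);
  }
  return handler[method](...args);
}

// Constructed method names, as a frontend request might carry them.
const handler = new FileHandler();
for (const name of ["openFile", "toString", "__defineSetter__", "resetCache", "#audit"]) {
  const verdict = isCallableOverIpc(handler, name) ? "allowed" : "rejected";
  console.log(name.padEnd(18), verdict);
}
```

`resetCache` stays callable under the check because nothing at runtime distinguishes it from a public method, while `#audit` is never reachable by name.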

@pmconne
Member

pmconne commented May 31, 2024

Your PR description should specify why you want to do this.

@GytisCepk
Contributor Author

> Your PR description should specify why you want to do this.

Updated description.

Member

@pmconne pmconne left a comment


I want to discuss with @wgoehrig first.

3 participants