fix(ses): plug implicit NaN side-channel

Author: erights

packages/eslint-plugin/lib/configs/recommended.js

@@ -17,6 +17,15 @@ module.exports = {
     URL: 'readonly',
     URLSearchParams: 'readonly',
 
+    // These have been moved out of the list below because they open
+    // the NaN side channel on some platforms, and so are not considered
+    // powerless.
+    //
+    // https://github.com/tc39/proposal-float16array
+    Float16Array: 'readonly',
+    Float32Array: 'readonly',
+    Float64Array: 'readonly',
+
     // Allow what SES makes powerless, copied from its whitelist
     // *** Constructor Properties of the Global Object
     Array: 'readonly',
@@ -27,8 +36,6 @@ module.exports = {
     Boolean: 'readonly',
     DataView: 'readonly',
     EvalError: 'readonly',
-    Float32Array: 'readonly',
-    Float64Array: 'readonly',
     Int8Array: 'readonly',
     Int16Array: 'readonly',
     Int32Array: 'readonly',

packages/eslint-plugin/lib/configs/ses.js

@@ -13,7 +13,7 @@ module.exports = {
   extends: ['plugin:@endo/internal'],
   rules: {
     'no-restricted-globals': [
-      'error',
+      'error', // TODO why is this here?
       'AggregateError',
       'Array',
       'ArrayBuffer',
@@ -27,6 +27,8 @@ module.exports = {
       'Date',
       'Error',
       'EvalError',
+      // https://github.com/tc39/proposal-float16array
+      'Float16Array',
       'Float32Array',
       'Float64Array',
       'Function',

packages/harden/test/make-hardener-shallow.test.js

@@ -76,6 +76,10 @@ test('harden typed arrays', t => {
     Uint8Array,
     Uint8ClampedArray,
   ];
+  if (typeof Float16Array !== 'undefined') {
+    // https://github.com/tc39/proposal-float16array
+    typedArrayConstructors.push(Float16Array);
+  }
 
   for (const TypedArray of typedArrayConstructors) {
     const h = makeHardener({ traversePrototypes: false });

packages/harden/test/make-hardener.test.js

@@ -76,6 +76,10 @@ test('harden typed arrays', t => {
     Uint8Array,
     Uint8ClampedArray,
   ];
+  if (typeof Float16Array !== 'undefined') {
+    // https://github.com/tc39/proposal-float16array
+    typedArrayConstructors.push(Float16Array);
+  }
 
   for (const TypedArray of typedArrayConstructors) {
     const h = makeHardener({ traversePrototypes: true });

packages/ses/src/permits.js

@@ -59,10 +59,7 @@ export const universalPropertyNames = {
   Boolean: 'Boolean',
   DataView: 'DataView',
   EvalError: 'EvalError',
-  // https://github.com/tc39/proposal-float16array
-  Float16Array: 'Float16Array',
-  Float32Array: 'Float32Array',
-  Float64Array: 'Float64Array',
+
   Int8Array: 'Int8Array',
   Int16Array: 'Int16Array',
   Int32Array: 'Int32Array',
@@ -144,6 +141,18 @@ export const initialGlobalPropertyNames = {
 
   Math: '%InitialMath%',
 
+  // We move these from universalPropertyNames because the NaN side channel
+  // means that they are not quite harmless.
+  // We move them to initialGlobalPropertyNames so that they'll still be
+  // included in the primordials, repaired, and hardened. Thus, they
+  // can be endowed into compartments without hazard beyond the
+  // NaN side channel.
+  //
+  // // https://github.com/tc39/proposal-float16array
+  Float16Array: 'Float16Array',
+  Float32Array: 'Float32Array',
+  Float64Array: 'Float64Array',
+
   // ESNext
 
   // From Error-stack proposal

packages/ses/test/float-arrays.test.js

@@ -0,0 +1,42 @@
+import test from 'ava';
+import '../index.js';
+
+// The Float*Arrays are not fully harmless because they open a NaN side-channel
+// on some implementations like v8. However, they are still in the
+// start compartment, the intrinsics, and therefore repaired and frozen. They
+// are not endowed to constructed compartments by default, but can be
+// explicitly endowed.
+// The Int*Arrays remain fully harmless and universal.
+//
+test('float arrays in compartments', t => {
+  t.false(Object.isFrozen(Float64Array));
+  t.false(Object.isFrozen(Int32Array));
+  lockdown();
+  t.true(Object.isFrozen(Float64Array));
+  t.true(Object.isFrozen(Int32Array));
+
+  const c1 = new Compartment();
+  const c2 = new Compartment({
+    __options__: true,
+    globals: { Float64Array },
+  });
+
+  t.false('Float64Array' in c1.globalThis);
+  t.true('Int32Array' in c1.globalThis);
+  t.true('Float64Array' in c2.globalThis);
+
+  t.is(c1.evaluate('Float64Array'), undefined);
+  t.is(c1.evaluate('Int32Array'), Int32Array);
+  t.is(c2.evaluate('Float64Array'), Float64Array);
+
+  t.throws(
+    () => {
+      c1.evaluate(`new Float64Array()`);
+    },
+    {
+      message: 'Float64Array is not a constructor',
+    },
+  );
+  t.true(c1.evaluate('new Int32Array()') instanceof Int32Array);
+  t.true(c2.evaluate('new Float64Array()') instanceof Float64Array);
+});

packages/ses/test/is-typed-array.test.js

@@ -17,6 +17,10 @@ test('isTypedArray positive cases', t => {
   t.assert(isTypedArray(new Uint16Array()));
   t.assert(isTypedArray(new Int32Array()));
   t.assert(isTypedArray(new Uint32Array()));
+  if (typeof Float16Array !== 'undefined') {
+    // https://github.com/tc39/proposal-float16array
+    t.assert(isTypedArray(new Float16Array()));
+  }
   t.assert(isTypedArray(new Float32Array()));
   t.assert(isTypedArray(new Float64Array()));
   t.assert(isTypedArray(new BigInt64Array()));

packages/ses/test/make-hardener.test.js

@@ -77,6 +77,10 @@ test('harden typed arrays', t => {
     Uint8Array,
     Uint8ClampedArray,
   ];
+  if (typeof Float16Array !== 'undefined') {
+    // https://github.com/tc39/proposal-float16array
+    typedArrayConstructors.push(Float16Array);
+  }
 
   for (const TypedArray of typedArrayConstructors) {
     const h = makeHardener();