test_safe-getter.js (1657B)
/* eslint-disable strict */
/**
 * Checks that DevToolsUtils.hasSafeGetter() refuses to call a scripted
 * getter "safe" in three situations: a getter defined directly on a chrome
 * test global, a lazy script getter installed through XPCOMUtils, and a
 * getter on an object that comes from a less privileged sandbox and is
 * reached with Xrays waived.
 *
 * Takes no arguments and returns nothing; failures surface through assert().
 */
function run_test() {
  // The test evals script in a global created with `chrome: true`, so eval
  // with the system principal is enabled for this test only. The cleanup
  // function clears the pref again so the relaxed setting does not outlive
  // the test.
  const EVAL_PREF = "security.allow_eval_with_system_principal";
  Services.prefs.setBoolPref(EVAL_PREF, true);
  registerCleanupFunction(() => {
    Services.prefs.clearUserPref(EVAL_PREF);
  });

  // Make the Debugger constructor available on this global.
  const { addDebuggerToGlobal } = ChromeUtils.importESModule(
    "resource://gre/modules/jsdebugger.sys.mjs"
  );
  addDebuggerToGlobal(globalThis);

  const testGlobal = createTestGlobal("test", {
    chrome: true,
  });
  const debuggerInstance = new Debugger();
  const globalWrapper = debuggerInstance.addDebuggee(testGlobal);

  // Script run inside the test global: it installs one plain accessor
  // ("bar") and one lazy script getter ("foo").
  const setupScript = `
    // This is not a CCW.
    Object.defineProperty(this, "bar", {
      get: function() { return "bar"; },
      configurable: true,
      enumerable: true
    });

    const { XPCOMUtils } = ChromeUtils.importESModule(
      "resource://gre/modules/XPCOMUtils.sys.mjs"
    );

    // This is a CCW.
    XPCOMUtils.defineLazyScriptGetter(
      this, "foo", "chrome://global/content/viewZoomOverlay.js");
  `;
  testGlobal.eval(setupScript);

  // Both getters are implemented in script, so neither may be reported as
  // safe, whether or not a cross-compartment wrapper is involved.
  for (const propertyName of ["bar", "foo"]) {
    const descriptor = globalWrapper.getOwnPropertyDescriptor(propertyName);
    assert(!DevToolsUtils.hasSafeGetter(descriptor));
  }

  // Build an object with a scripted getter inside a less privileged sandbox,
  // waive Xrays on it, and hand it to the debugger as a debuggee value.
  const sandboxResult = Cu.Sandbox(null).eval(`
        Object.defineProperty({}, "bar", {
          get: function() { return "bar"; },
          configurable: true,
          enumerable: true
        });
      `);
  const waivedObject = Cu.waiveXrays(sandboxResult);
  const sandboxObjWrapper = globalWrapper.makeDebuggeeValue(waivedObject);

  // Waiving Xrays leaves the object behind 2 wrappers. hasSafeGetter has to
  // strip both of them to see the scripted getter; stopping after one layer
  // would wrongly classify the getter as safe.
  const sandboxDescriptor = sandboxObjWrapper.getOwnPropertyDescriptor("bar");
  assert(!DevToolsUtils.hasSafeGetter(sandboxDescriptor));
}