
test_bug809652.js (2497B)


      1 /* This Source Code Form is subject to the terms of the Mozilla Public
      2 * License, v. 2.0. If a copy of the MPL was not distributed with this
      3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      4 
      5 /* See https://bugzilla.mozilla.org/show_bug.cgi?id=813901 */
      6 
// Typed-array constructors covered by this test; run_test builds one view of
// each kind over a single shared ArrayBuffer.
const TypedArrays = [
  Int8Array,
  Uint8Array,
  Int16Array,
  Uint16Array,
  Int32Array,
  Uint32Array,
  Float32Array,
  Float64Array,
  Uint8ClampedArray,
];
     10 
     11 // Make sure that the correct nativecall-y stuff is denied on security wrappers.
     12 
/**
 * Test entry point: places objects created in this scope on a sandbox for
 * 'http://www.example.org' and checks that sandbox code cannot invoke native
 * methods or accessors on them. Every expression below must come back as a
 * "denied" error (see checkThrows); an expression that runs to completion is a
 * test failure.
 */
function run_test() {
  const sb = new Cu.Sandbox('http://www.example.org');

  /* Objects handed to the sandbox. All of them are created here, not inside
     the sandbox. */
  sb.obj = {foo: 2};
  sb.ab = new ArrayBuffer(8);
  const bytes = new Uint8Array(sb.ab);
  for (let idx = 0; idx < 8; ++idx) {
    bytes[idx] = idx * 10;
  }
  /* One view per typed-array kind, all backed by the same buffer. */
  sb.ta = TypedArrays.map(Ctor => new Ctor(sb.ab));
  sb.dv = new DataView(sb.ab);
  sb.re = /f/;
  sb.d = new Date();
  sb.m = new Map();

  /* Native methods and accessors applied via .call() to the objects above. */
  const deniedNativeCalls = [
    "Object.prototype.__lookupSetter__('__proto__').call(obj, {});",
    "RegExp.prototype.exec.call(re, 'abcdefg').index",
    "Date.prototype.setYear.call(d, 2011)",
    "(new Map()).clear.call(m)",
    "ArrayBuffer.prototype.__lookupGetter__('byteLength').call(ab);",
    "ArrayBuffer.prototype.slice.call(ab, 0);",
    "DataView.prototype.getInt8.call(dv, 0);",
  ];

  /* Date is on Xrays, so both direct and .call() use must be denied. */
  const deniedDateCalls = [
    "Date.prototype.getYear.call(d)",
    "Date.prototype.valueOf.call(d)",
    "d.valueOf()",
    "d.toString()",
  ];

  for (const expression of deniedNativeCalls) {
    checkThrows(expression, sb);
  }
  for (const expression of deniedDateCalls) {
    checkThrows(expression, sb);
  }

  /* Typed arrays: subarray() plus each accessor, looked up on a fresh
     sandbox-side instance and applied to the view from this scope. */
  const deniedTypedArrayCalls = [
    "this[currName].prototype.subarray.call(curr, 0)[0]",
    "(new this[currName]).__lookupGetter__('length').call(curr)",
    "(new this[currName]).__lookupGetter__('buffer').call(curr)",
    "(new this[currName]).__lookupGetter__('byteOffset').call(curr)",
    "(new this[currName]).__lookupGetter__('byteLength').call(curr)",
  ];
  for (const view of sb.ta) {
    // The expressions find the constructor by name on the sandbox global.
    sb.curr = view;
    sb.currName = view.constructor.name;
    for (const expression of deniedTypedArrayCalls) {
      checkThrows(expression, sb);
    }
  }
}
     56 
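/**
 * Evaluate `expression` inside sandbox `sb` and assert that it was refused.
 *
 * The expression is wrapped in a try/catch that runs inside the sandbox, so
 * the outcome comes back as a string: "allowed" if the expression ran to
 * completion, otherwise the stringified exception. The assertion passes only
 * when that string contains "denied"; an exception of any other kind fails
 * the test as well.
 *
 * @param {string} expression - Source text to evaluate. It is spliced into the
 *   wrapper verbatim, so it must be a literal written in this test file.
 * @param {object} sb - Sandbox in which the expression is evaluated.
 */
function checkThrows(expression, sb) {
  const wrapped = '(function() { try { ' + expression + '; return "allowed"; } catch (e) { return e.toString(); }})();';
  const result = Cu.evalInSandbox(wrapped, sb);
  dump('result: ' + result + '\n\n\n');
  // Name the expression in the failure message: run_test issues dozens of
  // these checks, and a bare failure would not say which call was let through.
  Assert.ok(
    /denied/.test(result),
    'expected a "denied" error for `' + expression + '`, got: ' + result
  );
}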