review or replace object-inspect.js used by xsnap console #4814

Closed
warner opened this issue Mar 10, 2022 · 1 comment · Fixed by #4767
Labels: enhancement (New feature or request), xsnap (the XS execution tool)

warner commented Mar 10, 2022

What is the Problem Being Solved?

In #4364, we changed the xsnap console renderer. Previously, it used the assert.quote function from SES, which grounds out in bestEffortStringify(), which is basically a JSON encoder with a replacer that handles non-JSON things like undefined. After #4364, it used a vendored copy of object-inspect.js (taken from the NPM object-inspect package), which should be pretty close to what Node.js uses for its own console global.

During the resulting discussion (Agoric folks can look at #eng_ses_internal on 08-feb-2022), @erights and @dckc expressed concern about object-internal.js. We didn't come to a consensus before we had to move on, but I think our general opinion was that we must either do a line-by-line review of object-internal.js, or write our own version of it (and use that version to replace assert.quote, making it more readable in the process).

The concerns are:

  • object-internal.js runs in the start compartment as a vetted shim, so obviously has a lot of power
  • the behavior must be a deterministic function of the inputs to a single console.* call
    • there must be no information or determinism leakage between multiple calls
      • (the implementation needs a WeakSet to tolerate cycles, but this should be scoped to a single call)
    • callers will receive a hardened console object and will not have access to a clock or weakrefs
    • however callers might supply a Proxy, or objects with getters, in an attempt to confuse the console
  • the console should bottom out in a function that delivers one string per console.log() invocation
    • we might route these strings to the kernel process for inclusion in debug logs, and/or write them to stdout/stderr, and/or drop them
    • the renderer's behavior and metering should not depend upon what happens after it emits the string
    • it must emit strings even if the caller attempts to trick it with Proxies or getters
  • the inputs to console.* might not be hardened, and console.* must not harden them

Description of the Design

Security Considerations

Test Plan
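
The requirements listed above, as an added example that is not code from the issue or from xsnap: a small renderer in JavaScript (hypothetical names `render`, `safeInspect`, `makeConsole`, `MAX_DEPTH`) with a per-call WeakSet for cycles, descriptor-only reads so caller getters are never invoked, and guarded reflective access so a throwing Proxy still yields a string; it never freezes or mutates its inputs.

```javascript
// Added example, not code from the issue or from Agoric's xsnap: a renderer
// written to the requirements listed above. All names here are hypothetical.
const MAX_DEPTH = 4; // bounds output size and work regardless of input shape

// Render one value. `seen` is a WeakSet created per top-level call, so cycle
// tracking cannot leak information or nondeterminism between console.* calls.
function render(value, seen, depth) {
  switch (typeof value) {
    case 'undefined': return 'undefined';
    case 'string': return JSON.stringify(value);
    case 'bigint': return `${value}n`;
    case 'symbol': return value.toString();
    case 'function': return '[Function]'; // .name could be a throwing Proxy trap
    case 'object': break;
    default: return String(value); // number, boolean
  }
  if (value === null) return 'null';
  if (seen.has(value)) return '[Circular]';
  if (depth >= MAX_DEPTH) return '[Object]';
  // Only data properties are read, via descriptors, so caller getters are never
  // invoked; Proxy traps that throw are caught and shown as placeholders.
  const isArray = Array.isArray(value);
  let keys;
  try { keys = Reflect.ownKeys(value); } catch (_) { return '[Throws]'; }
  seen.add(value); // bookkeeping only; the input is never frozen or mutated
  const parts = [];
  for (const key of keys) {
    if (isArray && key === 'length') continue;
    let desc = null; // stays null if the descriptor read itself throws
    try { desc = Reflect.getOwnPropertyDescriptor(value, key); } catch (_) {}
    const shown = desc === null ? '[Throws]'
      : desc === undefined ? '[Missing]'
      : 'value' in desc ? render(desc.value, seen, depth + 1) : '[Getter]';
    parts.push(isArray ? shown : `${String(key)}: ${shown}`);
  }
  seen.delete(value); // shared (non-cyclic) references still render in full
  return isArray ? `[${parts.join(', ')}]` : `{ ${parts.join(', ')} }`;
}

// Whatever the input does, the caller gets back a string.
function safeInspect(value) {
  try { return render(value, new WeakSet(), 0); } catch (_) { return '[Throws]'; }
}

// One string per console.log() call is handed to `emit`; what `emit` does with
// it (forward to the kernel, write to stderr, drop) is invisible to the renderer.
function makeConsole(emit) {
  return Object.freeze({ log: (...args) => emit(args.map(safeInspect).join(' ')) });
}
```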

warner added the enhancement and xsnap labels on Mar 10, 2022

dckc commented Mar 10, 2022

As noted in #4767, @michaelfig and I have been using #2146 for this. A little redundancy doesn't hurt, I suppose. This is probably more clear. In particular, I neglected to add a comment to #2146 telling the story above.
