feat(ses,pass-style): use no-trapping integrity level for safety

Author: erights

packages/ses/package.json

@@ -85,7 +85,8 @@
     "postpack": "git clean -f '*.d.ts*' '*.tsbuildinfo'"
   },
   "dependencies": {
-    "@endo/env-options": "workspace:^"
+    "@endo/env-options": "workspace:^",
+    "@endo/no-trapping-shim": "^0.1.0"
   },
   "devDependencies": {
     "@endo/compartment-mapper": "workspace:^",

packages/ses/src/commons.js

@@ -14,6 +14,8 @@
 /* global globalThis */
 /* eslint-disable no-restricted-globals */
 
+import '@endo/no-trapping-shim/shim.js';
+
 // We cannot use globalThis as the local name since it would capture the
 // lexical name.
 const universalThis = globalThis;
@@ -75,6 +77,11 @@ export const {
   setPrototypeOf,
   values,
   fromEntries,
+  // https://github.com/endojs/endo/pull/2673
+  // @ts-expect-error TS does not yet have this on ObjectConstructor.
+  isNoTrapping,
+  // @ts-expect-error TS does not yet have this on ObjectConstructor.
+  suppressTrapping,
 } = Object;
 
 export const {
@@ -125,6 +132,11 @@ export const {
   ownKeys,
   preventExtensions: reflectPreventExtensions,
   set: reflectSet,
+  // https://github.com/endojs/endo/pull/2673
+  // @ts-expect-error TS does not yet have this on typeof Reflect.
+  isNoTrapping: reflectIsNoTrapping,
+  // @ts-expect-error TS does not yet have this on typeof Reflect.
+  suppressTrapping: reflectSuppressTrapping,
 } = Reflect;
 
 export const { isArray, prototype: arrayPrototype } = Array;

packages/ses/src/make-hardener.js

@@ -30,7 +30,6 @@ import {
   apply,
   arrayForEach,
   defineProperty,
-  freeze,
   getOwnPropertyDescriptor,
   getOwnPropertyDescriptors,
   getPrototypeOf,
@@ -49,6 +48,8 @@ import {
   FERAL_STACK_GETTER,
   FERAL_STACK_SETTER,
   isError,
+  isFrozen,
+  suppressTrapping,
 } from './commons.js';
 import { assert } from './error/assert.js';
 
@@ -182,8 +183,17 @@ export const makeHardener = () => {
         // Also throws if the object is an ArrayBuffer or any TypedArray.
         if (isTypedArray(obj)) {
           freezeTypedArray(obj);
+          if (isFrozen(obj)) {
+            // After `freezeTypedArray`, the typed array might actually be
+            // frozen if
+            // - it has no indexed properties
+            // - it is backed by an Immutable ArrayBuffer as proposed.
+            // In either case, this makes it a candidate to be made
+            // non-trapping.
+            suppressTrapping(obj);
+          }
         } else {
-          freeze(obj);
+          suppressTrapping(obj);
         }
 
         // we rely upon certain commitments of Object.freeze and proxies here

packages/ses/src/permits.js

@@ -488,6 +488,9 @@ export const permitted = {
     groupBy: fn,
     // Seen on QuickJS
     __getClass: false,
+    // https://github.com/endojs/endo/pull/2673
+    isNoTrapping: fn,
+    suppressTrapping: fn,
   },
 
   '%ObjectPrototype%': {
@@ -1624,12 +1627,17 @@ export const permitted = {
     set: fn,
     setPrototypeOf: fn,
     '@@toStringTag': 'string',
+    // https://github.com/endojs/endo/pull/2673
+    isNoTrapping: fn,
+    suppressTrapping: fn,
   },
 
   Proxy: {
     // Properties of the Proxy Constructor
     '[[Proto]]': '%FunctionPrototype%',
     revocable: fn,
+    // https://github.com/endojs/endo/pull/2673
+    prototype: 'undefined',
   },
 
   // Appendix B

yarn.lock

@@ -702,7 +702,7 @@ __metadata:
   languageName: unknown
   linkType: soft
 
-"@endo/no-trapping-shim@workspace:packages/no-trapping-shim":
+"@endo/no-trapping-shim@npm:^0.1.0, @endo/no-trapping-shim@workspace:packages/no-trapping-shim":
   version: 0.0.0-use.local
   resolution: "@endo/no-trapping-shim@workspace:packages/no-trapping-shim"
   dependencies:
@@ -8960,6 +8960,7 @@ __metadata:
     "@endo/compartment-mapper": "workspace:^"
     "@endo/env-options": "workspace:^"
     "@endo/module-source": "workspace:^"
+    "@endo/no-trapping-shim": "npm:^0.1.0"
     "@endo/test262-runner": "workspace:^"
     ava: "npm:^6.1.3"
     babel-eslint: "npm:^10.1.0"