feat(ses,pass-style): use no-trapping integrity level for safety

Author: erights

packages/eventual-send/src/E.js

@@ -2,7 +2,7 @@ import { trackTurns } from './track-turns.js';
 import { makeMessageBreakpointTester } from './message-breakpoints.js';
 
 const { details: X, quote: q, Fail, error: makeError } = assert;
-const { assign, create } = Object;
+const { assign, create, freeze } = Object;
 
 /**
  * @import { HandledPromiseConstructor } from './types.js';
@@ -171,7 +171,14 @@ const makeEGetProxyHandler = (x, HandledPromise) =>
  * @param {HandledPromiseConstructor} HandledPromise
  */
 const makeE = HandledPromise => {
-  return harden(
+  // Note the use of `freeze` rather than `harden` below. This is because
+  // `harden` now implies no-trapping, and we depend on proxies with these
+  // almost-empty targets to remain trapping for traps `get`, `apply`, and `set`
+  // which can still be interesting even when the target is frozen.
+  // `get` and `has`, if not naming an own property, are still general traps,
+  // which we rely on. `apply`, surprisingly perhaps, is free to ignore the
+  // target's call behavior and just do its own thing instead.
+  return freeze(
     assign(
       /**
        * E(x) returns a proxy on which you can call arbitrary methods. Each of these
@@ -183,7 +190,7 @@ const makeE = HandledPromise => {
        * @returns {ECallableOrMethods<RemoteFunctions<T>>} method/function call proxy
        */
       // @ts-expect-error XXX typedef
-      x => harden(new Proxy(() => {}, makeEProxyHandler(x, HandledPromise))),
+      x => freeze(new Proxy(() => {}, makeEProxyHandler(x, HandledPromise))),
       {
         /**
          * E.get(x) returns a proxy on which you can get arbitrary properties.
@@ -198,7 +205,7 @@ const makeE = HandledPromise => {
          */
         get: x =>
           // @ts-expect-error XXX typedef
-          harden(
+          freeze(
             new Proxy(create(null), makeEGetProxyHandler(x, HandledPromise)),
           ),
 
@@ -224,7 +231,7 @@ const makeE = HandledPromise => {
          */
         sendOnly: x =>
           // @ts-expect-error XXX typedef
-          harden(
+          freeze(
             new Proxy(() => {}, makeESendOnlyProxyHandler(x, HandledPromise)),
           ),
 

packages/exo/src/exo-makers.js

@@ -8,7 +8,14 @@ import { defendPrototype, defendPrototypeKit } from './exo-tools.js';
  * @import {Amplify, ExoClassKitMethods, ExoClassMethods, FarClassOptions, Guarded, GuardedKit, ExoClassInterfaceGuardKit, IsInstance, KitContext, ExoClassInterfaceGuard, Methods, FacetName} from './types.js';
  */
 
-const { create, seal, freeze, defineProperty, values } = Object;
+const {
+  create,
+  seal,
+  defineProperty,
+  values,
+  // @ts-expect-error TS doesn't know this is on ObjectConstructor
+  suppressTrapping,
+} = Object;
 
 // Turn on to give each exo instance its own toStringTag value.
 const LABEL_INSTANCES = environmentOptionsListHas('DEBUG', 'label-instances');
@@ -92,7 +99,7 @@ export const defineExoClass = (
 
     // Be careful not to freeze the state record
     /** @type {import('./types.js').ClassContext<ReturnType<I>,M>} */
-    const context = freeze({ state, self });
+    const context = suppressTrapping({ state, self });
     contextMap.set(self, context);
     if (finish) {
       finish(context);
@@ -173,7 +180,7 @@ export const defineExoClassKit = (
     });
     context.facets = facets;
     // Be careful not to freeze the state record
-    freeze(context);
+    suppressTrapping(context);
     if (finish) {
       finish(context);
     }

packages/far/test/marshal-far-function.test.js

@@ -58,7 +58,7 @@ test('Data can contain far functions', t => {
   const arrow = Far('arrow', a => a + 1);
   t.is(passStyleOf(harden({ x: 8, foo: arrow })), 'copyRecord');
   const mightBeMethod = a => a + 1;
-  t.throws(() => passStyleOf(freeze({ x: 8, foo: mightBeMethod })), {
+  t.throws(() => passStyleOf(harden({ x: 8, foo: mightBeMethod })), {
     message: /Remotables with non-methods like "x" /,
   });
 });

packages/marshal/src/encodeToCapData.js

@@ -30,7 +30,8 @@ const {
   is,
   entries,
   fromEntries,
-  freeze,
+  // @ts-expect-error TS doesn't know this is on ObjectConstructor
+  suppressTrapping,
 } = Object;
 
 /**
@@ -176,10 +177,10 @@ export const makeEncodeToCapData = (encodeOptions = {}) => {
             // We harden the entire capData encoding before we return it.
             // `encodeToCapData` requires that its input be Passable, and
             // therefore hardened.
-            // The `freeze` here is needed anyway, because the `rest` is
+            // The `suppressTrapping` here is needed anyway, because the `rest` is
             // freshly constructed by the `...` above, and we're using it
             // as imput in another call to `encodeToCapData`.
-            result.rest = encodeToCapDataRecur(freeze(rest));
+            result.rest = encodeToCapDataRecur(suppressTrapping(rest));
           }
           return result;
         }

packages/marshal/src/marshal-stringify.js

@@ -5,6 +5,8 @@ import { makeMarshal } from './marshal.js';
 
 /** @import {Passable} from '@endo/pass-style' */
 
+const { freeze } = Object;
+
 /** @type {import('./types.js').ConvertValToSlot<any>} */
 const doNotConvertValToSlot = val =>
   Fail`Marshal's stringify rejects presences and promises ${val}`;
@@ -23,7 +25,13 @@ const badArrayHandler = harden({
   },
 });
 
-const badArray = harden(new Proxy(harden([]), badArrayHandler));
+// Note the use of `freeze` rather than `harden` below. This is because
+// `harden` now implies no-trapping, and we depend on proxies with these
+// almost-empty targets to remain trapping for the `get` trap
+// which can still be interesting even when the target is frozen.
+// `get`, if not naming an own property, are still general traps,
+// which we rely on.
+const badArray = freeze(new Proxy(freeze([]), badArrayHandler));
 
 const { serialize, unserialize } = makeMarshal(
   doNotConvertValToSlot,
@@ -48,7 +56,13 @@ harden(stringify);
  */
 const parse = str =>
   unserialize(
-    harden({
+    // Note the use of `freeze` rather than `harden` below. This is because
+    // `harden` now implies no-trapping, and we depend on proxies with these
+    // almost-empty targets to remain trapping for the `get` trap
+    // which can still be interesting even when the target is frozen.
+    // `get`, if not naming an own property, are still general traps,
+    // which we rely on.
+    freeze({
       body: str,
       slots: badArray,
     }),

packages/marshal/test/marshal-far-function.test.js

@@ -60,7 +60,7 @@ test('Data can contain far functions', t => {
   const arrow = Far('arrow', a => a + 1);
   t.is(passStyleOf(harden({ x: 8, foo: arrow })), 'copyRecord');
   const mightBeMethod = a => a + 1;
-  t.throws(() => passStyleOf(freeze({ x: 8, foo: mightBeMethod })), {
+  t.throws(() => passStyleOf(harden({ x: 8, foo: mightBeMethod })), {
     message: /Remotables with non-methods like "x" /,
   });
 });

packages/pass-style/src/passStyle-helpers.js

@@ -11,8 +11,9 @@ const {
   getOwnPropertyDescriptor,
   getPrototypeOf,
   hasOwnProperty: objectHasOwnProperty,
-  isFrozen,
   prototype: objectPrototype,
+  // @ts-expect-error TS does not yet have `isNoTrapping` on ObjectConstructor
+  isNoTrapping,
 } = Object;
 const { apply } = Reflect;
 const { toStringTag: toStringTagSymbol } = Symbol;
@@ -165,7 +166,7 @@ const makeCheckTagRecord = checkProto => {
       (isObject(tagRecord) ||
         (!!check &&
           CX(check)`A non-object cannot be a tagRecord: ${tagRecord}`)) &&
-      (isFrozen(tagRecord) ||
+      (isNoTrapping(tagRecord) ||
         (!!check && CX(check)`A tagRecord must be frozen: ${tagRecord}`)) &&
       (!isArray(tagRecord) ||
         (!!check && CX(check)`An array cannot be a tagRecord: ${tagRecord}`)) &&

packages/pass-style/src/passStyleOf.js

@@ -31,7 +31,12 @@ import { assertPassableString } from './string.js';
 /** @typedef {Exclude<PassStyle, PrimitiveStyle | "promise">} HelperPassStyle */
 
 const { ownKeys } = Reflect;
-const { isFrozen, getOwnPropertyDescriptors, values } = Object;
+const {
+  getOwnPropertyDescriptors,
+  values,
+  // @ts-expect-error TS does not yet have `isNoTrapping` on ObjectConstructor
+  isNoTrapping,
+} = Object;
 
 /**
  * @param {PassStyleHelper[]} passStyleHelpers
@@ -143,7 +148,7 @@ const makePassStyleOf = passStyleHelpers => {
           if (inner === null) {
             return 'null';
           }
-          if (!isFrozen(inner)) {
+          if (!isNoTrapping(inner)) {
             assert.fail(
               // TypedArrays get special treatment in harden()
               // and a corresponding special error message here.
@@ -177,7 +182,7 @@ const makePassStyleOf = passStyleHelpers => {
           return 'remotable';
         }
         case 'function': {
-          isFrozen(inner) ||
+          isNoTrapping(inner) ||
             Fail`Cannot pass non-frozen objects like ${inner}. Use harden()`;
           typeof inner.then !== 'function' ||
             Fail`Cannot pass non-promise thenables`;

packages/pass-style/src/remotable.js

@@ -24,9 +24,10 @@ const { ownKeys } = Reflect;
 const { isArray } = Array;
 const {
   getPrototypeOf,
-  isFrozen,
   prototype: objectPrototype,
   getOwnPropertyDescriptors,
+  // @ts-expect-error TS does not yet have `isNoTrapping` on ObjectConstructor
+  isNoTrapping,
 } = Object;
 
 /**
@@ -154,7 +155,7 @@ const checkRemotable = (val, check) => {
   if (confirmedRemotables.has(val)) {
     return true;
   }
-  if (!isFrozen(val)) {
+  if (!isNoTrapping(val)) {
     return (
       !!check && CX(check)`cannot serialize non-frozen objects like ${val}`
     );

packages/pass-style/src/safe-promise.js

@@ -6,7 +6,12 @@ import { assertChecker, hasOwnPropertyOf, CX } from './passStyle-helpers.js';
 
 /** @import {Checker} from './types.js' */
 
-const { isFrozen, getPrototypeOf, getOwnPropertyDescriptor } = Object;
+const {
+  getPrototypeOf,
+  getOwnPropertyDescriptor,
+  // @ts-expect-error TS does not yet have `isNoTrapping` on ObjectConstructor
+  isNoTrapping,
+} = Object;
 const { ownKeys } = Reflect;
 const { toStringTag } = Symbol;
 
@@ -88,7 +93,7 @@ const checkPromiseOwnKeys = (pr, check) => {
     if (
       typeof val === 'object' &&
       val !== null &&
-      isFrozen(val) &&
+      isNoTrapping(val) &&
       getPrototypeOf(val) === Object.prototype
     ) {
       const subKeys = ownKeys(val);
@@ -132,7 +137,7 @@ const checkPromiseOwnKeys = (pr, check) => {
  */
 const checkSafePromise = (pr, check) => {
   return (
-    (isFrozen(pr) || CX(check)`${pr} - Must be frozen`) &&
+    (isNoTrapping(pr) || CX(check)`${pr} - Must be frozen`) &&
     (isPromise(pr) || CX(check)`${pr} - Must be a promise`) &&
     (getPrototypeOf(pr) === Promise.prototype ||
       CX(check)`${pr} - Must inherit from Promise.prototype: ${q(

packages/pass-style/test/passStyleOf.test.js

@@ -13,7 +13,7 @@ const harden = /** @type {import('ses').Harden & { isFake?: boolean }} */ (
   global.harden
 );
 
-const { getPrototypeOf, defineProperty } = Object;
+const { getPrototypeOf, defineProperty, suppressTrapping } = Object;
 const { ownKeys } = Reflect;
 
 test('passStyleOf basic success cases', t => {
@@ -200,7 +200,7 @@ test('passStyleOf testing remotables', t => {
 
   const tagRecord2 = makeTagishRecord('Alleged: tagRecord not hardened');
   /** @type {any} UNTIL https://github.com/microsoft/TypeScript/issues/38385 */
-  const farObj2 = Object.freeze({
+  const farObj2 = suppressTrapping({
     __proto__: tagRecord2,
   });
   if (harden.isFake) {
@@ -212,11 +212,11 @@ test('passStyleOf testing remotables', t => {
     });
   }
 
-  const tagRecord3 = Object.freeze(
+  const tagRecord3 = suppressTrapping(
     makeTagishRecord('Alleged: both manually frozen'),
   );
   /** @type {any} UNTIL https://github.com/microsoft/TypeScript/issues/38385 */
-  const farObj3 = Object.freeze({
+  const farObj3 = suppressTrapping({
     __proto__: tagRecord3,
   });
   t.is(passStyleOf(farObj3), 'remotable');
@@ -387,7 +387,7 @@ test('remotables - safety from the gibson042 attack', t => {
     },
   );
 
-  const makeInput = () => Object.freeze({ __proto__: mercurialProto });
+  const makeInput = () => suppressTrapping({ __proto__: mercurialProto });
   const input1 = makeInput();
   const input2 = makeInput();
 

packages/ses/package.json

@@ -85,7 +85,8 @@
     "postpack": "git clean -f '*.d.ts*' '*.tsbuildinfo'"
   },
   "dependencies": {
-    "@endo/env-options": "workspace:^"
+    "@endo/env-options": "workspace:^",
+    "@endo/no-trapping-shim": "^0.1.0"
   },
   "devDependencies": {
     "@endo/compartment-mapper": "workspace:^",

packages/ses/src/commons.js

@@ -14,6 +14,8 @@
 /* global globalThis */
 /* eslint-disable no-restricted-globals */
 
+import '@endo/no-trapping-shim/shim.js';
+
 // We cannot use globalThis as the local name since it would capture the
 // lexical name.
 const universalThis = globalThis;
@@ -75,6 +77,11 @@ export const {
   setPrototypeOf,
   values,
   fromEntries,
+  // https://github.com/endojs/endo/pull/2673
+  // @ts-expect-error TS does not yet have this on ObjectConstructor.
+  isNoTrapping,
+  // @ts-expect-error TS does not yet have this on ObjectConstructor.
+  suppressTrapping,
 } = Object;
 
 export const {
@@ -125,6 +132,11 @@ export const {
   ownKeys,
   preventExtensions: reflectPreventExtensions,
   set: reflectSet,
+  // https://github.com/endojs/endo/pull/2673
+  // @ts-expect-error TS does not yet have this on typeof Reflect.
+  isNoTrapping: reflectIsNoTrapping,
+  // @ts-expect-error TS does not yet have this on typeof Reflect.
+  suppressTrapping: reflectSuppressTrapping,
 } = Reflect;
 
 export const { isArray, prototype: arrayPrototype } = Array;
@@ -273,7 +285,7 @@ export const getConstructorOf = fn =>
  * immutableObject
  * An immutable (frozen) empty object that is safe to share.
  */
-export const immutableObject = freeze(create(null));
+export const immutableObject = suppressTrapping(create(null));
 
 /**
  * isObject tests whether a value is an object.

packages/ses/src/make-hardener.js

@@ -30,7 +30,6 @@ import {
   apply,
   arrayForEach,
   defineProperty,
-  freeze,
   getOwnPropertyDescriptor,
   getOwnPropertyDescriptors,
   getPrototypeOf,
@@ -49,6 +48,8 @@ import {
   FERAL_STACK_GETTER,
   FERAL_STACK_SETTER,
   isError,
+  isFrozen,
+  suppressTrapping,
 } from './commons.js';
 import { assert } from './error/assert.js';
 
@@ -182,8 +183,17 @@ export const makeHardener = () => {
         // Also throws if the object is an ArrayBuffer or any TypedArray.
         if (isTypedArray(obj)) {
           freezeTypedArray(obj);
+          if (isFrozen(obj)) {
+            // After `freezeTypedArray`, the typed array might actually be
+            // frozen if
+            // - it has no indexed properties
+            // - it is backed by an Immutable ArrayBuffer as proposed.
+            // In either case, this makes it a candidate to be made
+            // non-trapping.
+            suppressTrapping(obj);
+          }
         } else {
-          freeze(obj);
+          suppressTrapping(obj);
         }
 
         // we rely upon certain commitments of Object.freeze and proxies here