Closed Bug 1550485 Opened 6 years ago Closed 5 years ago

Usage of `new Function()` in third-party library redux.js

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla70

Tracking Flags:

Tracking

Status

firefox70

---

fixed

People

(Reporter: jallmann, Assigned: jdescottes)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

Bug 1550485 - Remove usage of new Function in redux.js 5 years ago Julian Descottes [:jdescottes] (deleted), text/x-phabricator-request		Details
Bug 1550485 - Remove redux.js from nsContentSecurityManager whitlelist 5 years ago Julian Descottes [:jdescottes] (deleted), text/x-phabricator-request		Details

Jonas Allmann [:jallmann]

Reporter

Description

•

6 years ago

All eval()-like functions (eval(), new Function(), setTimeout("")) are being removed from code running with system privileges, see Bug 1473549. An assertion is active to enforce this.

There are two occurences of new Function() in redux.js that require the file to be whitelisted for this assertion. In order to clear redux.js from the whitelist, new Function() needs to be removed or refactored. In both cases, new Function()is used to get the global object. This can poissibly be avoided by just removing the code like it was done in reudx.jsm, see Bug 1486375.

Get global object:
https://searchfox.org/mozilla-central/source/devtools/client/shared/vendor/redux.js#18

Get global object:
https://searchfox.org/mozilla-central/source/devtools/client/shared/vendor/redux.js#242

Jonas Allmann [:jallmann]

Reporter

Updated

•

6 years ago

Summary: Usage of `eval()` in third-party library redux.js → Usage of `new Function()` in third-party library redux.js

Julian Descottes [:jdescottes]

Assignee

Updated

•

5 years ago

Assignee: nobody → jdescottes

Status: NEW → ASSIGNED

Julian Descottes [:jdescottes]

Assignee

Comment 1

•

5 years ago

Attached file Bug 1550485 - Remove usage of new Function in redux.js (deleted) — Details

Depends on D38513

Julian Descottes [:jdescottes]

Assignee

Comment 2

•

5 years ago

Attached file Bug 1550485 - Remove redux.js from nsContentSecurityManager whitlelist (deleted) — Details

Depends on D38514

Pulsebot

Comment 3

•

5 years ago

Pushed by jdescottes@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/dbe62a4f2b41 Remove usage of new Function in redux.js r=nchevobbe https://hg.mozilla.org/integration/autoland/rev/c48fcf3a6532 Remove redux.js from nsContentSecurityManager whitlelist r=ckerschb

Daniel Varga [:dvarga]

Comment 4

•

5 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/dbe62a4f2b41
https://hg.mozilla.org/mozilla-central/rev/c48fcf3a6532

Status: ASSIGNED → RESOLVED

Closed: 5 years ago

status-firefox70: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla70

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Usage of `new Function()` in third-party library redux.js

Categories

(Core :: DOM: Security, enhancement, P3)

Tracking

()

People

(Reporter: jallmann, Assigned: jdescottes)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Updated

Updated

Comment 1

Comment 2

Comment 3

Comment 4

Attachment

General

Description

File Name

Content Type