bug-librejs

Re: LibreJS can be bypassed with new Function()


From: Yuchen Pei
Subject: Re: LibreJS can be bypassed with new Function()
Date: Sun, 10 Sep 2023 12:11:52 +1000
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

On Sun 2023-09-10 10:27:34 +1000, Yuchen Pei wrote:

> On Sat 2023-09-09 19:24:15 +0100, Ron Nazarov wrote:

>> LibreJS does not consider JavaScript using new Function() non-trivial,
>> so you can bypass it with something similar to this:

>> new Function("<insert non-trivial JavaScript here>")()

>> A demo of this is available at https://361100.xyz/librejs-bypass.html

> Thanks for the report and the demo, I will take a look.

This patch should fix it (also attached inline at the end of this email):

https://git.savannah.gnu.org/cgit/librejs.git/commit/?id=e942bb98325d0a4fdb79cdc75782f065c0289d70

I will sleep on it for a few days, and if nothing new I'll make a new
release.

Meanwhile you can build the patched extension locally and load it as a
temporary addon at about:debugging#/runtime/this-firefox, or set
xpinstall.signatures.required to false if you are using developer
edition/esr and want it to persist across sessions, see also
<https://ypei.org/posts/2023-08-14-emacsify-firefox-init.html>.

> [... 8 lines elided]

From e942bb98325d0a4fdb79cdc75782f065c0289d70 Mon Sep 17 00:00:00 2001
From: Yuchen Pei <id@ypei.org>
Date: Sun, 10 Sep 2023 12:02:37 +1000
Subject: [PATCH] Fixing bypassing Function("...").

It is similar to eval(). See
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function

As prior art, another extension did the blanket ban of Function():
https://addons.mozilla.org/en-US/firefox/addon/noeval-disable-eval/

So let's ban it as well.

Bug reported at
https://lists.gnu.org/archive/html/bug-librejs/2023-09/msg00000.html
---
 common/fname_data.json | 2 +-
 manifest.json          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/fname_data.json b/common/fname_data.json
index 5606007..38652d6 100644
--- a/common/fname_data.json
+++ b/common/fname_data.json
@@ -714,7 +714,7 @@
                "RadioNodeList": true,
                "KeyframeEffectReadOnly": true,
                "InstallTrigger": true,
-               "Function": false,
+               "Function": true,
                "Object": false,
                "eval": true,
                "Window": false,
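Review bot: no test accompanies this one-line flip, so nothing in the tree pins down that `new Function("...")()` and the bare call `Function("...")()` from the report are now classified as non-trivial; add a fixture exercising both next to whatever covers `eval` (the entry two lines below) so the regression cannot silently return. Since the table keys on the bare global name, the flip presumably applies to every occurrence of `Function`, including benign uses such as `instanceof Function` in otherwise trivial scripts; the commit body should state that this false-positive cost is intended, which the noeval reference suggests it is.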
diff --git a/manifest.json b/manifest.json
index 2a7a5f1..73bc918 100644
--- a/manifest.json
+++ b/manifest.json
@@ -2,7 +2,7 @@
   "manifest_version": 2,
   "name": "GNU LibreJS",
   "short_name": "LibreJS",
-  "version": "7.21.0",
+  "version": "7.21.1",
   "author": "various",
   "description": "Only allows free and/or trivial Javascript to run.",
   "applications": {
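Review bot: the version bump from 7.21.0 to 7.21.1 is not mentioned in the commit subject or body, which only describe the Function() ban; either add a line about it to the message or keep the bump in its own commit, so the fix can be cherry-picked or reverted independently of the release number.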
-- 
2.42.0

Best,
Yuchen

--
Timezone: UTC+10
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
          <https://ypei.org/assets/ypei-pubkey.txt>
