[Javascript] Prevent JavaScript Object Tampering with the SES Library harden Function

Published: 2023-11-08 03:35:54 Author: Zhentiw

https://www.npmjs.com/package/ses

Lockdown

The lockdown() function also tames some objects including regular expressions, locale methods, and errors. A tamed RegExp does not have the deprecated compile method. A tamed error does not have a V8 stack, but the console can still see the stack. Lockdown replaces locale methods like String.prototype.localeCompare with generic versions that do not reveal the host locale.

import 'ses';

lockdown();

console.log(Object.isFrozen([].__proto__));
// true


Harden

SES introduces the harden function. After calling lockdown, the harden function ensures that every object in the transitive closure over property and prototype access starting with that object has been frozen by Object.freeze. This means that the object can be passed among programs and none of those programs will be able to tamper with the surface of that object graph. They can only read the surface data and call the surface functions.

Problem code:

const makeCounter = () => {
  let count = 0;
  return {
    count,
    incr() {
      this.count += 1;
      return this.count;
    },
    decr() {
      this.count -= 1;
      return this.count;
    },
  };
};

const myCounter = makeCounter();
myCounter.incr();
myCounter.incr();
myCounter.count = 'hehehehe';
myCounter.incr();
myCounter.decr();
console.log(myCounter); // { count: NaN, incr: {}, decr: {} }


Or replace the method property itself:

const myCounter = makeCounter();
myCounter.incr();
myCounter.incr();
myCounter.incr();
myCounter.incr = () => {
  console.log('I have hijacked your increment. There is nothing you can do.');
};
myCounter.decr();
const lastValue = myCounter.incr();
console.log({ lastValue }); // { lastValue: undefined }


Solution:

import 'ses';

lockdown();

const makeCounter = () => {
  // Keep the state in the closure: a hardened object is frozen, so
  // `this.count += 1` on the returned object would throw in strict
  // mode (modules are strict) instead of counting.
  let count = 0;
  return harden({
    incr() {
      count += 1;
      return count;
    },
    decr() {
      count -= 1;
      return count;
    },
  });
};

const myCounter = makeCounter();
myCounter.incr();
myCounter.incr();
console.log(Object.isFrozen(myCounter)); // true
myCounter.incr = () => {}; // throws TypeError: the hardened surface is read-only
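The following is an added example, not code from the page or from the SES project. It illustrates the Harden paragraph and the Solution above together: `hardenDeep` is a simplified, hypothetical stand-in for `harden()` that freezes the transitive closure over own properties and prototypes the way the paragraph describes (it is not SES's implementation, and because there is no `lockdown()` here it stops at a few shared intrinsics rather than freezing them); `makeNaiveCounter`/`naiveTamperDemo` replay the page's first tampering sequence; `makeCounter` is the closure-based fix, with a `peek()` method and a nested `meta` object added only to show that the freeze reaches nested objects; and `tamperReport` runs both tampering moves from the page against the hardened counter and reports the outcome. All of those names are assumptions of this example.

```javascript
'use strict';

// Toy stand-in for SES harden(), added here to illustrate the transitive
// freeze described on the page. Assumption: this is NOT the SES
// implementation. It freezes every object reachable from `root` through own
// properties (data values, getters, setters) and the prototype chain.
// Real SES freezes the shared intrinsics during lockdown(), so harden() can
// stop at anything already frozen; outside lockdown() we stop at a few
// well-known intrinsics instead, because freezing them would affect every
// other script in the process.
const INTRINSIC_STOPS = new Set([Object.prototype, Function.prototype, Array.prototype]);

function hardenDeep(root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const obj = stack.pop();
    const isObjectLike = obj !== null && (typeof obj === 'object' || typeof obj === 'function');
    if (!isObjectLike || seen.has(obj) || INTRINSIC_STOPS.has(obj)) continue;
    seen.add(obj);
    Object.freeze(obj);
    // Walk string and symbol keys, including accessor functions, so a getter
    // cannot be used to smuggle mutable state past the freeze.
    for (const key of Reflect.ownKeys(obj)) {
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if ('value' in desc) stack.push(desc.value);
      if (desc.get) stack.push(desc.get);
      if (desc.set) stack.push(desc.set);
    }
    stack.push(Object.getPrototypeOf(obj));
  }
  return root;
}

// The page's original counter: state is a property of the returned object
// and nothing is frozen, so any holder can rewrite the surface.
function makeNaiveCounter() {
  return {
    count: 0,
    incr() { this.count += 1; return this.count; },
    decr() { this.count -= 1; return this.count; },
  };
}

// Replays the page's first tampering sequence against the naive counter.
function naiveTamperDemo() {
  const c = makeNaiveCounter();
  c.incr();
  c.incr();
  const countAccepted = Reflect.set(c, 'count', 'hehehehe'); // true: overwritten
  c.incr(); // 'hehehehe1' (string concatenation)
  c.decr(); // NaN
  return { countAccepted, finalCount: c.count };
}

// The fixed counter: state lives in the closure, so the hardened surface can
// stay frozen while incr/decr keep working. peek() and meta are additions of
// this example (not on the page) used to show the freeze reaches nested objects.
function makeCounter() {
  let count = 0;
  return hardenDeep({
    incr() { count += 1; return count; },
    decr() { count -= 1; return count; },
    peek() { return count; },
    meta: { name: 'counter', tags: ['demo'] },
  });
}

// Runs both tampering moves from the page against a hardened counter and
// reports what happened. In strict mode a direct assignment to a frozen
// surface throws TypeError; Reflect.set/deleteProperty report the same
// rejection as `false` without throwing.
function tamperReport(counter) {
  let assignmentThrew = false;
  try {
    counter.incr = () => 'hijacked';
  } catch (e) {
    assignmentThrew = e instanceof TypeError;
  }
  return {
    assignmentThrew,
    setCountAccepted: Reflect.set(counter, 'count', 'hehehehe'),
    replaceIncrAccepted: Reflect.set(counter, 'incr', () => 'hijacked'),
    deleteAccepted: Reflect.deleteProperty(counter, 'decr'),
    surfaceFrozen: Object.isFrozen(counter) && Object.isFrozen(counter.incr),
    nestedFrozen: Object.isFrozen(counter.meta) && Object.isFrozen(counter.meta.tags),
    stillWorks: counter.incr() === counter.peek(),
  };
}

// Stand-alone run.
console.log(naiveTamperDemo());
console.log(tamperReport(makeCounter()));
```

The design point mirrors the page's fix: freezing only protects the surface, so the mutable state must live somewhere the surface does not expose (the closure). The stop set exists only because this example runs without `lockdown()`; with SES, the intrinsics are already frozen before any `harden()` call, which is why the real function can simply stop at frozen objects.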