From d60a796ab0eb6897ca312fa4e3741f49195b8551 Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Thu, 27 Aug 2020 16:20:51 -0700 Subject: [PATCH 01/15] refactor(ses): Layer Compartment prototype --- packages/ses/src/compartment-shim.js | 31 ++++++++++++++++---- packages/ses/src/get-anonymous-intrinsics.js | 7 ++++- packages/ses/src/inert.js | 8 +++++ packages/ses/src/whitelist.js | 15 ++++++++++ 4 files changed, 54 insertions(+), 7 deletions(-) diff --git a/packages/ses/src/compartment-shim.js b/packages/ses/src/compartment-shim.js index 278cbfbd40..f10c610175 100644 --- a/packages/ses/src/compartment-shim.js +++ b/packages/ses/src/compartment-shim.js @@ -6,10 +6,12 @@ import babel from '@agoric/babel-standalone'; import { makeModuleAnalyzer } from '@agoric/transform-module'; import { assign, + create, defineProperties, entries, freeze, getOwnPropertyNames, + getOwnPropertyDescriptors, keys, } from './commons.js'; import { initGlobalObject } from './global-object.js'; @@ -21,7 +23,11 @@ import { isValidIdentifierName } from './scope-constants.js'; import { sharedGlobalPropertyNames } from './whitelist.js'; import { getGlobalIntrinsics } from './intrinsics.js'; import { tameFunctionToString } from './tame-function-tostring.js'; -import { InertCompartment, InertStaticModuleRecord } from './inert.js'; +import { + InertCompartment, + InertModularCompartment, + InertStaticModuleRecord, +} from './inert.js'; // q, for quoting strings. const q = JSON.stringify; @@ -133,6 +139,14 @@ const CompartmentPrototype = { }); }, + toString() { + return '[object Compartment]'; + }, +}; + +const ModularCompartmentPrototypeExtension = { + constructor: InertModularCompartment, + module(specifier) { if (typeof specifier !== 'string') { throw new TypeError('first argument of module() must be a string'); @@ -190,16 +204,21 @@ const CompartmentPrototype = { moduleInstance.execute(); return moduleInstance.exportsProxy; }, - - toString() { - return '[object Compartment]'; - }, }; +const ModularCompartmentPrototype = create(Object.prototype, { + ...getOwnPropertyDescriptors(CompartmentPrototype), + ...getOwnPropertyDescriptors(ModularCompartmentPrototypeExtension), +}); + defineProperties(InertCompartment, { prototype: { value: CompartmentPrototype }, }); +defineProperties(InertModularCompartment, { + prototype: { value: ModularCompartmentPrototype }, +}); + export const makeCompartmentConstructor = (intrinsics, nativeBrander) => { /** * Compartment() @@ -293,7 +312,7 @@ export const makeCompartmentConstructor = (intrinsics, nativeBrander) => { } defineProperties(Compartment, { - prototype: { value: CompartmentPrototype }, + prototype: { value: ModularCompartmentPrototype }, }); return Compartment; diff --git a/packages/ses/src/get-anonymous-intrinsics.js b/packages/ses/src/get-anonymous-intrinsics.js index ae1c56587c..7716fd6f0b 100644 --- a/packages/ses/src/get-anonymous-intrinsics.js +++ b/packages/ses/src/get-anonymous-intrinsics.js @@ -1,5 +1,9 @@ import { getOwnPropertyDescriptor, getPrototypeOf } from './commons.js'; -import { InertCompartment, InertStaticModuleRecord } from './inert.js'; +import { + InertCompartment, + InertModularCompartment, + InertStaticModuleRecord, +} from './inert.js'; /** * Object.getConstructorOf() @@ -108,6 +112,7 @@ export function getAnonymousIntrinsics() { '%ThrowTypeError%': ThrowTypeError, '%TypedArray%': TypedArray, '%InertCompartment%': InertCompartment, + '%InertModularCompartment%': InertModularCompartment, '%InertStaticModuleRecord%': InertStaticModuleRecord, }; diff --git a/packages/ses/src/inert.js b/packages/ses/src/inert.js index 24067a5d0c..d4a00ad15c 100644 --- a/packages/ses/src/inert.js +++ b/packages/ses/src/inert.js @@ -6,6 +6,14 @@ export const InertCompartment = function Compartment( throw new TypeError('Not available'); }; +export const InertModularCompartment = function Compartment( + _endowments = {}, + _modules = {}, + _options = {}, +) { + throw new TypeError('Not available'); +}; + // It is not clear that // `StaticModuleRecord.prototype.constructor` needs to be the // useless `InertStaticModuleRecord` rather than diff --git a/packages/ses/src/whitelist.js b/packages/ses/src/whitelist.js index bc1ada4900..ec38913ad7 100644 --- a/packages/ses/src/whitelist.js +++ b/packages/ses/src/whitelist.js @@ -1789,11 +1789,26 @@ export const whitelist = { toString: fn, }, + '%InertModularCompartment%': { + '[[Proto]]': '%FunctionPrototype%', + prototype: '%ModularCompartmentPrototype%', + toString: fn, + }, + '%CompartmentPrototype%': { constructor: '%InertCompartment%', evaluate: fn, globalThis: getter, name: getter, + // Should this be proposed? + toString: fn, + }, + + '%ModularCompartmentPrototype%': { + constructor: '%InertModularCompartment%', + evaluate: fn, + globalThis: getter, + name: getter, import: asyncFn, load: asyncFn, importNow: fn, From b5a1fad4e8ca41fe0c0510957e3ad682b90a4c93 Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Thu, 27 Aug 2020 16:54:00 -0700 Subject: [PATCH 02/15] refactor(ses): Parameterize compartment prototype --- packages/ses/ses.js | 3 ++- packages/ses/src/compartment-shim.js | 10 ++++++---- packages/ses/src/global-object.js | 3 ++- packages/ses/src/lockdown-shim.js | 6 ++++-- 4 files changed, 14 insertions(+), 8 deletions(-) diff --git a/packages/ses/ses.js b/packages/ses/ses.js index 62efe55c75..cab1ac6f5f 100644 --- a/packages/ses/ses.js +++ b/packages/ses/ses.js @@ -19,12 +19,13 @@ import { assign } from './src/commons.js'; import { makeLockdown } from './src/lockdown-shim.js'; import { makeCompartmentConstructor, + ModularCompartmentPrototype, Compartment, StaticModuleRecord, } from './src/compartment-shim.js'; assign(globalThis, { - lockdown: makeLockdown(makeCompartmentConstructor), + lockdown: makeLockdown(makeCompartmentConstructor, ModularCompartmentPrototype), Compartment, StaticModuleRecord, }); diff --git a/packages/ses/src/compartment-shim.js b/packages/ses/src/compartment-shim.js index f10c610175..2b916c3df3 100644 --- a/packages/ses/src/compartment-shim.js +++ b/packages/ses/src/compartment-shim.js @@ -98,7 +98,7 @@ const assertModuleHooks = compartment => { } }; -const CompartmentPrototype = { +export const CompartmentPrototype = { constructor: InertCompartment, get globalThis() { @@ -206,7 +206,7 @@ const ModularCompartmentPrototypeExtension = { }, }; -const ModularCompartmentPrototype = create(Object.prototype, { +export const ModularCompartmentPrototype = create(Object.prototype, { ...getOwnPropertyDescriptors(CompartmentPrototype), ...getOwnPropertyDescriptors(ModularCompartmentPrototypeExtension), }); @@ -219,7 +219,7 @@ defineProperties(InertModularCompartment, { prototype: { value: ModularCompartmentPrototype }, }); -export const makeCompartmentConstructor = (intrinsics, nativeBrander) => { +export const makeCompartmentConstructor = (compartmentPrototype, intrinsics, nativeBrander) => { /** * Compartment() * Each Compartment constructor is a global. A host that wants to execute @@ -242,6 +242,7 @@ export const makeCompartmentConstructor = (intrinsics, nativeBrander) => { globalTransforms, nativeBrander, makeCompartmentConstructor, + compartmentPrototype }); assign(globalObject, endowments); @@ -312,7 +313,7 @@ export const makeCompartmentConstructor = (intrinsics, nativeBrander) => { } defineProperties(Compartment, { - prototype: { value: ModularCompartmentPrototype }, + prototype: { value: compartmentPrototype }, }); return Compartment; @@ -323,6 +324,7 @@ export const makeCompartmentConstructor = (intrinsics, nativeBrander) => { const nativeBrander = tameFunctionToString(); export const Compartment = makeCompartmentConstructor( + ModularCompartmentPrototype, getGlobalIntrinsics(globalThis), nativeBrander, ); diff --git a/packages/ses/src/global-object.js b/packages/ses/src/global-object.js index 071adc772d..af0efb6417 100644 --- a/packages/ses/src/global-object.js +++ b/packages/ses/src/global-object.js @@ -14,7 +14,7 @@ export function initGlobalObject( globalObject, intrinsics, newGlobalPropertyNames, - { globalTransforms, nativeBrander, makeCompartmentConstructor }, + { globalTransforms, nativeBrander, makeCompartmentConstructor, compartmentPrototype }, ) { for (const [name, constant] of entries(constantProperties)) { defineProperty(globalObject, name, { @@ -59,6 +59,7 @@ export function initGlobalObject( if (makeCompartmentConstructor) { perCompartmentGlobals.Compartment = makeCompartmentConstructor( + compartmentPrototype, intrinsics, nativeBrander, ); diff --git a/packages/ses/src/lockdown-shim.js b/packages/ses/src/lockdown-shim.js index 1542c3d74c..0d0c424b8d 100644 --- a/packages/ses/src/lockdown-shim.js +++ b/packages/ses/src/lockdown-shim.js @@ -49,7 +49,7 @@ export const harden = ref => { const alreadyHardenedIntrinsics = () => false; -export function repairIntrinsics(makeCompartmentConstructor, options = {}) { +export function repairIntrinsics(makeCompartmentConstructor, compartmentPrototype, options = {}) { // First time, absent options default to 'safe'. // Subsequent times, absent options default to first options. // Thus, all present options must agree with first options. @@ -135,6 +135,7 @@ export function repairIntrinsics(makeCompartmentConstructor, options = {}) { initGlobalObject(globalThis, intrinsics, initialGlobalPropertyNames, { nativeBrander, makeCompartmentConstructor, + compartmentPrototype }); /** @@ -163,10 +164,11 @@ export function repairIntrinsics(makeCompartmentConstructor, options = {}) { return hardenIntrinsics; } -export const makeLockdown = (makeCompartmentConstructor = undefined) => { +export const makeLockdown = (makeCompartmentConstructor = undefined, compartmentPrototype = undefined) => { const lockdown = (options = {}) => { const maybeHardenIntrinsics = repairIntrinsics( makeCompartmentConstructor, + compartmentPrototype, options, ); return maybeHardenIntrinsics(); From d82c041d9e1fa231009f2a6b7951543f1f05bd1e Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Thu, 27 Aug 2020 17:10:31 -0700 Subject: [PATCH 03/15] refactor(ses): Create ses/compartment entry --- packages/ses/compartment.js | 31 ++ packages/ses/lockdown.js | 14 + packages/ses/package.json | 5 + packages/ses/rollup.config.js | 30 ++ packages/ses/ses.js | 6 +- packages/ses/src/compartment-shim.js | 330 ------------------ packages/ses/src/module-shim.js | 329 +++++++++++++++++ packages/ses/test/break-function-eval.test.js | 2 +- .../ses/test/compartment-instance.test.js | 2 +- .../ses/test/compartment-prototype.test.js | 2 +- packages/ses/test/confinement.test.js | 2 +- .../ses/test/global-object-mutability.test.js | 2 +- .../ses/test/global-object-properties.test.js | 2 +- packages/ses/test/identity-continuity.test.js | 2 +- packages/ses/test/import-commons.js | 2 +- packages/ses/test/import-gauntlet.test.js | 2 +- packages/ses/test/import-stack-traces.test.js | 2 +- packages/ses/test/import.test.js | 2 +- packages/ses/test/reject-direct-eval.test.js | 2 +- packages/ses/test/reject-html-comment.test.js | 2 +- .../ses/test/reject-import-expression.test.js | 2 +- .../test/static-module-record-unit.test.js | 2 +- packages/ses/test/typeof.test.js | 2 +- packages/ses/test262/compartment-shim.js | 2 +- 24 files changed, 428 insertions(+), 351 deletions(-) create mode 100644 packages/ses/compartment.js create mode 100644 packages/ses/src/module-shim.js diff --git a/packages/ses/compartment.js b/packages/ses/compartment.js new file mode 100644 index 0000000000..0d724dc819 --- /dev/null +++ b/packages/ses/compartment.js @@ -0,0 +1,31 @@ +// Copyright (C) 2018 Agoric +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Importing the lower-layer "./lockdown.js" ensures that we run later and +// replace its global lockdown if an application elects to import both. +import './lockdown.js'; +import { assign } from './src/commons.js'; +import { makeLockdown } from './src/lockdown-shim.js'; +import { + makeCompartmentConstructor, + CompartmentPrototype, + Compartment, + StaticModuleRecord, +} from './src/module-shim.js'; // TODO compartment-shim.js + +assign(globalThis, { + lockdown: makeLockdown(makeCompartmentConstructor, CompartmentPrototype), + Compartment, + StaticModuleRecord, +}); diff --git a/packages/ses/lockdown.js b/packages/ses/lockdown.js index c1b8e9bc84..6702837acc 100644 --- a/packages/ses/lockdown.js +++ b/packages/ses/lockdown.js @@ -1,3 +1,17 @@ +// Copyright (C) 2018 Agoric +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + import { assign } from './src/commons.js'; import { makeLockdown, harden } from './src/lockdown-shim.js'; diff --git a/packages/ses/package.json b/packages/ses/package.json index 6ecc3bdb25..bce2bcd037 100644 --- a/packages/ses/package.json +++ b/packages/ses/package.json @@ -17,6 +17,11 @@ "require": "./dist/ses.cjs", "browser": "./dist/ses.umd.js" }, + "./compartment": { + "import": "./compartment.js", + "require": "./dist/compartment.cjs", + "browser": "./dist/compartment.umd.js" + }, "./lockdown": { "import": "./lockdown.js", "require": "./dist/lockdown.cjs", diff --git a/packages/ses/rollup.config.js b/packages/ses/rollup.config.js index 30772e9fad..a060934ed2 100644 --- a/packages/ses/rollup.config.js +++ b/packages/ses/rollup.config.js @@ -17,6 +17,16 @@ export default [ ], plugins: [resolve(), commonjs()], }, + { + input: 'compartment.js', + output: [ + { + file: `dist/compartment.cjs`, + format: 'cjs', + }, + ], + plugins: [resolve(), commonjs()], + }, { input: 'lockdown.js', output: [ @@ -27,6 +37,7 @@ export default [ ], plugins: [resolve(), commonjs()], }, + { input: 'ses.js', output: { @@ -45,6 +56,16 @@ export default [ }, plugins: [resolve(), commonjs()], }, + { + input: 'compartment.js', + output: { + file: `dist/compartment.umd.js`, + format: 'umd', + name: 'SES', + }, + plugins: [resolve(), commonjs()], + }, + { input: 'ses.js', output: { @@ -54,6 +75,15 @@ export default [ }, plugins: [resolve(), commonjs(), terser()], }, + { + input: 'compartment.js', + output: { + file: `dist/compartment.umd.min.js`, + format: 'umd', + name: 'SES', + }, + plugins: [resolve(), commonjs(), terser()], + }, { input: 'lockdown.js', output: { diff --git a/packages/ses/ses.js b/packages/ses/ses.js index cab1ac6f5f..78865d4ecc 100644 --- a/packages/ses/ses.js +++ b/packages/ses/ses.js @@ -14,18 +14,16 @@ // Importing the lower-layer "./lockdown.js" ensures that we run later and // replace its global lockdown if an application elects to import both. -import './lockdown.js'; +import './compartment.js'; import { assign } from './src/commons.js'; import { makeLockdown } from './src/lockdown-shim.js'; import { makeCompartmentConstructor, ModularCompartmentPrototype, Compartment, - StaticModuleRecord, -} from './src/compartment-shim.js'; +} from './src/module-shim.js'; assign(globalThis, { lockdown: makeLockdown(makeCompartmentConstructor, ModularCompartmentPrototype), Compartment, - StaticModuleRecord, }); diff --git a/packages/ses/src/compartment-shim.js b/packages/ses/src/compartment-shim.js index 2b916c3df3..e69de29bb2 100644 --- a/packages/ses/src/compartment-shim.js +++ b/packages/ses/src/compartment-shim.js @@ -1,330 +0,0 @@ -// This module exports both Compartment and StaticModuleRecord because they -// communicate through the moduleAnalyses private side-table. -/* eslint max-classes-per-file: ["error", 2] */ - -import babel from '@agoric/babel-standalone'; -import { makeModuleAnalyzer } from '@agoric/transform-module'; -import { - assign, - create, - defineProperties, - entries, - freeze, - getOwnPropertyNames, - getOwnPropertyDescriptors, - keys, -} from './commons.js'; -import { initGlobalObject } from './global-object.js'; -import { performEval } from './evaluate.js'; -import { load } from './module-load.js'; -import { link } from './module-link.js'; -import { getDeferredExports } from './module-proxy.js'; -import { isValidIdentifierName } from './scope-constants.js'; -import { sharedGlobalPropertyNames } from './whitelist.js'; -import { getGlobalIntrinsics } from './intrinsics.js'; -import { tameFunctionToString } from './tame-function-tostring.js'; -import { - InertCompartment, - InertModularCompartment, - InertStaticModuleRecord, -} from './inert.js'; - -// q, for quoting strings. -const q = JSON.stringify; - -const analyzeModule = makeModuleAnalyzer(babel); - -// moduleAnalyses are the private data of a StaticModuleRecord. -// We use moduleAnalyses in the loader/linker to look up -// the analysis corresponding to any StaticModuleRecord constructed by an -// importHook. -const moduleAnalyses = new WeakMap(); - -/** - * StaticModuleRecord captures the effort of parsing and analyzing module text - * so a cache of StaticModuleRecords may be shared by multiple Compartments. - */ -export function StaticModuleRecord(string, url) { - if (new.target === undefined) { - return new StaticModuleRecord(string, url); - } - - const analysis = analyzeModule({ string, url }); - - this.imports = keys(analysis.imports).sort(); - - freeze(this); - freeze(this.imports); - - moduleAnalyses.set(this, analysis); -} - -const StaticModuleRecordPrototype = { - constructor: InertStaticModuleRecord, - toString() { - return '[object StaticModuleRecord]'; - }, -}; - -defineProperties(StaticModuleRecord, { - prototype: { value: StaticModuleRecordPrototype }, -}); - -defineProperties(InertStaticModuleRecord, { - prototype: { value: StaticModuleRecordPrototype }, -}); - -// privateFields captures the private state for each compartment. -const privateFields = new WeakMap(); - -// moduleAliases associates every public module exports namespace with its -// corresponding compartment and specifier so they can be used to link modules -// across compartments. -// The mechanism to thread an alias is to use the compartment.module function -// to obtain the exports namespace of a foreign module and pass it into another -// compartment's moduleMap constructor option. -const moduleAliases = new WeakMap(); - -// Compartments do not need an importHook or resolveHook to be useful -// as a vessel for evaluating programs. -// However, any method that operates the module system will throw an exception -// if these hooks are not available. -const assertModuleHooks = compartment => { - const { importHook, resolveHook } = privateFields.get(compartment); - if (typeof importHook !== 'function' || typeof resolveHook !== 'function') { - throw new TypeError( - `Compartment must be constructed with an importHook and a resolveHook for it to be able to load modules`, - ); - } -}; - -export const CompartmentPrototype = { - constructor: InertCompartment, - - get globalThis() { - return privateFields.get(this).globalObject; - }, - - get name() { - return privateFields.get(this).name; - }, - - /** - * @param {string} source is a JavaScript program grammar construction. - * @param {{ - * transforms: Array, - * sloppyGlobalsMode: bool, - * }} options. - */ - evaluate(source, options = {}) { - // Perform this check first to avoid unecessary sanitizing. - if (typeof source !== 'string') { - throw new TypeError('first argument of evaluate() must be a string'); - } - - // Extract options, and shallow-clone transforms. - const { transforms = [], sloppyGlobalsMode = false } = options; - const localTransforms = [...transforms]; - - const { - globalTransforms, - globalObject, - globalLexicals, - } = privateFields.get(this); - - return performEval(source, globalObject, globalLexicals, { - globalTransforms, - localTransforms, - sloppyGlobalsMode, - }); - }, - - toString() { - return '[object Compartment]'; - }, -}; - -const ModularCompartmentPrototypeExtension = { - constructor: InertModularCompartment, - - module(specifier) { - if (typeof specifier !== 'string') { - throw new TypeError('first argument of module() must be a string'); - } - - assertModuleHooks(this); - - const { exportsProxy } = getDeferredExports( - this, - privateFields.get(this), - moduleAliases, - specifier, - ); - - return exportsProxy; - }, - - async import(specifier) { - if (typeof specifier !== 'string') { - throw new TypeError('first argument of import() must be a string'); - } - - assertModuleHooks(this); - - return load(privateFields, moduleAliases, this, specifier).then(() => { - const namespace = this.importNow(specifier); - return { namespace }; - }); - }, - - async load(specifier) { - if (typeof specifier !== 'string') { - throw new TypeError('first argument of load() must be a string'); - } - - assertModuleHooks(this); - - return load(privateFields, moduleAliases, this, specifier); - }, - - importNow(specifier) { - if (typeof specifier !== 'string') { - throw new TypeError('first argument of importNow() must be a string'); - } - - assertModuleHooks(this); - - const moduleInstance = link( - privateFields, - moduleAnalyses, - moduleAliases, - this, - specifier, - ); - moduleInstance.execute(); - return moduleInstance.exportsProxy; - }, -}; - -export const ModularCompartmentPrototype = create(Object.prototype, { - ...getOwnPropertyDescriptors(CompartmentPrototype), - ...getOwnPropertyDescriptors(ModularCompartmentPrototypeExtension), -}); - -defineProperties(InertCompartment, { - prototype: { value: CompartmentPrototype }, -}); - -defineProperties(InertModularCompartment, { - prototype: { value: ModularCompartmentPrototype }, -}); - -export const makeCompartmentConstructor = (compartmentPrototype, intrinsics, nativeBrander) => { - /** - * Compartment() - * Each Compartment constructor is a global. A host that wants to execute - * code in a context bound to a new global creates a new compartment. - */ - function Compartment(endowments = {}, moduleMap = {}, options = {}) { - // Extract options, and shallow-clone transforms. - const { - name = '', - transforms = [], - globalLexicals = {}, - resolveHook, - importHook, - moduleMapHook, - } = options; - const globalTransforms = [...transforms]; - - const globalObject = {}; - initGlobalObject(globalObject, intrinsics, sharedGlobalPropertyNames, { - globalTransforms, - nativeBrander, - makeCompartmentConstructor, - compartmentPrototype - }); - - assign(globalObject, endowments); - - // Map - const moduleRecords = new Map(); - // Map - const instances = new Map(); - // Map - const deferredExports = new Map(); - - // Validate given moduleMap. - // The module map gets translated on-demand in module-load.js and the - // moduleMap can be invalid in ways that cannot be detected in the - // constructor, but these checks allow us to throw early for a better - // developer experience. - for (const [specifier, aliasNamespace] of entries(moduleMap)) { - if (typeof aliasNamespace === 'string') { - // TODO implement parent module record retrieval. - throw new TypeError( - `Cannot map module ${q(specifier)} to ${q( - aliasNamespace, - )} in parent compartment`, - ); - } else if (moduleAliases.get(aliasNamespace) === undefined) { - // TODO create and link a synthetic module instance from the given - // namespace object. - throw ReferenceError( - `Cannot map module ${q( - specifier, - )} because it has no known compartment in this realm`, - ); - } - } - - const invalidNames = getOwnPropertyNames(globalLexicals).filter( - identifier => !isValidIdentifierName(identifier), - ); - if (invalidNames.length) { - throw new Error( - `Cannot create compartment with invalid names for global lexicals: ${invalidNames.join( - ', ', - )}; these names would not be lexically mentionable`, - ); - } - - privateFields.set(this, { - name, - resolveHook, - importHook, - moduleMap, - moduleMapHook, - moduleRecords, - deferredExports, - instances, - globalTransforms, - globalObject, - // The caller continues to own the globalLexicals object they passed to - // the compartment constructor, but the compartment only respects the - // original values and they are constants in the scope of evaluated - // programs and executed modules. - // This shallow copy captures only the values of enumerable own - // properties, erasing accessors. - // The snapshot is frozen to ensure that the properties are immutable - // when transferred-by-property-descriptor onto local scope objects. - globalLexicals: freeze({ ...globalLexicals }), - }); - } - - defineProperties(Compartment, { - prototype: { value: compartmentPrototype }, - }); - - return Compartment; -}; - -// TODO wasteful to do it twice, once before lockdown and again during -// lockdown. The second is doubly indirect. We should at least flatten that. -const nativeBrander = tameFunctionToString(); - -export const Compartment = makeCompartmentConstructor( - ModularCompartmentPrototype, - getGlobalIntrinsics(globalThis), - nativeBrander, -); diff --git a/packages/ses/src/module-shim.js b/packages/ses/src/module-shim.js new file mode 100644 index 0000000000..8b4107cce4 --- /dev/null +++ b/packages/ses/src/module-shim.js @@ -0,0 +1,329 @@ +// This module exports both Compartment and StaticModuleRecord because they +// communicate through the moduleAnalyses private side-table. + +import babel from '@agoric/babel-standalone'; +import { makeModuleAnalyzer } from '@agoric/transform-module'; +import { + assign, + create, + defineProperties, + entries, + freeze, + getOwnPropertyNames, + getOwnPropertyDescriptors, + keys, +} from './commons.js'; +import { initGlobalObject } from './global-object.js'; +import { performEval } from './evaluate.js'; +import { load } from './module-load.js'; +import { link } from './module-link.js'; +import { getDeferredExports } from './module-proxy.js'; +import { isValidIdentifierName } from './scope-constants.js'; +import { sharedGlobalPropertyNames } from './whitelist.js'; +import { getGlobalIntrinsics } from './intrinsics.js'; +import { tameFunctionToString } from './tame-function-tostring.js'; +import { + InertCompartment, + InertModularCompartment, + InertStaticModuleRecord, +} from './inert.js'; + +// q, for quoting strings. +const q = JSON.stringify; + +const analyzeModule = makeModuleAnalyzer(babel); + +// moduleAnalyses are the private data of a StaticModuleRecord. +// We use moduleAnalyses in the loader/linker to look up +// the analysis corresponding to any StaticModuleRecord constructed by an +// importHook. +const moduleAnalyses = new WeakMap(); + +/** + * StaticModuleRecord captures the effort of parsing and analyzing module text + * so a cache of StaticModuleRecords may be shared by multiple Compartments. + */ +export function StaticModuleRecord(string, url) { + if (new.target === undefined) { + return new StaticModuleRecord(string, url); + } + + const analysis = analyzeModule({ string, url }); + + this.imports = keys(analysis.imports).sort(); + + freeze(this); + freeze(this.imports); + + moduleAnalyses.set(this, analysis); +} + +const StaticModuleRecordPrototype = { + constructor: InertStaticModuleRecord, + toString() { + return '[object StaticModuleRecord]'; + }, +}; + +defineProperties(StaticModuleRecord, { + prototype: { value: StaticModuleRecordPrototype }, +}); + +defineProperties(InertStaticModuleRecord, { + prototype: { value: StaticModuleRecordPrototype }, +}); + +// privateFields captures the private state for each compartment. +const privateFields = new WeakMap(); + +// moduleAliases associates every public module exports namespace with its +// corresponding compartment and specifier so they can be used to link modules +// across compartments. +// The mechanism to thread an alias is to use the compartment.module function +// to obtain the exports namespace of a foreign module and pass it into another +// compartment's moduleMap constructor option. +const moduleAliases = new WeakMap(); + +// Compartments do not need an importHook or resolveHook to be useful +// as a vessel for evaluating programs. +// However, any method that operates the module system will throw an exception +// if these hooks are not available. +const assertModuleHooks = compartment => { + const { importHook, resolveHook } = privateFields.get(compartment); + if (typeof importHook !== 'function' || typeof resolveHook !== 'function') { + throw new TypeError( + `Compartment must be constructed with an importHook and a resolveHook for it to be able to load modules`, + ); + } +}; + +export const CompartmentPrototype = { + constructor: InertCompartment, + + get globalThis() { + return privateFields.get(this).globalObject; + }, + + get name() { + return privateFields.get(this).name; + }, + + /** + * @param {string} source is a JavaScript program grammar construction. + * @param {{ + * transforms: Array, + * sloppyGlobalsMode: bool, + * }} options. + */ + evaluate(source, options = {}) { + // Perform this check first to avoid unecessary sanitizing. + if (typeof source !== 'string') { + throw new TypeError('first argument of evaluate() must be a string'); + } + + // Extract options, and shallow-clone transforms. + const { transforms = [], sloppyGlobalsMode = false } = options; + const localTransforms = [...transforms]; + + const { + globalTransforms, + globalObject, + globalLexicals, + } = privateFields.get(this); + + return performEval(source, globalObject, globalLexicals, { + globalTransforms, + localTransforms, + sloppyGlobalsMode, + }); + }, + + toString() { + return '[object Compartment]'; + }, +}; + +const ModularCompartmentPrototypeExtension = { + constructor: InertModularCompartment, + + module(specifier) { + if (typeof specifier !== 'string') { + throw new TypeError('first argument of module() must be a string'); + } + + assertModuleHooks(this); + + const { exportsProxy } = getDeferredExports( + this, + privateFields.get(this), + moduleAliases, + specifier, + ); + + return exportsProxy; + }, + + async import(specifier) { + if (typeof specifier !== 'string') { + throw new TypeError('first argument of import() must be a string'); + } + + assertModuleHooks(this); + + return load(privateFields, moduleAliases, this, specifier).then(() => { + const namespace = this.importNow(specifier); + return { namespace }; + }); + }, + + async load(specifier) { + if (typeof specifier !== 'string') { + throw new TypeError('first argument of load() must be a string'); + } + + assertModuleHooks(this); + + return load(privateFields, moduleAliases, this, specifier); + }, + + importNow(specifier) { + if (typeof specifier !== 'string') { + throw new TypeError('first argument of importNow() must be a string'); + } + + assertModuleHooks(this); + + const moduleInstance = link( + privateFields, + moduleAnalyses, + moduleAliases, + this, + specifier, + ); + moduleInstance.execute(); + return moduleInstance.exportsProxy; + }, +}; + +export const ModularCompartmentPrototype = create(Object.prototype, { + ...getOwnPropertyDescriptors(CompartmentPrototype), + ...getOwnPropertyDescriptors(ModularCompartmentPrototypeExtension), +}); + +defineProperties(InertCompartment, { + prototype: { value: CompartmentPrototype }, +}); + +defineProperties(InertModularCompartment, { + prototype: { value: ModularCompartmentPrototype }, +}); + +export const makeCompartmentConstructor = (compartmentPrototype, intrinsics, nativeBrander) => { + /** + * Compartment() + * Each Compartment constructor is a global. A host that wants to execute + * code in a context bound to a new global creates a new compartment. + */ + function Compartment(endowments = {}, moduleMap = {}, options = {}) { + // Extract options, and shallow-clone transforms. + const { + name = '', + transforms = [], + globalLexicals = {}, + resolveHook, + importHook, + moduleMapHook, + } = options; + const globalTransforms = [...transforms]; + + const globalObject = {}; + initGlobalObject(globalObject, intrinsics, sharedGlobalPropertyNames, { + globalTransforms, + nativeBrander, + makeCompartmentConstructor, + compartmentPrototype + }); + + assign(globalObject, endowments); + + // Map + const moduleRecords = new Map(); + // Map + const instances = new Map(); + // Map + const deferredExports = new Map(); + + // Validate given moduleMap. + // The module map gets translated on-demand in module-load.js and the + // moduleMap can be invalid in ways that cannot be detected in the + // constructor, but these checks allow us to throw early for a better + // developer experience. + for (const [specifier, aliasNamespace] of entries(moduleMap)) { + if (typeof aliasNamespace === 'string') { + // TODO implement parent module record retrieval. + throw new TypeError( + `Cannot map module ${q(specifier)} to ${q( + aliasNamespace, + )} in parent compartment`, + ); + } else if (moduleAliases.get(aliasNamespace) === undefined) { + // TODO create and link a synthetic module instance from the given + // namespace object. + throw ReferenceError( + `Cannot map module ${q( + specifier, + )} because it has no known compartment in this realm`, + ); + } + } + + const invalidNames = getOwnPropertyNames(globalLexicals).filter( + identifier => !isValidIdentifierName(identifier), + ); + if (invalidNames.length) { + throw new Error( + `Cannot create compartment with invalid names for global lexicals: ${invalidNames.join( + ', ', + )}; these names would not be lexically mentionable`, + ); + } + + privateFields.set(this, { + name, + resolveHook, + importHook, + moduleMap, + moduleMapHook, + moduleRecords, + deferredExports, + instances, + globalTransforms, + globalObject, + // The caller continues to own the globalLexicals object they passed to + // the compartment constructor, but the compartment only respects the + // original values and they are constants in the scope of evaluated + // programs and executed modules. + // This shallow copy captures only the values of enumerable own + // properties, erasing accessors. + // The snapshot is frozen to ensure that the properties are immutable + // when transferred-by-property-descriptor onto local scope objects. + globalLexicals: freeze({ ...globalLexicals }), + }); + } + + defineProperties(Compartment, { + prototype: { value: compartmentPrototype }, + }); + + return Compartment; +}; + +// TODO wasteful to do it twice, once before lockdown and again during +// lockdown. The second is doubly indirect. We should at least flatten that. +const nativeBrander = tameFunctionToString(); + +export const Compartment = makeCompartmentConstructor( + ModularCompartmentPrototype, + getGlobalIntrinsics(globalThis), + nativeBrander, +); diff --git a/packages/ses/test/break-function-eval.test.js b/packages/ses/test/break-function-eval.test.js index 21e6674e98..6c84658e4b 100644 --- a/packages/ses/test/break-function-eval.test.js +++ b/packages/ses/test/break-function-eval.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/compartment-instance.test.js b/packages/ses/test/compartment-instance.test.js index ec6f89a5a6..031e065b99 100644 --- a/packages/ses/test/compartment-instance.test.js +++ b/packages/ses/test/compartment-instance.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/compartment-prototype.test.js b/packages/ses/test/compartment-prototype.test.js index 7f5323c470..bef54aad89 100644 --- a/packages/ses/test/compartment-prototype.test.js +++ b/packages/ses/test/compartment-prototype.test.js @@ -1,5 +1,5 @@ import tap from 'tap'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; const { test } = tap; diff --git a/packages/ses/test/confinement.test.js b/packages/ses/test/confinement.test.js index df3c46f47a..31e2d0f592 100644 --- a/packages/ses/test/confinement.test.js +++ b/packages/ses/test/confinement.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/global-object-mutability.test.js b/packages/ses/test/global-object-mutability.test.js index 3e57a30546..84e6c1ed16 100644 --- a/packages/ses/test/global-object-mutability.test.js +++ b/packages/ses/test/global-object-mutability.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/global-object-properties.test.js b/packages/ses/test/global-object-properties.test.js index f654460501..f3d9ddb479 100644 --- a/packages/ses/test/global-object-properties.test.js +++ b/packages/ses/test/global-object-properties.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/identity-continuity.test.js b/packages/ses/test/identity-continuity.test.js index 86a41db97b..77e67d90dd 100644 --- a/packages/ses/test/identity-continuity.test.js +++ b/packages/ses/test/identity-continuity.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/import-commons.js b/packages/ses/test/import-commons.js index 0769ccda21..bedefabc09 100644 --- a/packages/ses/test/import-commons.js +++ b/packages/ses/test/import-commons.js @@ -1,4 +1,4 @@ -import { StaticModuleRecord } from '../src/compartment-shim.js'; +import { StaticModuleRecord } from '../src/module-shim.js'; // q, to quote strings in error messages. const q = JSON.stringify; diff --git a/packages/ses/test/import-gauntlet.test.js b/packages/ses/test/import-gauntlet.test.js index 0d1c0cc11f..6ec4eafedf 100644 --- a/packages/ses/test/import-gauntlet.test.js +++ b/packages/ses/test/import-gauntlet.test.js @@ -2,7 +2,7 @@ // modules using a single Compartment. import tap from 'tap'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import { resolveNode, makeNodeImporter } from './node.js'; const { test } = tap; diff --git a/packages/ses/test/import-stack-traces.test.js b/packages/ses/test/import-stack-traces.test.js index b95c54ef52..5aef636f07 100644 --- a/packages/ses/test/import-stack-traces.test.js +++ b/packages/ses/test/import-stack-traces.test.js @@ -1,5 +1,5 @@ import tap from 'tap'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import { resolveNode, makeNodeImporter } from './node.js'; const { test } = tap; diff --git a/packages/ses/test/import.test.js b/packages/ses/test/import.test.js index 06348a9a0a..b620181cc5 100644 --- a/packages/ses/test/import.test.js +++ b/packages/ses/test/import.test.js @@ -4,7 +4,7 @@ /* eslint max-lines: 0 */ import tap from 'tap'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import { resolveNode, makeNodeImporter } from './node.js'; import { makeImporter, makeStaticRetriever } from './import-commons.js'; diff --git a/packages/ses/test/reject-direct-eval.test.js b/packages/ses/test/reject-direct-eval.test.js index aae613f5e1..523728758e 100644 --- a/packages/ses/test/reject-direct-eval.test.js +++ b/packages/ses/test/reject-direct-eval.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/reject-html-comment.test.js b/packages/ses/test/reject-html-comment.test.js index da6adf3c0b..8a54041bd7 100644 --- a/packages/ses/test/reject-html-comment.test.js +++ b/packages/ses/test/reject-html-comment.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/reject-import-expression.test.js b/packages/ses/test/reject-import-expression.test.js index f9f8b52e1c..289b7878ab 100644 --- a/packages/ses/test/reject-import-expression.test.js +++ b/packages/ses/test/reject-import-expression.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/static-module-record-unit.test.js b/packages/ses/test/static-module-record-unit.test.js index 1184bd76e4..8c4383acba 100644 --- a/packages/ses/test/static-module-record-unit.test.js +++ b/packages/ses/test/static-module-record-unit.test.js @@ -1,5 +1,5 @@ import tap from 'tap'; -import { StaticModuleRecord } from '../src/compartment-shim.js'; +import { StaticModuleRecord } from '../src/module-shim.js'; const { test } = tap; diff --git a/packages/ses/test/typeof.test.js b/packages/ses/test/typeof.test.js index ec96528162..c43071c933 100644 --- a/packages/ses/test/typeof.test.js +++ b/packages/ses/test/typeof.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test262/compartment-shim.js b/packages/ses/test262/compartment-shim.js index 104b2d0c12..6417dec0ff 100644 --- a/packages/ses/test262/compartment-shim.js +++ b/packages/ses/test262/compartment-shim.js @@ -1,6 +1,6 @@ // eslint-disable-next-line import/no-extraneous-dependencies import test262Runner from '@agoric/test262-runner'; -import { Compartment } from '../src/compartment-shim.js'; +import { Compartment } from '../src/module-shim.js'; export default function patchFunctionConstructors() { /* eslint-disable no-proto */ From edb0e0f2610b793628ce5b47b495870f7506a6e1 Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Thu, 27 Aug 2020 18:59:43 -0700 Subject: [PATCH 04/15] feat(ses): Add minimal Compartment to SES-lite lockdown layer --- packages/ses/NEWS.md | 6 + packages/ses/compartment.js | 31 --- packages/ses/lockdown.js | 13 +- packages/ses/rollup.config.js | 30 --- packages/ses/ses.js | 12 +- packages/ses/src/compartment-shim.js | 153 ++++++++++++ packages/ses/src/module-instance.js | 22 +- packages/ses/src/module-shim.js | 228 ++++++------------ packages/ses/test/break-function-eval.test.js | 2 +- .../ses/test/compartment-instance.test.js | 6 +- .../ses/test/compartment-prototype.test.js | 6 +- packages/ses/test/confinement.test.js | 2 +- .../ses/test/global-object-mutability.test.js | 2 +- .../ses/test/global-object-properties.test.js | 2 +- packages/ses/test/identity-continuity.test.js | 2 +- .../test/module-compartment-instance.test.js | 56 +++++ .../test/module-compartment-prototype.test.js | 30 +++ packages/ses/test/reject-direct-eval.test.js | 2 +- packages/ses/test/reject-html-comment.test.js | 2 +- .../ses/test/reject-import-expression.test.js | 2 +- packages/ses/test/typeof.test.js | 2 +- 21 files changed, 348 insertions(+), 263 deletions(-) delete mode 100644 packages/ses/compartment.js create mode 100644 packages/ses/test/module-compartment-instance.test.js create mode 100644 packages/ses/test/module-compartment-prototype.test.js diff --git a/packages/ses/NEWS.md b/packages/ses/NEWS.md index 1d8b7b1676..10ee8097b5 100644 --- a/packages/ses/NEWS.md +++ b/packages/ses/NEWS.md @@ -2,6 +2,12 @@ User-visible changes in SES: ## Next release +* The `ses/lockdown` module and Rollup bundles now include a minimal + implementation of `Compartment` that supports `evaluate` but not loading + modules. + This is sufficient for containment of JavaScript programs, including + modules that have been pre-compiled to programs out-of-band, without + entraining a full JavaScript parser framework. * Allows a compartment's `importHook` to return an "alias" if the returned static module record has a different specifier than requested. * Adds the `name` option to the `Compartment` constructor and `name` accessor diff --git a/packages/ses/compartment.js b/packages/ses/compartment.js deleted file mode 100644 index 0d724dc819..0000000000 --- a/packages/ses/compartment.js +++ /dev/null @@ -1,31 +0,0 @@ -// Copyright (C) 2018 Agoric -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Importing the lower-layer "./lockdown.js" ensures that we run later and -// replace its global lockdown if an application elects to import both. -import './lockdown.js'; -import { assign } from './src/commons.js'; -import { makeLockdown } from './src/lockdown-shim.js'; -import { - makeCompartmentConstructor, - CompartmentPrototype, - Compartment, - StaticModuleRecord, -} from './src/module-shim.js'; // TODO compartment-shim.js - -assign(globalThis, { - lockdown: makeLockdown(makeCompartmentConstructor, CompartmentPrototype), - Compartment, - StaticModuleRecord, -}); diff --git a/packages/ses/lockdown.js b/packages/ses/lockdown.js index 6702837acc..78ea7fc4e4 100644 --- a/packages/ses/lockdown.js +++ b/packages/ses/lockdown.js @@ -12,10 +12,17 @@ // See the License for the specific language governing permissions and // limitations under the License. +// Importing the lower-layer "./lockdown.js" ensures that we run later and +// replace its global lockdown if an application elects to import both. import { assign } from './src/commons.js'; -import { makeLockdown, harden } from './src/lockdown-shim.js'; +import { makeLockdown } from './src/lockdown-shim.js'; +import { + makeCompartmentConstructor, + CompartmentPrototype, + Compartment, +} from './src/compartment-shim.js'; assign(globalThis, { - harden, - lockdown: makeLockdown(), + lockdown: makeLockdown(makeCompartmentConstructor, CompartmentPrototype), + Compartment, }); diff --git a/packages/ses/rollup.config.js b/packages/ses/rollup.config.js index a060934ed2..30772e9fad 100644 --- a/packages/ses/rollup.config.js +++ b/packages/ses/rollup.config.js @@ -17,16 +17,6 @@ export default [ ], plugins: [resolve(), commonjs()], }, - { - input: 'compartment.js', - output: [ - { - file: `dist/compartment.cjs`, - format: 'cjs', - }, - ], - plugins: [resolve(), commonjs()], - }, { input: 'lockdown.js', output: [ @@ -37,7 +27,6 @@ export default [ ], plugins: [resolve(), commonjs()], }, - { input: 'ses.js', output: { @@ -56,16 +45,6 @@ export default [ }, plugins: [resolve(), commonjs()], }, - { - input: 'compartment.js', - output: { - file: `dist/compartment.umd.js`, - format: 'umd', - name: 'SES', - }, - plugins: [resolve(), commonjs()], - }, - { input: 'ses.js', output: { @@ -75,15 +54,6 @@ export default [ }, plugins: [resolve(), commonjs(), terser()], }, - { - input: 'compartment.js', - output: { - file: `dist/compartment.umd.min.js`, - format: 'umd', - name: 'SES', - }, - plugins: [resolve(), commonjs(), terser()], - }, { input: 'lockdown.js', output: { diff --git a/packages/ses/ses.js b/packages/ses/ses.js index 78865d4ecc..aa33310204 100644 --- a/packages/ses/ses.js +++ b/packages/ses/ses.js @@ -14,16 +14,20 @@ // Importing the lower-layer "./lockdown.js" ensures that we run later and // replace its global lockdown if an application elects to import both. -import './compartment.js'; +import './lockdown.js'; import { assign } from './src/commons.js'; import { makeLockdown } from './src/lockdown-shim.js'; import { makeCompartmentConstructor, - ModularCompartmentPrototype, +} from './src/compartment-shim.js'; +import { + CompartmentPrototype, Compartment, + StaticModuleRecord, } from './src/module-shim.js'; assign(globalThis, { - lockdown: makeLockdown(makeCompartmentConstructor, ModularCompartmentPrototype), - Compartment, + lockdown: makeLockdown(makeCompartmentConstructor, CompartmentPrototype), + Compartment: Compartment, + StaticModuleRecord, }); diff --git a/packages/ses/src/compartment-shim.js b/packages/ses/src/compartment-shim.js index e69de29bb2..c8188d6993 100644 --- a/packages/ses/src/compartment-shim.js +++ b/packages/ses/src/compartment-shim.js @@ -0,0 +1,153 @@ + +import { + assign, + create, + defineProperties, + freeze, + getOwnPropertyNames, + getOwnPropertyDescriptors, +} from './commons.js'; +import { initGlobalObject } from './global-object.js'; +import { performEval } from './evaluate.js'; +import { isValidIdentifierName } from './scope-constants.js'; +import { sharedGlobalPropertyNames } from './whitelist.js'; +import { getGlobalIntrinsics } from './intrinsics.js'; +import { tameFunctionToString } from './tame-function-tostring.js'; +import { + InertCompartment, +} from './inert.js'; + +// q, for quoting strings. +const q = JSON.stringify; + +// privateFields captures the private state for each compartment. +const privateFields = new WeakMap(); + +export const CompartmentPrototype = { + constructor: InertCompartment, + + get globalThis() { + return privateFields.get(this).globalObject; + }, + + get name() { + return privateFields.get(this).name; + }, + + /** + * @param {string} source is a JavaScript program grammar construction. + * @param {{ + * transforms: Array, + * sloppyGlobalsMode: bool, + * }} options. + */ + evaluate(source, options = {}) { + // Perform this check first to avoid unecessary sanitizing. + if (typeof source !== 'string') { + throw new TypeError('first argument of evaluate() must be a string'); + } + + // Extract options, and shallow-clone transforms. + const { + transforms = [], + localLexicals = undefined, + sloppyGlobalsMode = false + } = options; + const localTransforms = [...transforms]; + + const { + globalTransforms, + globalObject, + globalLexicals, + } = privateFields.get(this); + + let localObject = globalLexicals; + if (localLexicals !== undefined) { + localObject = create(null, getOwnPropertyDescriptors(globalLexicals)); + defineProperties(localObject, getOwnPropertyDescriptors(localLexicals)); + } + + return performEval(source, globalObject, localObject, { + globalTransforms, + localTransforms, + sloppyGlobalsMode, + }); + }, + + toString() { + return '[object Compartment]'; + }, +}; + +defineProperties(InertCompartment, { + prototype: { value: CompartmentPrototype }, +}); + +export const makeCompartmentConstructor = (compartmentPrototype, intrinsics, nativeBrander) => { + /** + * Compartment() + * Each Compartment constructor is a global. A host that wants to execute + * code in a context bound to a new global creates a new compartment. + */ + function Compartment(endowments = {}, _moduleMap = {}, options = {}) { + // Extract options, and shallow-clone transforms. + const { + name = '', + transforms = [], + globalLexicals = {}, + } = options; + const globalTransforms = [...transforms]; + + const globalObject = {}; + initGlobalObject(globalObject, intrinsics, sharedGlobalPropertyNames, { + globalTransforms, + nativeBrander, + makeCompartmentConstructor, + compartmentPrototype + }); + + assign(globalObject, endowments); + + const invalidNames = getOwnPropertyNames(globalLexicals).filter( + identifier => !isValidIdentifierName(identifier), + ); + if (invalidNames.length) { + throw new Error( + `Cannot create compartment with invalid names for global lexicals: ${invalidNames.join( + ', ', + )}; these names would not be lexically mentionable`, + ); + } + + privateFields.set(this, { + name, + globalTransforms, + globalObject, + // The caller continues to own the globalLexicals object they passed to + // the compartment constructor, but the compartment only respects the + // original values and they are constants in the scope of evaluated + // programs and executed modules. + // This shallow copy captures only the values of enumerable own + // properties, erasing accessors. + // The snapshot is frozen to ensure that the properties are immutable + // when transferred-by-property-descriptor onto local scope objects. + globalLexicals: freeze({ ...globalLexicals }), + }); + } + + defineProperties(Compartment, { + prototype: { value: compartmentPrototype }, + }); + + return Compartment; +}; + +// TODO wasteful to do it twice, once before lockdown and again during +// lockdown. The second is doubly indirect. We should at least flatten that. +const nativeBrander = tameFunctionToString(); + +export const Compartment = makeCompartmentConstructor( + CompartmentPrototype, + getGlobalIntrinsics(globalThis), + nativeBrander, +); diff --git a/packages/ses/src/module-instance.js b/packages/ses/src/module-instance.js index b5df02b49a..dc3a61c579 100644 --- a/packages/ses/src/module-instance.js +++ b/packages/ses/src/module-instance.js @@ -1,8 +1,6 @@ -import { performEval } from './evaluate.js'; import { getDeferredExports } from './module-proxy.js'; import { create, - getOwnPropertyDescriptors, entries, keys, freeze, @@ -37,8 +35,6 @@ export const makeModuleInstance = ( const compartmentFields = privateFields.get(compartment); - const { globalLexicals } = compartmentFields; - const { exportsProxy, proxiedExports, activate } = getDeferredExports( compartment, compartmentFields, @@ -52,8 +48,8 @@ export const makeModuleInstance = ( // {_localName_: accessor} proxy traps for globalLexicals and live bindings. // The globalLexicals object is frozen and the corresponding properties of - // localObject must be immutable, so we copy the descriptors. - const localObject = create(null, getOwnPropertyDescriptors(globalLexicals)); + // localLexicals must be immutable, so we copy the descriptors. + const localLexicals = create(null); // {_localName_: init(initValue) -> initValue} used by the // rewritten code to initialize exported fixed bindings. @@ -210,7 +206,7 @@ export const makeModuleInstance = ( localGetNotify[localName] = liveGetNotify; if (setProxyTrap) { - defineProperty(localObject, localName, { + defineProperty(localLexicals, localName, { get, set, enumerable: true, @@ -326,16 +322,10 @@ export const makeModuleInstance = ( activate(); } - let optFunctor = performEval( - functorSource, + let optFunctor = compartment.evaluate(functorSource, { globalObject, - localObject, // live bindings over global lexicals - { - localTransforms: [], - globalTransforms: [], - sloppyGlobalsMode: false, - }, - ); + localLexicals, // live bindings over global lexicals + }); let didThrow = false; let thrownError; function execute() { diff --git a/packages/ses/src/module-shim.js b/packages/ses/src/module-shim.js index 8b4107cce4..d5cd2c7cd6 100644 --- a/packages/ses/src/module-shim.js +++ b/packages/ses/src/module-shim.js @@ -4,29 +4,23 @@ import babel from '@agoric/babel-standalone'; import { makeModuleAnalyzer } from '@agoric/transform-module'; import { - assign, create, defineProperties, entries, freeze, - getOwnPropertyNames, getOwnPropertyDescriptors, keys, } from './commons.js'; -import { initGlobalObject } from './global-object.js'; -import { performEval } from './evaluate.js'; import { load } from './module-load.js'; import { link } from './module-link.js'; import { getDeferredExports } from './module-proxy.js'; -import { isValidIdentifierName } from './scope-constants.js'; -import { sharedGlobalPropertyNames } from './whitelist.js'; import { getGlobalIntrinsics } from './intrinsics.js'; import { tameFunctionToString } from './tame-function-tostring.js'; import { - InertCompartment, InertModularCompartment, InertStaticModuleRecord, } from './inert.js'; +import { CompartmentPrototype, makeCompartmentConstructor } from "./compartment-shim.js"; // q, for quoting strings. const q = JSON.stringify; @@ -73,9 +67,6 @@ defineProperties(InertStaticModuleRecord, { prototype: { value: StaticModuleRecordPrototype }, }); -// privateFields captures the private state for each compartment. -const privateFields = new WeakMap(); - // moduleAliases associates every public module exports namespace with its // corresponding compartment and specifier so they can be used to link modules // across compartments. @@ -84,6 +75,9 @@ const privateFields = new WeakMap(); // compartment's moduleMap constructor option. const moduleAliases = new WeakMap(); +// privateFields captures the private state for each compartment. +const privateFields = new WeakMap(); + // Compartments do not need an importHook or resolveHook to be useful // as a vessel for evaluating programs. // However, any method that operates the module system will throw an exception @@ -97,52 +91,6 @@ const assertModuleHooks = compartment => { } }; -export const CompartmentPrototype = { - constructor: InertCompartment, - - get globalThis() { - return privateFields.get(this).globalObject; - }, - - get name() { - return privateFields.get(this).name; - }, - - /** - * @param {string} source is a JavaScript program grammar construction. - * @param {{ - * transforms: Array, - * sloppyGlobalsMode: bool, - * }} options. - */ - evaluate(source, options = {}) { - // Perform this check first to avoid unecessary sanitizing. - if (typeof source !== 'string') { - throw new TypeError('first argument of evaluate() must be a string'); - } - - // Extract options, and shallow-clone transforms. - const { transforms = [], sloppyGlobalsMode = false } = options; - const localTransforms = [...transforms]; - - const { - globalTransforms, - globalObject, - globalLexicals, - } = privateFields.get(this); - - return performEval(source, globalObject, globalLexicals, { - globalTransforms, - localTransforms, - sloppyGlobalsMode, - }); - }, - - toString() { - return '[object Compartment]'; - }, -}; - const ModularCompartmentPrototypeExtension = { constructor: InertModularCompartment, @@ -205,125 +153,85 @@ const ModularCompartmentPrototypeExtension = { }, }; -export const ModularCompartmentPrototype = create(Object.prototype, { +const ModularCompartmentPrototype = create(Object.prototype, { ...getOwnPropertyDescriptors(CompartmentPrototype), ...getOwnPropertyDescriptors(ModularCompartmentPrototypeExtension), }); -defineProperties(InertCompartment, { - prototype: { value: CompartmentPrototype }, -}); - defineProperties(InertModularCompartment, { prototype: { value: ModularCompartmentPrototype }, }); -export const makeCompartmentConstructor = (compartmentPrototype, intrinsics, nativeBrander) => { - /** - * Compartment() - * Each Compartment constructor is a global. A host that wants to execute - * code in a context bound to a new global creates a new compartment. - */ - function Compartment(endowments = {}, moduleMap = {}, options = {}) { - // Extract options, and shallow-clone transforms. - const { - name = '', - transforms = [], - globalLexicals = {}, - resolveHook, - importHook, - moduleMapHook, - } = options; - const globalTransforms = [...transforms]; - - const globalObject = {}; - initGlobalObject(globalObject, intrinsics, sharedGlobalPropertyNames, { - globalTransforms, - nativeBrander, - makeCompartmentConstructor, - compartmentPrototype - }); +// TODO wasteful to do it twice, once before lockdown and again during +// lockdown. The second is doubly indirect. We should at least flatten that. +const nativeBrander = tameFunctionToString(); - assign(globalObject, endowments); - - // Map - const moduleRecords = new Map(); - // Map - const instances = new Map(); - // Map - const deferredExports = new Map(); - - // Validate given moduleMap. - // The module map gets translated on-demand in module-load.js and the - // moduleMap can be invalid in ways that cannot be detected in the - // constructor, but these checks allow us to throw early for a better - // developer experience. - for (const [specifier, aliasNamespace] of entries(moduleMap)) { - if (typeof aliasNamespace === 'string') { - // TODO implement parent module record retrieval. - throw new TypeError( - `Cannot map module ${q(specifier)} to ${q( - aliasNamespace, - )} in parent compartment`, - ); - } else if (moduleAliases.get(aliasNamespace) === undefined) { - // TODO create and link a synthetic module instance from the given - // namespace object. - throw ReferenceError( - `Cannot map module ${q( - specifier, - )} because it has no known compartment in this realm`, - ); - } - } +const SuperCompartment = makeCompartmentConstructor( + ModularCompartmentPrototype, + getGlobalIntrinsics(globalThis), + nativeBrander, +); - const invalidNames = getOwnPropertyNames(globalLexicals).filter( - identifier => !isValidIdentifierName(identifier), - ); - if (invalidNames.length) { - throw new Error( - `Cannot create compartment with invalid names for global lexicals: ${invalidNames.join( - ', ', - )}; these names would not be lexically mentionable`, +const ModularCompartment = function Compartment(endowments = {}, moduleMap = {}, options = {}) { + if (new.target === undefined) { + throw new TypeError(`TODO must constructor`); // TODO + } + + SuperCompartment.call(this, endowments, moduleMap, options); + + const { + resolveHook, + importHook, + moduleMapHook, + } = options; + + // Map + const moduleRecords = new Map(); + // Map + const instances = new Map(); + // Map + const deferredExports = new Map(); + + // Validate given moduleMap. + // The module map gets translated on-demand in module-load.js and the + // moduleMap can be invalid in ways that cannot be detected in the + // constructor, but these checks allow us to throw early for a better + // developer experience. + for (const [specifier, aliasNamespace] of entries(moduleMap)) { + if (typeof aliasNamespace === 'string') { + // TODO implement parent module record retrieval. + throw new TypeError( + `Cannot map module ${q(specifier)} to ${q( + aliasNamespace, + )} in parent compartment`, + ); + } else if (moduleAliases.get(aliasNamespace) === undefined) { + // TODO create and link a synthetic module instance from the given + // namespace object. + throw ReferenceError( + `Cannot map module ${q( + specifier, + )} because it has no known compartment in this realm`, ); } - - privateFields.set(this, { - name, - resolveHook, - importHook, - moduleMap, - moduleMapHook, - moduleRecords, - deferredExports, - instances, - globalTransforms, - globalObject, - // The caller continues to own the globalLexicals object they passed to - // the compartment constructor, but the compartment only respects the - // original values and they are constants in the scope of evaluated - // programs and executed modules. - // This shallow copy captures only the values of enumerable own - // properties, erasing accessors. - // The snapshot is frozen to ensure that the properties are immutable - // when transferred-by-property-descriptor onto local scope objects. - globalLexicals: freeze({ ...globalLexicals }), - }); } - defineProperties(Compartment, { - prototype: { value: compartmentPrototype }, + privateFields.set(this, { + resolveHook, + importHook, + moduleMap, + moduleMapHook, + moduleRecords, + deferredExports, + instances, }); - - return Compartment; }; -// TODO wasteful to do it twice, once before lockdown and again during -// lockdown. The second is doubly indirect. We should at least flatten that. -const nativeBrander = tameFunctionToString(); +defineProperties(ModularCompartment, { + prototype: { value: ModularCompartmentPrototype }, +}); -export const Compartment = makeCompartmentConstructor( - ModularCompartmentPrototype, - getGlobalIntrinsics(globalThis), - nativeBrander, -); +export { + ModularCompartment as Compartment, + ModularCompartmentPrototype as CompartmentPrototype +}; diff --git a/packages/ses/test/break-function-eval.test.js b/packages/ses/test/break-function-eval.test.js index 6c84658e4b..21e6674e98 100644 --- a/packages/ses/test/break-function-eval.test.js +++ b/packages/ses/test/break-function-eval.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/module-shim.js'; +import { Compartment } from '../src/compartment-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/compartment-instance.test.js b/packages/ses/test/compartment-instance.test.js index 031e065b99..15754c5cdd 100644 --- a/packages/ses/test/compartment-instance.test.js +++ b/packages/ses/test/compartment-instance.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/module-shim.js'; +import { Compartment } from '../src/compartment-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; @@ -41,10 +41,6 @@ test('Compartment instance', t => { [ 'constructor', 'evaluate', - 'import', - 'importNow', - 'load', - 'module', 'name', 'globalThis', 'toString', diff --git a/packages/ses/test/compartment-prototype.test.js b/packages/ses/test/compartment-prototype.test.js index bef54aad89..0c92ef5970 100644 --- a/packages/ses/test/compartment-prototype.test.js +++ b/packages/ses/test/compartment-prototype.test.js @@ -1,5 +1,5 @@ import tap from 'tap'; -import { Compartment } from '../src/module-shim.js'; +import { Compartment } from '../src/compartment-shim.js'; const { test } = tap; @@ -17,10 +17,6 @@ test('Compartment prototype', t => { [ 'constructor', 'evaluate', - 'import', - 'importNow', - 'load', - 'module', 'name', 'globalThis', 'toString', diff --git a/packages/ses/test/confinement.test.js b/packages/ses/test/confinement.test.js index 31e2d0f592..df3c46f47a 100644 --- a/packages/ses/test/confinement.test.js +++ b/packages/ses/test/confinement.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/module-shim.js'; +import { Compartment } from '../src/compartment-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/global-object-mutability.test.js b/packages/ses/test/global-object-mutability.test.js index 84e6c1ed16..3e57a30546 100644 --- a/packages/ses/test/global-object-mutability.test.js +++ b/packages/ses/test/global-object-mutability.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/module-shim.js'; +import { Compartment } from '../src/compartment-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/global-object-properties.test.js b/packages/ses/test/global-object-properties.test.js index f3d9ddb479..f654460501 100644 --- a/packages/ses/test/global-object-properties.test.js +++ b/packages/ses/test/global-object-properties.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/module-shim.js'; +import { Compartment } from '../src/compartment-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/identity-continuity.test.js b/packages/ses/test/identity-continuity.test.js index 77e67d90dd..86a41db97b 100644 --- a/packages/ses/test/identity-continuity.test.js +++ b/packages/ses/test/identity-continuity.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/module-shim.js'; +import { Compartment } from '../src/compartment-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/module-compartment-instance.test.js b/packages/ses/test/module-compartment-instance.test.js new file mode 100644 index 0000000000..031e065b99 --- /dev/null +++ b/packages/ses/test/module-compartment-instance.test.js @@ -0,0 +1,56 @@ +import tap from 'tap'; +import sinon from 'sinon'; +import { Compartment } from '../src/module-shim.js'; +import stubFunctionConstructors from './stub-function-constructors.js'; + +const { test } = tap; + +test('Compartment instance', t => { + t.plan(9); + + // Mimic repairFunctions. + stubFunctionConstructors(sinon); + + const c = new Compartment(); + + t.equals(typeof c, 'object', 'typeof'); + t.ok(c instanceof Compartment, 'instanceof'); + t.notEquals( + c.constructor, + Compartment, + 'function Compartment() { [native code] }', + ); + + t.equals( + Object.getPrototypeOf(c), + Compartment.prototype, + 'Object.getPrototypeOf()', + ); + t.ok( + // eslint-disable-next-line no-prototype-builtins + Compartment.prototype.isPrototypeOf(c), + 'Compartment.prototype.isPrototypeOf()', + ); + + t.equals(c.toString(), '[object Compartment]', 'toString()'); + t.equals(c[Symbol.toStringTag], undefined, '"Symbol.toStringTag" property'); + + t.deepEqual(Reflect.ownKeys(c), [], 'static properties'); + t.deepEqual( + Reflect.ownKeys(Object.getPrototypeOf(c)).sort(), + [ + 'constructor', + 'evaluate', + 'import', + 'importNow', + 'load', + 'module', + 'name', + 'globalThis', + 'toString', + ].sort(), + 'prototype properties', + ); + + sinon.restore(); +}); diff --git a/packages/ses/test/module-compartment-prototype.test.js b/packages/ses/test/module-compartment-prototype.test.js new file mode 100644 index 0000000000..bef54aad89 --- /dev/null +++ b/packages/ses/test/module-compartment-prototype.test.js @@ -0,0 +1,30 @@ +import tap from 'tap'; +import { Compartment } from '../src/module-shim.js'; + +const { test } = tap; + +test('Compartment prototype', t => { + t.plan(2); + + t.notEquals( + Compartment.prototype.constructor, + Compartment, + 'The initial value of Compartment.prototype.constructor', + ); + + t.deepEqual( + Reflect.ownKeys(Compartment.prototype).sort(), + [ + 'constructor', + 'evaluate', + 'import', + 'importNow', + 'load', + 'module', + 'name', + 'globalThis', + 'toString', + ].sort(), + 'prototype properties', + ); +}); diff --git a/packages/ses/test/reject-direct-eval.test.js b/packages/ses/test/reject-direct-eval.test.js index 523728758e..aae613f5e1 100644 --- a/packages/ses/test/reject-direct-eval.test.js +++ b/packages/ses/test/reject-direct-eval.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/module-shim.js'; +import { Compartment } from '../src/compartment-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/reject-html-comment.test.js b/packages/ses/test/reject-html-comment.test.js index 8a54041bd7..da6adf3c0b 100644 --- a/packages/ses/test/reject-html-comment.test.js +++ b/packages/ses/test/reject-html-comment.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/module-shim.js'; +import { Compartment } from '../src/compartment-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/reject-import-expression.test.js b/packages/ses/test/reject-import-expression.test.js index 289b7878ab..f9f8b52e1c 100644 --- a/packages/ses/test/reject-import-expression.test.js +++ b/packages/ses/test/reject-import-expression.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/module-shim.js'; +import { Compartment } from '../src/compartment-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; diff --git a/packages/ses/test/typeof.test.js b/packages/ses/test/typeof.test.js index c43071c933..ec96528162 100644 --- a/packages/ses/test/typeof.test.js +++ b/packages/ses/test/typeof.test.js @@ -1,6 +1,6 @@ import tap from 'tap'; import sinon from 'sinon'; -import { Compartment } from '../src/module-shim.js'; +import { Compartment } from '../src/compartment-shim.js'; import stubFunctionConstructors from './stub-function-constructors.js'; const { test } = tap; From 5f78b7b7d2347d014d2c946ddf6227b4aa4d20c5 Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Thu, 27 Aug 2020 19:03:30 -0700 Subject: [PATCH 05/15] ses-lite Lint fixes --- packages/ses/ses.js | 6 ++--- packages/ses/src/compartment-shim.js | 18 +++++++-------- packages/ses/src/global-object.js | 7 +++++- packages/ses/src/lockdown-shim.js | 13 ++++++++--- packages/ses/src/module-instance.js | 8 +------ packages/ses/src/module-shim.js | 22 +++++++++---------- .../ses/test/compartment-instance.test.js | 8 +------ .../ses/test/compartment-prototype.test.js | 8 +------ 8 files changed, 40 insertions(+), 50 deletions(-) diff --git a/packages/ses/ses.js b/packages/ses/ses.js index aa33310204..358abd465a 100644 --- a/packages/ses/ses.js +++ b/packages/ses/ses.js @@ -17,9 +17,7 @@ import './lockdown.js'; import { assign } from './src/commons.js'; import { makeLockdown } from './src/lockdown-shim.js'; -import { - makeCompartmentConstructor, -} from './src/compartment-shim.js'; +import { makeCompartmentConstructor } from './src/compartment-shim.js'; import { CompartmentPrototype, Compartment, @@ -28,6 +26,6 @@ import { assign(globalThis, { lockdown: makeLockdown(makeCompartmentConstructor, CompartmentPrototype), - Compartment: Compartment, + Compartment, StaticModuleRecord, }); diff --git a/packages/ses/src/compartment-shim.js b/packages/ses/src/compartment-shim.js index c8188d6993..d952d18ccd 100644 --- a/packages/ses/src/compartment-shim.js +++ b/packages/ses/src/compartment-shim.js @@ -1,4 +1,3 @@ - import { assign, create, @@ -13,12 +12,7 @@ import { isValidIdentifierName } from './scope-constants.js'; import { sharedGlobalPropertyNames } from './whitelist.js'; import { getGlobalIntrinsics } from './intrinsics.js'; import { tameFunctionToString } from './tame-function-tostring.js'; -import { - InertCompartment, -} from './inert.js'; - -// q, for quoting strings. -const q = JSON.stringify; +import { InertCompartment } from './inert.js'; // privateFields captures the private state for each compartment. const privateFields = new WeakMap(); @@ -51,7 +45,7 @@ export const CompartmentPrototype = { const { transforms = [], localLexicals = undefined, - sloppyGlobalsMode = false + sloppyGlobalsMode = false, } = options; const localTransforms = [...transforms]; @@ -83,7 +77,11 @@ defineProperties(InertCompartment, { prototype: { value: CompartmentPrototype }, }); -export const makeCompartmentConstructor = (compartmentPrototype, intrinsics, nativeBrander) => { +export const makeCompartmentConstructor = ( + compartmentPrototype, + intrinsics, + nativeBrander, +) => { /** * Compartment() * Each Compartment constructor is a global. A host that wants to execute @@ -103,7 +101,7 @@ export const makeCompartmentConstructor = (compartmentPrototype, intrinsics, nat globalTransforms, nativeBrander, makeCompartmentConstructor, - compartmentPrototype + compartmentPrototype, }); assign(globalObject, endowments); diff --git a/packages/ses/src/global-object.js b/packages/ses/src/global-object.js index af0efb6417..38ae618b2b 100644 --- a/packages/ses/src/global-object.js +++ b/packages/ses/src/global-object.js @@ -14,7 +14,12 @@ export function initGlobalObject( globalObject, intrinsics, newGlobalPropertyNames, - { globalTransforms, nativeBrander, makeCompartmentConstructor, compartmentPrototype }, + { + globalTransforms, + nativeBrander, + makeCompartmentConstructor, + compartmentPrototype, + }, ) { for (const [name, constant] of entries(constantProperties)) { defineProperty(globalObject, name, { diff --git a/packages/ses/src/lockdown-shim.js b/packages/ses/src/lockdown-shim.js index 0d0c424b8d..45039c7176 100644 --- a/packages/ses/src/lockdown-shim.js +++ b/packages/ses/src/lockdown-shim.js @@ -49,7 +49,11 @@ export const harden = ref => { const alreadyHardenedIntrinsics = () => false; -export function repairIntrinsics(makeCompartmentConstructor, compartmentPrototype, options = {}) { +export function repairIntrinsics( + makeCompartmentConstructor, + compartmentPrototype, + options = {}, +) { // First time, absent options default to 'safe'. // Subsequent times, absent options default to first options. // Thus, all present options must agree with first options. @@ -135,7 +139,7 @@ export function repairIntrinsics(makeCompartmentConstructor, compartmentPrototyp initGlobalObject(globalThis, intrinsics, initialGlobalPropertyNames, { nativeBrander, makeCompartmentConstructor, - compartmentPrototype + compartmentPrototype, }); /** @@ -164,7 +168,10 @@ export function repairIntrinsics(makeCompartmentConstructor, compartmentPrototyp return hardenIntrinsics; } -export const makeLockdown = (makeCompartmentConstructor = undefined, compartmentPrototype = undefined) => { +export const makeLockdown = ( + makeCompartmentConstructor = undefined, + compartmentPrototype = undefined, +) => { const lockdown = (options = {}) => { const maybeHardenIntrinsics = repairIntrinsics( makeCompartmentConstructor, diff --git a/packages/ses/src/module-instance.js b/packages/ses/src/module-instance.js index dc3a61c579..6545c73d14 100644 --- a/packages/ses/src/module-instance.js +++ b/packages/ses/src/module-instance.js @@ -1,11 +1,5 @@ import { getDeferredExports } from './module-proxy.js'; -import { - create, - entries, - keys, - freeze, - defineProperty, -} from './commons.js'; +import { create, entries, keys, freeze, defineProperty } from './commons.js'; // q, for enquoting strings in error messages. const q = JSON.stringify; diff --git a/packages/ses/src/module-shim.js b/packages/ses/src/module-shim.js index d5cd2c7cd6..9c5c501d6f 100644 --- a/packages/ses/src/module-shim.js +++ b/packages/ses/src/module-shim.js @@ -16,11 +16,11 @@ import { link } from './module-link.js'; import { getDeferredExports } from './module-proxy.js'; import { getGlobalIntrinsics } from './intrinsics.js'; import { tameFunctionToString } from './tame-function-tostring.js'; +import { InertModularCompartment, InertStaticModuleRecord } from './inert.js'; import { - InertModularCompartment, - InertStaticModuleRecord, -} from './inert.js'; -import { CompartmentPrototype, makeCompartmentConstructor } from "./compartment-shim.js"; + CompartmentPrototype, + makeCompartmentConstructor, +} from './compartment-shim.js'; // q, for quoting strings. const q = JSON.stringify; @@ -172,18 +172,18 @@ const SuperCompartment = makeCompartmentConstructor( nativeBrander, ); -const ModularCompartment = function Compartment(endowments = {}, moduleMap = {}, options = {}) { +const ModularCompartment = function Compartment( + endowments = {}, + moduleMap = {}, + options = {}, +) { if (new.target === undefined) { throw new TypeError(`TODO must constructor`); // TODO } SuperCompartment.call(this, endowments, moduleMap, options); - const { - resolveHook, - importHook, - moduleMapHook, - } = options; + const { resolveHook, importHook, moduleMapHook } = options; // Map const moduleRecords = new Map(); @@ -233,5 +233,5 @@ defineProperties(ModularCompartment, { export { ModularCompartment as Compartment, - ModularCompartmentPrototype as CompartmentPrototype + ModularCompartmentPrototype as CompartmentPrototype, }; diff --git a/packages/ses/test/compartment-instance.test.js b/packages/ses/test/compartment-instance.test.js index 15754c5cdd..84a4b76439 100644 --- a/packages/ses/test/compartment-instance.test.js +++ b/packages/ses/test/compartment-instance.test.js @@ -38,13 +38,7 @@ test('Compartment instance', t => { t.deepEqual(Reflect.ownKeys(c), [], 'static properties'); t.deepEqual( Reflect.ownKeys(Object.getPrototypeOf(c)).sort(), - [ - 'constructor', - 'evaluate', - 'name', - 'globalThis', - 'toString', - ].sort(), + ['constructor', 'evaluate', 'name', 'globalThis', 'toString'].sort(), 'prototype properties', ); diff --git a/packages/ses/test/compartment-prototype.test.js b/packages/ses/test/compartment-prototype.test.js index 0c92ef5970..d8f47c7c1a 100644 --- a/packages/ses/test/compartment-prototype.test.js +++ b/packages/ses/test/compartment-prototype.test.js @@ -14,13 +14,7 @@ test('Compartment prototype', t => { t.deepEqual( Reflect.ownKeys(Compartment.prototype).sort(), - [ - 'constructor', - 'evaluate', - 'name', - 'globalThis', - 'toString', - ].sort(), + ['constructor', 'evaluate', 'name', 'globalThis', 'toString'].sort(), 'prototype properties', ); }); From 1007dd9f563d9ef161ab54f9cd5bcede39bb937e Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Thu, 27 Aug 2020 19:03:58 -0700 Subject: [PATCH 06/15] Backtrack compartment.js entry point --- packages/ses/package.json | 5 ----- 1 file changed, 5 deletions(-) diff --git a/packages/ses/package.json b/packages/ses/package.json index bce2bcd037..6ecc3bdb25 100644 --- a/packages/ses/package.json +++ b/packages/ses/package.json @@ -17,11 +17,6 @@ "require": "./dist/ses.cjs", "browser": "./dist/ses.umd.js" }, - "./compartment": { - "import": "./compartment.js", - "require": "./dist/compartment.cjs", - "browser": "./dist/compartment.umd.js" - }, "./lockdown": { "import": "./lockdown.js", "require": "./dist/lockdown.cjs", From 7d4d842607aa0c09011ecbe1638f6fe7434be960 Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Thu, 27 Aug 2020 20:50:26 -0700 Subject: [PATCH 07/15] Put harden back! --- packages/ses/lockdown.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/ses/lockdown.js b/packages/ses/lockdown.js index 78ea7fc4e4..386b48ee81 100644 --- a/packages/ses/lockdown.js +++ b/packages/ses/lockdown.js @@ -15,7 +15,7 @@ // Importing the lower-layer "./lockdown.js" ensures that we run later and // replace its global lockdown if an application elects to import both. import { assign } from './src/commons.js'; -import { makeLockdown } from './src/lockdown-shim.js'; +import { makeLockdown, harden } from './src/lockdown-shim.js'; import { makeCompartmentConstructor, CompartmentPrototype, @@ -23,6 +23,7 @@ import { } from './src/compartment-shim.js'; assign(globalThis, { + harden, lockdown: makeLockdown(makeCompartmentConstructor, CompartmentPrototype), Compartment, }); From 37f243a98f2770550ac95304dd89a9d482c68207 Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Wed, 2 Sep 2020 17:23:30 -0700 Subject: [PATCH 08/15] lockdown args are no longer optional --- packages/ses/src/compartment-shim.js | 13 ++++++++---- packages/ses/src/global-object.js | 21 +++++++------------ packages/ses/src/lockdown-shim.js | 15 ++++++++----- packages/ses/test/global-object.test.js | 19 +++++++++++++---- .../ses/test/whitelist-intrinsics.test.js | 9 +++++++- 5 files changed, 50 insertions(+), 27 deletions(-) diff --git a/packages/ses/src/compartment-shim.js b/packages/ses/src/compartment-shim.js index d952d18ccd..08d3aac3f9 100644 --- a/packages/ses/src/compartment-shim.js +++ b/packages/ses/src/compartment-shim.js @@ -97,12 +97,17 @@ export const makeCompartmentConstructor = ( const globalTransforms = [...transforms]; const globalObject = {}; - initGlobalObject(globalObject, intrinsics, sharedGlobalPropertyNames, { - globalTransforms, - nativeBrander, + initGlobalObject( + globalObject, + intrinsics, + sharedGlobalPropertyNames, makeCompartmentConstructor, compartmentPrototype, - }); + { + globalTransforms, + nativeBrander, + }, + ); assign(globalObject, endowments); diff --git a/packages/ses/src/global-object.js b/packages/ses/src/global-object.js index 38ae618b2b..337ca1a61a 100644 --- a/packages/ses/src/global-object.js +++ b/packages/ses/src/global-object.js @@ -14,12 +14,9 @@ export function initGlobalObject( globalObject, intrinsics, newGlobalPropertyNames, - { - globalTransforms, - nativeBrander, - makeCompartmentConstructor, - compartmentPrototype, - }, + makeCompartmentConstructor, + compartmentPrototype, + { globalTransforms, nativeBrander }, ) { for (const [name, constant] of entries(constantProperties)) { defineProperty(globalObject, name, { @@ -62,13 +59,11 @@ export function initGlobalObject( }), }; - if (makeCompartmentConstructor) { - perCompartmentGlobals.Compartment = makeCompartmentConstructor( - compartmentPrototype, - intrinsics, - nativeBrander, - ); - } + perCompartmentGlobals.Compartment = makeCompartmentConstructor( + compartmentPrototype, + intrinsics, + nativeBrander, + ); // TODO These should still be tamed according to the whitelist before // being made available. diff --git a/packages/ses/src/lockdown-shim.js b/packages/ses/src/lockdown-shim.js index 45039c7176..9cf3d0ccbb 100644 --- a/packages/ses/src/lockdown-shim.js +++ b/packages/ses/src/lockdown-shim.js @@ -136,11 +136,16 @@ export function repairIntrinsics( // Initialize the powerful initial global, i.e., the global of the // start compartment, from the intrinsics. - initGlobalObject(globalThis, intrinsics, initialGlobalPropertyNames, { - nativeBrander, + initGlobalObject( + globalThis, + intrinsics, + initialGlobalPropertyNames, makeCompartmentConstructor, compartmentPrototype, - }); + { + nativeBrander, + }, + ); /** * 3. HARDEN to share the intrinsics. @@ -169,8 +174,8 @@ export function repairIntrinsics( } export const makeLockdown = ( - makeCompartmentConstructor = undefined, - compartmentPrototype = undefined, + makeCompartmentConstructor, + compartmentPrototype, ) => { const lockdown = (options = {}) => { const maybeHardenIntrinsics = repairIntrinsics( diff --git a/packages/ses/test/global-object.test.js b/packages/ses/test/global-object.test.js index 1448498990..997f1384b5 100644 --- a/packages/ses/test/global-object.test.js +++ b/packages/ses/test/global-object.test.js @@ -3,6 +3,10 @@ import sinon from 'sinon'; import { initGlobalObject } from '../src/global-object.js'; import stubFunctionConstructors from './stub-function-constructors.js'; import { sharedGlobalPropertyNames } from '../src/whitelist.js'; +import { + makeCompartmentConstructor, + CompartmentPrototype, +} from '../src/compartment-shim.js'; const { test } = tap; @@ -18,9 +22,16 @@ test('globalObject', t => { }; const globalObject = {}; - initGlobalObject(globalObject, intrinsics, sharedGlobalPropertyNames, { - nativeBrander(_) {}, - }); + initGlobalObject( + globalObject, + intrinsics, + sharedGlobalPropertyNames, + makeCompartmentConstructor, + CompartmentPrototype, + { + nativeBrander(_) {}, + }, + ); t.ok(globalObject instanceof Object); t.equal(Object.getPrototypeOf(globalObject), Object.prototype); @@ -28,7 +39,7 @@ test('globalObject', t => { t.notEqual(globalObject, globalThis); t.equal(globalObject.globalThis, globalObject); - t.equals(Object.getOwnPropertyNames(globalObject).length, 6); + t.equals(Object.getOwnPropertyNames(globalObject).length, 7); const descs = Object.getOwnPropertyDescriptors(globalObject); for (const [name, desc] of Object.entries(descs)) { diff --git a/packages/ses/test/whitelist-intrinsics.test.js b/packages/ses/test/whitelist-intrinsics.test.js index b63524369e..ab7d049cbd 100644 --- a/packages/ses/test/whitelist-intrinsics.test.js +++ b/packages/ses/test/whitelist-intrinsics.test.js @@ -1,6 +1,10 @@ import tap from 'tap'; import '../ses.js'; import { repairIntrinsics } from '../src/lockdown-shim.js'; +import { + makeCompartmentConstructor, + CompartmentPrototype, +} from '../src/compartment-shim.js'; const { test } = tap; @@ -21,7 +25,10 @@ test('whitelistPrototypes - on', t => { Object.prototype.hasOwnProperty.foo = 1; console.time('Benchmark repairIntrinsics()'); - const hardenIntrinsics = repairIntrinsics(); + const hardenIntrinsics = repairIntrinsics( + makeCompartmentConstructor, + CompartmentPrototype, + ); console.timeEnd('Benchmark repairIntrinsics()'); console.time('Benchmark hardenIntrinsics()'); From debc508cfe4ac5e59f7a38c5c41da31ee13404e8 Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Wed, 2 Sep 2020 17:50:09 -0700 Subject: [PATCH 09/15] externalize compartment prototype setup --- packages/ses/src/compartment-shim.js | 8 ++++---- packages/ses/src/global-object.js | 4 ++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/packages/ses/src/compartment-shim.js b/packages/ses/src/compartment-shim.js index 08d3aac3f9..8e54c378b9 100644 --- a/packages/ses/src/compartment-shim.js +++ b/packages/ses/src/compartment-shim.js @@ -138,10 +138,6 @@ export const makeCompartmentConstructor = ( }); } - defineProperties(Compartment, { - prototype: { value: compartmentPrototype }, - }); - return Compartment; }; @@ -154,3 +150,7 @@ export const Compartment = makeCompartmentConstructor( getGlobalIntrinsics(globalThis), nativeBrander, ); + +defineProperties(Compartment, { + prototype: { value: CompartmentPrototype }, +}); diff --git a/packages/ses/src/global-object.js b/packages/ses/src/global-object.js index 337ca1a61a..d6746a5c69 100644 --- a/packages/ses/src/global-object.js +++ b/packages/ses/src/global-object.js @@ -65,6 +65,10 @@ export function initGlobalObject( nativeBrander, ); + defineProperty(perCompartmentGlobals.Compartment, 'prototype', { + value: compartmentPrototype, + }); + // TODO These should still be tamed according to the whitelist before // being made available. for (const [name, value] of entries(perCompartmentGlobals)) { From fa774675b6a779e7f928e57dd475a9e24bb6f96c Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Wed, 2 Sep 2020 17:57:14 -0700 Subject: [PATCH 10/15] unthread compartment prototype from makeCompartmentConstructor --- packages/ses/src/compartment-shim.js | 9 ++------- packages/ses/src/global-object.js | 1 - packages/ses/src/module-shim.js | 1 - 3 files changed, 2 insertions(+), 9 deletions(-) diff --git a/packages/ses/src/compartment-shim.js b/packages/ses/src/compartment-shim.js index 8e54c378b9..38f2429f35 100644 --- a/packages/ses/src/compartment-shim.js +++ b/packages/ses/src/compartment-shim.js @@ -77,11 +77,7 @@ defineProperties(InertCompartment, { prototype: { value: CompartmentPrototype }, }); -export const makeCompartmentConstructor = ( - compartmentPrototype, - intrinsics, - nativeBrander, -) => { +export const makeCompartmentConstructor = (intrinsics, nativeBrander) => { /** * Compartment() * Each Compartment constructor is a global. A host that wants to execute @@ -102,7 +98,7 @@ export const makeCompartmentConstructor = ( intrinsics, sharedGlobalPropertyNames, makeCompartmentConstructor, - compartmentPrototype, + Compartment.prototype, { globalTransforms, nativeBrander, @@ -146,7 +142,6 @@ export const makeCompartmentConstructor = ( const nativeBrander = tameFunctionToString(); export const Compartment = makeCompartmentConstructor( - CompartmentPrototype, getGlobalIntrinsics(globalThis), nativeBrander, ); diff --git a/packages/ses/src/global-object.js b/packages/ses/src/global-object.js index d6746a5c69..8ede1611a7 100644 --- a/packages/ses/src/global-object.js +++ b/packages/ses/src/global-object.js @@ -60,7 +60,6 @@ export function initGlobalObject( }; perCompartmentGlobals.Compartment = makeCompartmentConstructor( - compartmentPrototype, intrinsics, nativeBrander, ); diff --git a/packages/ses/src/module-shim.js b/packages/ses/src/module-shim.js index 9c5c501d6f..4412d4de4c 100644 --- a/packages/ses/src/module-shim.js +++ b/packages/ses/src/module-shim.js @@ -167,7 +167,6 @@ defineProperties(InertModularCompartment, { const nativeBrander = tameFunctionToString(); const SuperCompartment = makeCompartmentConstructor( - ModularCompartmentPrototype, getGlobalIntrinsics(globalThis), nativeBrander, ); From 3baa3743467e9b962350157adef2870936cbab90 Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Wed, 2 Sep 2020 18:36:55 -0700 Subject: [PATCH 11/15] module shim patches whitelist --- packages/ses/ses.js | 3 +++ packages/ses/src/get-anonymous-intrinsics.js | 2 -- packages/ses/src/inert.js | 8 ------ packages/ses/src/module-shim.js | 23 ++++++----------- packages/ses/src/whitelist.js | 27 +++++++------------- 5 files changed, 20 insertions(+), 43 deletions(-) diff --git a/packages/ses/ses.js b/packages/ses/ses.js index 358abd465a..d90acc48c8 100644 --- a/packages/ses/ses.js +++ b/packages/ses/ses.js @@ -18,12 +18,15 @@ import './lockdown.js'; import { assign } from './src/commons.js'; import { makeLockdown } from './src/lockdown-shim.js'; import { makeCompartmentConstructor } from './src/compartment-shim.js'; +import { whitelist, modulesWhitelist } from './src/whitelist.js'; import { CompartmentPrototype, Compartment, StaticModuleRecord, } from './src/module-shim.js'; +assign(whitelist, modulesWhitelist); + assign(globalThis, { lockdown: makeLockdown(makeCompartmentConstructor, CompartmentPrototype), Compartment, diff --git a/packages/ses/src/get-anonymous-intrinsics.js b/packages/ses/src/get-anonymous-intrinsics.js index 7716fd6f0b..b9562038c7 100644 --- a/packages/ses/src/get-anonymous-intrinsics.js +++ b/packages/ses/src/get-anonymous-intrinsics.js @@ -1,7 +1,6 @@ import { getOwnPropertyDescriptor, getPrototypeOf } from './commons.js'; import { InertCompartment, - InertModularCompartment, InertStaticModuleRecord, } from './inert.js'; @@ -112,7 +111,6 @@ export function getAnonymousIntrinsics() { '%ThrowTypeError%': ThrowTypeError, '%TypedArray%': TypedArray, '%InertCompartment%': InertCompartment, - '%InertModularCompartment%': InertModularCompartment, '%InertStaticModuleRecord%': InertStaticModuleRecord, }; diff --git a/packages/ses/src/inert.js b/packages/ses/src/inert.js index d4a00ad15c..24067a5d0c 100644 --- a/packages/ses/src/inert.js +++ b/packages/ses/src/inert.js @@ -6,14 +6,6 @@ export const InertCompartment = function Compartment( throw new TypeError('Not available'); }; -export const InertModularCompartment = function Compartment( - _endowments = {}, - _modules = {}, - _options = {}, -) { - throw new TypeError('Not available'); -}; - // It is not clear that // `StaticModuleRecord.prototype.constructor` needs to be the // useless `InertStaticModuleRecord` rather than diff --git a/packages/ses/src/module-shim.js b/packages/ses/src/module-shim.js index 4412d4de4c..8dcb566823 100644 --- a/packages/ses/src/module-shim.js +++ b/packages/ses/src/module-shim.js @@ -16,7 +16,7 @@ import { link } from './module-link.js'; import { getDeferredExports } from './module-proxy.js'; import { getGlobalIntrinsics } from './intrinsics.js'; import { tameFunctionToString } from './tame-function-tostring.js'; -import { InertModularCompartment, InertStaticModuleRecord } from './inert.js'; +import { InertCompartment, InertStaticModuleRecord } from './inert.js'; import { CompartmentPrototype, makeCompartmentConstructor, @@ -92,7 +92,7 @@ const assertModuleHooks = compartment => { }; const ModularCompartmentPrototypeExtension = { - constructor: InertModularCompartment, + constructor: InertCompartment, module(specifier) { if (typeof specifier !== 'string') { @@ -153,14 +153,10 @@ const ModularCompartmentPrototypeExtension = { }, }; -const ModularCompartmentPrototype = create(Object.prototype, { - ...getOwnPropertyDescriptors(CompartmentPrototype), - ...getOwnPropertyDescriptors(ModularCompartmentPrototypeExtension), -}); - -defineProperties(InertModularCompartment, { - prototype: { value: ModularCompartmentPrototype }, -}); +defineProperties( + CompartmentPrototype, + getOwnPropertyDescriptors(ModularCompartmentPrototypeExtension), +); // TODO wasteful to do it twice, once before lockdown and again during // lockdown. The second is doubly indirect. We should at least flatten that. @@ -227,10 +223,7 @@ const ModularCompartment = function Compartment( }; defineProperties(ModularCompartment, { - prototype: { value: ModularCompartmentPrototype }, + prototype: { value: CompartmentPrototype }, }); -export { - ModularCompartment as Compartment, - ModularCompartmentPrototype as CompartmentPrototype, -}; +export { ModularCompartment as Compartment, CompartmentPrototype }; diff --git a/packages/ses/src/whitelist.js b/packages/ses/src/whitelist.js index ec38913ad7..c1cd2fca13 100644 --- a/packages/ses/src/whitelist.js +++ b/packages/ses/src/whitelist.js @@ -1789,12 +1789,6 @@ export const whitelist = { toString: fn, }, - '%InertModularCompartment%': { - '[[Proto]]': '%FunctionPrototype%', - prototype: '%ModularCompartmentPrototype%', - toString: fn, - }, - '%CompartmentPrototype%': { constructor: '%InertCompartment%', evaluate: fn, @@ -1804,22 +1798,21 @@ export const whitelist = { toString: fn, }, - '%ModularCompartmentPrototype%': { - constructor: '%InertModularCompartment%', - evaluate: fn, - globalThis: getter, - name: getter, + lockdown: fn, + harden: fn, + + '%InitialGetStackString%': fn, +}; + +export const modulesWhitelist = { + '%CompartmentPrototype%': { + ...whitelist['%CompartmentPrototype%'], import: asyncFn, load: asyncFn, importNow: fn, module: fn, - // Should this be proposed? - toString: fn, }, - lockdown: fn, - harden: fn, - StaticModuleRecord: { '[[Proto]]': '%FunctionPrototype%', prototype: '%StaticModuleRecordPrototype%', @@ -1837,6 +1830,4 @@ export const whitelist = { // Should this be proposed? toString: fn, }, - - '%InitialGetStackString%': fn, }; From 610dac7563700c106ee4f420093c1ffd68e62b0f Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Wed, 2 Sep 2020 21:11:43 -0700 Subject: [PATCH 12/15] combined feedback --- packages/ses/package.json | 3 ++- packages/ses/src/compartment-shim.js | 11 ++++++++--- packages/ses/src/get-anonymous-intrinsics.js | 5 +---- packages/ses/src/module-instance.js | 2 +- packages/ses/src/module-shim.js | 15 +++++++++++++-- 5 files changed, 25 insertions(+), 11 deletions(-) diff --git a/packages/ses/package.json b/packages/ses/package.json index 6ecc3bdb25..5f29e2964b 100644 --- a/packages/ses/package.json +++ b/packages/ses/package.json @@ -29,7 +29,8 @@ "clean": "rm -rf dist", "lint": "eslint '**/*.js'", "lint-fix": "eslint --fix '**/*.js'", - "test": "yarn build && tap --no-esm --no-coverage --reporter spec 'test/**/*.test.js'", + "qt": "tap --no-esm --no-coverage --reporter spec 'test/**/*.test.js'", + "test": "yarn build && yarn qt", "test262": "tap --no-esm --no-coverage --reporter spec test262/*.js", "build": "rollup --config rollup.config.js", "demo": "http-server -o /demos" diff --git a/packages/ses/src/compartment-shim.js b/packages/ses/src/compartment-shim.js index 38f2429f35..94c9ce0b07 100644 --- a/packages/ses/src/compartment-shim.js +++ b/packages/ses/src/compartment-shim.js @@ -37,6 +37,8 @@ export const CompartmentPrototype = { */ evaluate(source, options = {}) { // Perform this check first to avoid unecessary sanitizing. + // TODO Maybe relax string check and coerce instead: + // https://github.com/tc39/proposal-dynamic-code-brand-checks if (typeof source !== 'string') { throw new TypeError('first argument of evaluate() must be a string'); } @@ -44,8 +46,8 @@ export const CompartmentPrototype = { // Extract options, and shallow-clone transforms. const { transforms = [], - localLexicals = undefined, sloppyGlobalsMode = false, + __moduleShimLexicals__ = undefined, } = options; const localTransforms = [...transforms]; @@ -56,9 +58,12 @@ export const CompartmentPrototype = { } = privateFields.get(this); let localObject = globalLexicals; - if (localLexicals !== undefined) { + if (__moduleShimLexicals__ !== undefined) { localObject = create(null, getOwnPropertyDescriptors(globalLexicals)); - defineProperties(localObject, getOwnPropertyDescriptors(localLexicals)); + defineProperties( + localObject, + getOwnPropertyDescriptors(__moduleShimLexicals__), + ); } return performEval(source, globalObject, localObject, { diff --git a/packages/ses/src/get-anonymous-intrinsics.js b/packages/ses/src/get-anonymous-intrinsics.js index b9562038c7..ae1c56587c 100644 --- a/packages/ses/src/get-anonymous-intrinsics.js +++ b/packages/ses/src/get-anonymous-intrinsics.js @@ -1,8 +1,5 @@ import { getOwnPropertyDescriptor, getPrototypeOf } from './commons.js'; -import { - InertCompartment, - InertStaticModuleRecord, -} from './inert.js'; +import { InertCompartment, InertStaticModuleRecord } from './inert.js'; /** * Object.getConstructorOf() diff --git a/packages/ses/src/module-instance.js b/packages/ses/src/module-instance.js index 6545c73d14..e1d24f8912 100644 --- a/packages/ses/src/module-instance.js +++ b/packages/ses/src/module-instance.js @@ -318,7 +318,7 @@ export const makeModuleInstance = ( let optFunctor = compartment.evaluate(functorSource, { globalObject, - localLexicals, // live bindings over global lexicals + __moduleShimLexicals__: localLexicals, }); let didThrow = false; let thrownError; diff --git a/packages/ses/src/module-shim.js b/packages/ses/src/module-shim.js index 8dcb566823..f26e9905f5 100644 --- a/packages/ses/src/module-shim.js +++ b/packages/ses/src/module-shim.js @@ -4,7 +4,6 @@ import babel from '@agoric/babel-standalone'; import { makeModuleAnalyzer } from '@agoric/transform-module'; import { - create, defineProperties, entries, freeze, @@ -44,6 +43,16 @@ export function StaticModuleRecord(string, url) { const analysis = analyzeModule({ string, url }); + // `keys` below is Object.keys which shows only the names of string-named + // enumerable own properties. + // By contrast, Reflect.ownKeys also shows the names of symbol-named + // enumerable own properties. + // `sort` defaults to a comparator that stringifies the array elements in a + // manner which fails on symbol-named properties. + // Distinct symbols can have the same stringification. + // + // The other subtle reason this is correct is that analysis.imports should + // only have identifier-named own properties. this.imports = keys(analysis.imports).sort(); freeze(this); @@ -173,7 +182,9 @@ const ModularCompartment = function Compartment( options = {}, ) { if (new.target === undefined) { - throw new TypeError(`TODO must constructor`); // TODO + throw new TypeError( + `Class constructor Compartment cannot be invoked without 'new'`, + ); } SuperCompartment.call(this, endowments, moduleMap, options); From ee3edce65b44799f995fa29d303543277e56c6a8 Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Thu, 3 Sep 2020 10:33:35 -0700 Subject: [PATCH 13/15] Use Reflect.construct on SuperCompartment --- packages/ses/src/module-shim.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/packages/ses/src/module-shim.js b/packages/ses/src/module-shim.js index f26e9905f5..f4e488ec70 100644 --- a/packages/ses/src/module-shim.js +++ b/packages/ses/src/module-shim.js @@ -187,7 +187,7 @@ const ModularCompartment = function Compartment( ); } - SuperCompartment.call(this, endowments, moduleMap, options); + const self = Reflect.construct(SuperCompartment, [endowments, moduleMap, options], new.target); const { resolveHook, importHook, moduleMapHook } = options; @@ -222,7 +222,7 @@ const ModularCompartment = function Compartment( } } - privateFields.set(this, { + privateFields.set(self, { resolveHook, importHook, moduleMap, @@ -231,6 +231,8 @@ const ModularCompartment = function Compartment( deferredExports, instances, }); + + return self; }; defineProperties(ModularCompartment, { From cbcd102bfe81d02f209cadd68e0c45881a0c0e16 Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Thu, 3 Sep 2020 10:56:45 -0700 Subject: [PATCH 14/15] Lint fix --- packages/ses/src/module-shim.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/packages/ses/src/module-shim.js b/packages/ses/src/module-shim.js index f4e488ec70..7dd2f64cff 100644 --- a/packages/ses/src/module-shim.js +++ b/packages/ses/src/module-shim.js @@ -187,7 +187,11 @@ const ModularCompartment = function Compartment( ); } - const self = Reflect.construct(SuperCompartment, [endowments, moduleMap, options], new.target); + const self = Reflect.construct( + SuperCompartment, + [endowments, moduleMap, options], + new.target, + ); const { resolveHook, importHook, moduleMapHook } = options; From 33666ed60ce3b30e7b9701474027b8a1fe98c53f Mon Sep 17 00:00:00 2001 From: Kris Kowal Date: Tue, 1 Sep 2020 16:43:44 -0700 Subject: [PATCH 15/15] WIP fix context object in CommonJS --- packages/endo/src/parse.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/endo/src/parse.js b/packages/endo/src/parse.js index c54cf3b6bc..b4c61ae906 100644 --- a/packages/endo/src/parse.js +++ b/packages/endo/src/parse.js @@ -57,7 +57,8 @@ export const parseCjs = (source, _specifier, location, packageLocation) => { return namespace; }); - functor( + functor.call( + exports, require, exports, module,