// META: global=window,worker
// META: script=../resources/utils.js
/**
 * Hardening check: a `then` planted on Object.prototype must not be able to
 * replace the chunk that Response.text() reads from a ReadableStream body.
 */
promise_test(async () => {
  // t.add_cleanup doesn't work when Object.prototype.then is overwritten, so
  // these tests use add_completion_callback for cleanup instead.
  add_completion_callback(() => delete Object.prototype.then);

  const expectedBytes = new TextEncoder().encode('hello');
  const forgedBytes = new TextEncoder().encode('bye');
  const bodyStream = new ReadableStream({
    start(ctrl) {
      ctrl.enqueue(expectedBytes);
      ctrl.close();
    }
  });
  const response = new Response(bodyStream);

  // One-shot hook, installed only after the Response exists. Resolving a
  // promise with a plain object looks up `then` on it, so an implementation
  // that resolved with an ordinary read-result object would end up here and
  // be handed a forged {done, value} pair instead of the real chunk.
  Object.prototype.then = (resolveWith) => {
    // Uninstall first so the forged result itself is not treated as thenable.
    delete Object.prototype.then;
    resolveWith({done: false, value: forgedBytes});
  };
  const bodyText = await response.text();
  // The hook only removes itself when called; clear it explicitly as well.
  delete Object.prototype.then;
  assert_equals(bodyText, 'hello', 'The value should be "hello".');
}, 'Attempt to inject {done: false, value: bye} via Object.prototype.then.');
/**
 * Hardening check: a forged read result whose `value` is undefined, delivered
 * through a `then` planted on Object.prototype, must not change what
 * Response.text() returns for a ReadableStream body.
 */
promise_test(async (t) => {
  // Cleanup goes through add_completion_callback rather than the test object.
  add_completion_callback(() => delete Object.prototype.then);

  const expectedBytes = new TextEncoder().encode('hello');
  const bodyStream = new ReadableStream({
    start(ctrl) {
      ctrl.enqueue(expectedBytes);
      ctrl.close();
    }
  });
  const response = new Response(bodyStream);

  // One-shot hook: the first thenable lookup that falls through to
  // Object.prototype gets a "not done" result carrying no chunk at all.
  Object.prototype.then = (resolveWith) => {
    delete Object.prototype.then;
    resolveWith({done: false, value: undefined});
  };
  const bodyText = await response.text();
  // The hook only removes itself when called; clear it explicitly as well.
  delete Object.prototype.then;
  assert_equals(bodyText, 'hello', 'The value should be "hello".');
}, 'Attempt to inject value: undefined via Object.prototype.then.');
/**
 * Hardening check: resolving with bare `undefined` through a `then` planted on
 * Object.prototype must not change what Response.text() returns for a
 * ReadableStream body.
 */
promise_test(async (t) => {
  // Cleanup goes through add_completion_callback rather than the test object.
  add_completion_callback(() => delete Object.prototype.then);

  const expectedBytes = new TextEncoder().encode('hello');
  const bodyStream = new ReadableStream({
    start(ctrl) {
      ctrl.enqueue(expectedBytes);
      ctrl.close();
    }
  });
  const response = new Response(bodyStream);

  // One-shot hook: hands back a value that is not a read-result object at
  // all, so a consumer trusting it would have no `done`/`value` to read.
  Object.prototype.then = (resolveWith) => {
    delete Object.prototype.then;
    resolveWith(undefined);
  };
  const bodyText = await response.text();
  // The hook only removes itself when called; clear it explicitly as well.
  delete Object.prototype.then;
  assert_equals(bodyText, 'hello', 'The value should be "hello".');
}, 'Attempt to inject undefined via Object.prototype.then.');
/**
 * Hardening check: resolving with a primitive number through a `then` planted
 * on Object.prototype must not change what Response.text() returns for a
 * ReadableStream body.
 */
promise_test(async (t) => {
  // Cleanup goes through add_completion_callback rather than the test object.
  add_completion_callback(() => delete Object.prototype.then);

  const expectedBytes = new TextEncoder().encode('hello');
  const bodyStream = new ReadableStream({
    start(ctrl) {
      ctrl.enqueue(expectedBytes);
      ctrl.close();
    }
  });
  const response = new Response(bodyStream);

  // One-shot hook: substitutes a non-object value (8.2) for whatever the
  // hijacked promise resolution was supposed to deliver.
  Object.prototype.then = (resolveWith) => {
    delete Object.prototype.then;
    resolveWith(8.2);
  };
  const bodyText = await response.text();
  // The hook only removes itself when called; clear it explicitly as well.
  delete Object.prototype.then;
  assert_equals(bodyText, 'hello', 'The value should be "hello".');
}, 'Attempt to inject 8.2 via Object.prototype.then.');
/**
 * Hardening check for a Response built directly from bytes (no author-supplied
 * stream): a `then` planted on Object.prototype must not be able to swap the
 * data that Response.text() decodes.
 */
promise_test(async () => {
  // Cleanup goes through add_completion_callback rather than the test object.
  add_completion_callback(() => delete Object.prototype.then);

  const expectedBytes = new TextEncoder().encode('hello');
  const forgedBytes = new TextEncoder().encode('bye');
  const response = new Response(expectedBytes);

  // One-shot hook: if the bytes-to-text path resolved a promise with a plain
  // object, thenable lookup would reach this and receive a forged chunk.
  Object.prototype.then = (resolveWith) => {
    delete Object.prototype.then;
    resolveWith({done: false, value: forgedBytes});
  };
  const bodyText = await response.text();
  // The hook only removes itself when called; clear it explicitly as well.
  delete Object.prototype.then;
  assert_equals(bodyText, 'hello', 'The value should be "hello".');
}, 'intercepting arraybuffer to text conversion via Object.prototype.then ' +
   'should not be possible');
/**
 * Hardening check for Response.body: when a Response built from bytes is piped
 * into a WritableStream, a `then` planted on Object.prototype must not be able
 * to substitute the chunks that reach the sink.
 */
promise_test(async () => {
  // Cleanup goes through add_completion_callback rather than the test object.
  add_completion_callback(() => delete Object.prototype.then);

  const originalBytes = new Uint8Array([1, 2, 3]);
  const forgedBytes = new Uint8Array([4, 5, 6]);
  const response = new Response(originalBytes);

  // Sink that records every byte it is given, so the assertion below sees
  // exactly what came out of the body stream.
  const writtenBytes = [];
  const sink = new WritableStream({
    write(chunk) {
      writtenBytes.push(...Array.from(chunk));
    }
  });

  // One-shot hook: a hijacked promise resolution would deliver [4, 5, 6] as
  // a "not done" read result in place of the real body bytes.
  Object.prototype.then = (resolveWith) => {
    delete Object.prototype.then;
    resolveWith({done: false, value: forgedBytes});
  };
  await response.body.pipeTo(sink);
  // The hook only removes itself when called; clear it explicitly as well.
  delete Object.prototype.then;
  assert_array_equals(writtenBytes, originalBytes, 'The value should be [1, 2, 3]');
}, 'intercepting arraybuffer to body readable stream conversion via ' +
   'Object.prototype.then should not be possible');