feat(ses,pass-style): use no-trapping integrity level for safety

Author: erights

packages/captp/src/captp.js

@@ -47,7 +47,7 @@ const reverseSlot = slot => {
 };
 
 /**
- * @typedef {object} CapTPImportExportTables 
+ * @typedef {object} CapTPImportExportTables
  * @property {(value: any) => CapTPSlot} makeSlotForValue
  * @property {(slot: CapTPSlot, iface: string | undefined) => any} makeValueForSlot
  * @property {(slot: CapTPSlot) => boolean} hasImport
@@ -58,12 +58,12 @@ const reverseSlot = slot => {
  * @property {(slot: CapTPSlot, value: any) => void} markAsExported
  * @property {(slot: CapTPSlot) => void} deleteExport
  * @property {() => void} didDisconnect
- 
+
  * @typedef {object} MakeCapTPImportExportTablesOptions
  * @property {boolean} gcImports
  * @property {(slot: CapTPSlot) => void} releaseSlot
  * @property {(slot: CapTPSlot) => RemoteKit} makeRemoteKit
- 
+
  * @param {MakeCapTPImportExportTablesOptions} options
  * @returns {CapTPImportExportTables}
  */

packages/captp/src/trap.js

@@ -1,5 +1,7 @@
 // Lifted mostly from `@endo/eventual-send/src/E.js`.
 
+const { freeze } = Object;
+
 /**
  * Default implementation of Trap for near objects.
  *
@@ -63,7 +65,10 @@ const TrapProxyHandler = (x, trapImpl) => {
 export const makeTrap = trapImpl => {
   const Trap = x => {
     const handler = TrapProxyHandler(x, trapImpl);
-    return harden(new Proxy(() => {}, handler));
+    return new Proxy(
+      freeze(() => {}),
+      handler,
+    );
   };
 
   const makeTrapGetterProxy = x => {
@@ -77,7 +82,7 @@ export const makeTrap = trapImpl => {
         return trapImpl.get(x, prop);
       },
     });
-    return new Proxy(Object.create(null), handler);
+    return new Proxy(freeze(Object.create(null)), handler);
   };
   Trap.get = makeTrapGetterProxy;
 

packages/eventual-send/src/E.js

@@ -2,7 +2,7 @@ import { trackTurns } from './track-turns.js';
 import { makeMessageBreakpointTester } from './message-breakpoints.js';
 
 const { details: X, quote: q, Fail, error: makeError } = assert;
-const { assign, create } = Object;
+const { assign, create, freeze } = Object;
 
 /**
  * @import { HandledPromiseConstructor } from './types.js';
@@ -171,6 +171,13 @@ const makeEGetProxyHandler = (x, HandledPromise) =>
  * @param {HandledPromiseConstructor} HandledPromise
  */
 const makeE = HandledPromise => {
+  // Note the use of `freeze` rather than `harden` below. This is because
+  // `harden` now implies no-trapping, and we depend on proxies with these
+  // almost-empty targets to remain trapping for traps `get`, `apply`, and `set`
+  // which can still be interesting even when the target is frozen.
+  // `get` and `has`, if not naming an own property, are still general traps,
+  // which we rely on. `apply`, surprisingly perhaps, is free to ignore the
+  // target's call behavior and just do its own thing instead.
   return harden(
     assign(
       /**
@@ -182,8 +189,12 @@ const makeE = HandledPromise => {
        * @param {T} x target for method/function call
        * @returns {ECallableOrMethods<RemoteFunctions<T>>} method/function call proxy
        */
-      // @ts-expect-error XXX typedef
-      x => harden(new Proxy(() => {}, makeEProxyHandler(x, HandledPromise))),
+      x =>
+        // @ts-expect-error XXX typedef
+        new Proxy(
+          freeze(() => {}),
+          makeEProxyHandler(x, HandledPromise),
+        ),
       {
         /**
          * E.get(x) returns a proxy on which you can get arbitrary properties.
@@ -198,8 +209,9 @@ const makeE = HandledPromise => {
          */
         get: x =>
           // @ts-expect-error XXX typedef
-          harden(
-            new Proxy(create(null), makeEGetProxyHandler(x, HandledPromise)),
+          new Proxy(
+            freeze(create(null)),
+            makeEGetProxyHandler(x, HandledPromise),
           ),
 
         /**
@@ -224,8 +236,9 @@ const makeE = HandledPromise => {
          */
         sendOnly: x =>
           // @ts-expect-error XXX typedef
-          harden(
-            new Proxy(() => {}, makeESendOnlyProxyHandler(x, HandledPromise)),
+          new Proxy(
+            freeze(() => {}),
+            makeESendOnlyProxyHandler(x, HandledPromise),
           ),
 
         /**

packages/eventual-send/src/handled-promise.js

@@ -307,6 +307,8 @@ export const makeHandledPromise = () => {
         const { proxy: proxyOpts } = options;
         let presence;
         if (proxyOpts) {
+          // TODO for these cases, it will be unreasonably hard for all uses
+          // to avoid hardening the returned proxy.
           const {
             handler: proxyHandler,
             target: proxyTarget,

packages/exo/src/exo-makers.js

@@ -8,7 +8,14 @@ import { defendPrototype, defendPrototypeKit } from './exo-tools.js';
  * @import {Amplify, ExoClassKitMethods, ExoClassMethods, FarClassOptions, Guarded, GuardedKit, ExoClassInterfaceGuardKit, IsInstance, KitContext, ExoClassInterfaceGuard, Methods, FacetName} from './types.js';
  */
 
-const { create, seal, freeze, defineProperty, values } = Object;
+const {
+  create,
+  seal,
+  defineProperty,
+  values,
+  // @ts-expect-error TS doesn't know this is on ObjectConstructor
+  suppressTrapping,
+} = Object;
 
 // Turn on to give each exo instance its own toStringTag value.
 const LABEL_INSTANCES = environmentOptionsListHas('DEBUG', 'label-instances');
@@ -92,7 +99,7 @@ export const defineExoClass = (
 
     // Be careful not to freeze the state record
     /** @type {import('./types.js').ClassContext<ReturnType<I>,M>} */
-    const context = freeze({ state, self });
+    const context = suppressTrapping({ state, self });
     contextMap.set(self, context);
     if (finish) {
       finish(context);
@@ -173,7 +180,7 @@ export const defineExoClassKit = (
     });
     context.facets = facets;
     // Be careful not to freeze the state record
-    freeze(context);
+    suppressTrapping(context);
     if (finish) {
       finish(context);
     }

packages/far/test/marshal-far-function.test.js

@@ -58,7 +58,7 @@ test('Data can contain far functions', t => {
   const arrow = Far('arrow', a => a + 1);
   t.is(passStyleOf(harden({ x: 8, foo: arrow })), 'copyRecord');
   const mightBeMethod = a => a + 1;
-  t.throws(() => passStyleOf(freeze({ x: 8, foo: mightBeMethod })), {
+  t.throws(() => passStyleOf(harden({ x: 8, foo: mightBeMethod })), {
     message: /Remotables with non-methods like "x" /,
   });
 });

packages/marshal/src/encodeToCapData.js

@@ -30,7 +30,8 @@ const {
   is,
   entries,
   fromEntries,
-  freeze,
+  // @ts-expect-error TS doesn't know this is on ObjectConstructor
+  suppressTrapping,
 } = Object;
 
 /**
@@ -176,10 +177,10 @@ export const makeEncodeToCapData = (encodeOptions = {}) => {
             // We harden the entire capData encoding before we return it.
             // `encodeToCapData` requires that its input be Passable, and
             // therefore hardened.
-            // The `freeze` here is needed anyway, because the `rest` is
+            // The `suppressTrapping` here is needed anyway, because the `rest` is
             // freshly constructed by the `...` above, and we're using it
             // as imput in another call to `encodeToCapData`.
-            result.rest = encodeToCapDataRecur(freeze(rest));
+            result.rest = encodeToCapDataRecur(suppressTrapping(rest));
           }
           return result;
         }

packages/marshal/src/marshal-stringify.js

@@ -5,6 +5,8 @@ import { makeMarshal } from './marshal.js';
 
 /** @import {Passable} from '@endo/pass-style' */
 
+const { freeze } = Object;
+
 /** @type {import('./types.js').ConvertValToSlot<any>} */
 const doNotConvertValToSlot = val =>
   Fail`Marshal's stringify rejects presences and promises ${val}`;
@@ -23,7 +25,13 @@ const badArrayHandler = harden({
   },
 });
 
-const badArray = harden(new Proxy(harden([]), badArrayHandler));
+// Note the use of `freeze` rather than `harden` below. This is because
+// `harden` now implies no-trapping, and we depend on proxies with these
+// almost-empty targets to remain trapping for the `get` trap
+// which can still be interesting even when the target is frozen.
+// `get`, if not naming an own property, are still general traps,
+// which we rely on.
+const badArray = new Proxy(freeze([]), badArrayHandler);
 
 const { serialize, unserialize } = makeMarshal(
   doNotConvertValToSlot,
@@ -48,7 +56,13 @@ harden(stringify);
  */
 const parse = str =>
   unserialize(
-    harden({
+    // Note the use of `freeze` rather than `harden` below. This is because
+    // `harden` now implies no-trapping, and we depend on proxies with these
+    // almost-empty targets to remain trapping for the `get` trap
+    // which can still be interesting even when the target is frozen.
+    // `get`, if not naming an own property, are still general traps,
+    // which we rely on.
+    freeze({
       body: str,
       slots: badArray,
     }),

packages/marshal/test/marshal-far-function.test.js

@@ -60,7 +60,7 @@ test('Data can contain far functions', t => {
   const arrow = Far('arrow', a => a + 1);
   t.is(passStyleOf(harden({ x: 8, foo: arrow })), 'copyRecord');
   const mightBeMethod = a => a + 1;
-  t.throws(() => passStyleOf(freeze({ x: 8, foo: mightBeMethod })), {
+  t.throws(() => passStyleOf(harden({ x: 8, foo: mightBeMethod })), {
     message: /Remotables with non-methods like "x" /,
   });
 });

packages/pass-style/src/passStyle-helpers.js

@@ -11,8 +11,9 @@ const {
   getOwnPropertyDescriptor,
   getPrototypeOf,
   hasOwnProperty: objectHasOwnProperty,
-  isFrozen,
   prototype: objectPrototype,
+  // @ts-expect-error TS does not yet have `isNoTrapping` on ObjectConstructor
+  isNoTrapping,
 } = Object;
 const { apply } = Reflect;
 const { toStringTag: toStringTagSymbol } = Symbol;
@@ -165,7 +166,7 @@ const makeCheckTagRecord = checkProto => {
       (isObject(tagRecord) ||
         (!!check &&
           CX(check)`A non-object cannot be a tagRecord: ${tagRecord}`)) &&
-      (isFrozen(tagRecord) ||
+      (isNoTrapping(tagRecord) ||
         (!!check && CX(check)`A tagRecord must be frozen: ${tagRecord}`)) &&
       (!isArray(tagRecord) ||
         (!!check && CX(check)`An array cannot be a tagRecord: ${tagRecord}`)) &&