Caja Security Advisory 2017-11-14

Skip to first unread message

Kevin Reid

Nov 14, 2017, 4:29:52 PM11/14/17
to Google Caja Discuss
## Background

Browsers have recently added new language features which allow executing code from a string:

* the "import" expression, and
* async functions and async generators (rather, the corresponding constructors of such functions).

SES, being unaware of these features, could not prevent them from being used to execute arbitrary code.

## Impact and Advice

This is a complete breach of the Caja sandbox. All users should immediately upgrade to Caja [v6012]( or later.

In order to prevent future vulnerabilities of this form, we have switched to having SES and Caja always parse and rewrite the input JS, to guarantee that the input is within the correctly-understood subset of the language. This unfortunately means that source position information in exceptions will not be useful. We are looking into solutions for this problem.
Reply all
Reply to author
0 new messages