
Endo is a distributed secure JavaScript sandbox, based on SES

Results 559 endo issues

Well after https://github.com/Agoric/agoric-sdk/pull/5922 removes uses of this unsafe kludgy option, this PR removes the option itself. Good riddance!

This ship has probably already sailed, but the names of `serialize` and `unserialize` are misleading—they don't actually produce/consume a serialized representation, but rather a CapData structure that in practice is...

design

Security researcher @nvk0x pointed out to us that anyone attempting to run `npm install` or `yarn install` in one of the Compartment Mapper test fixtures would be vulnerable to an...

ses: (`master` at time of writing [ac1cc0](https://github.com/endojs/endo/tree/ac1cc06f3665c94ace2f551a07072cc094706a62)) node: v14.17.6 (and v16.9.1, v17.2.0)
```js
require('ses/lockdown');
lockdown({ errorTaming: 'unsafe', stackFiltering: 'verbose', consoleTaming: 'unsafe', domainTaming: 'unsafe' })
console.error(new Error('boom'));
```
logs only ```...

good first issue
debugging support
kriskowal-review-2024-01
kriskowal-just-do-it-2024-01
ecosystem-compatibility

https://github.com/Agoric/agoric-sdk/pull/5892/files?diff=split&w=1#r937349609 noticed that disabling `trackTurns` (https://github.com/Agoric/agoric-sdk/issues/5886) caused a GC-sensitive SwingSet unit test to fail, because an object (a Presence delivered into a vat method) was retained too long when `trackTurns`...

https://github.com/Agoric/agoric-sdk/pull/5774/
**Acceptance criteria**
- module imports either have side-effects OR bindings
- Ava macros work

@erights and I were investigating a [potential object-retention problem](https://github.com/Agoric/agoric-sdk/pull/5892/files?diff=split&w=1#r937349609) with the track-turns implementation, when we noticed that the following line: https://github.com/endojs/endo/blob/1895f5b0172cadacb4fc54b9f64c7e0c8314d041/packages/eventual-send/src/track-turns.js#L81 would be vulnerable to the wrapped function's return value...

confinement
debugging support
endo
kriskowal-review-2024-01

We will eventually need a way to generate (`assert`, `console`) pairs that communicate notes through external storage instead of memory, as assert notes close over a graph of indefinite size...

debugging support
kriskowal-review-2024-01
product

In a discussion about input validation to avoid reentrancy risks in cases such as `amount.brand`, I asked whether stamps (a la [ejectorsGuardsTrademarks.js](https://github.com/googlearchive/caja/blob/master/src/com/google/caja/ses/ejectorsGuardsTrademarks.js)) would work? @erights writes: > ... the path...

enhancement

Per #123, this is a note that there remains some value in eventually porting ejectors, guards, & trademarks from Google Caja. https://github.com/Agoric/SES/blob/0.5.0/src/old/ejectorsGuardsTrademarks.js

enhancement
design