#StackBounty: #web-browser #javascript #format-string #string #web-assembly A runtime sometimes converts string arguments (or string re…

Bounty: 100

Suppose that we have this code (in TypeScript syntax):

function one(str: string): string {
  // do something with the string
  return str
}

function two() {
  let s = getSomeString() // returns some unknown string that may contain surrogates
  s = one(s)
  // ...
}

two()

Now suppose that when the string s is passed into the one(s) call, the runtime, instead of returning the str string with WTF characters in tact, returns a copy of the str string with some parts replaced (emphasis: it is not the implementation of one or two that does this replacement, it happens at the return statement where str is returned by the runtime). In particular, if the string contains WTF-16 isolated surrogates (invalid UTF-16), these will be replaced in the copy (returned by the return str statement) with the unicode replacement character. It is important to note that this is not common, and most developers will not be aware of this until it happens.

Imagine that the runtime did not perform any format conversions between function calls before, but it recently added this conversion of function arguments or their return values (without a function implementation knowing how it will be handled).

In such a runtime, could there be a security issue after the runtime has switched from never changing strings to now doing it sometimes? If so, what could happen?


In particular, the runtime I am thinking about is JavaScript interfacing with WebAssembly in the browser in the potential near future if the new "Interface Types" proposal passes a vote for string passing to have WTF-to-UTF sanitization.

What I could imagine as an example is some third party library updating the implementation of one or more of their functions from JavaScript to WebAssembly, and in turn, causing strings being passed from JS to WebAssembly (or vice versa) to be replaced by sanitized copies modified from their original form, causing unexpected errors, or in the worst case, a vulnerability.

Is there a potential problem here?


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.