Don't compile functions in a context the caller doesn't have access to

src/builtins.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/builtins.h"
 
 #include "src/api-arguments.h"
 #include "src/api-natives.h"
 #include "src/api.h"
 #include "src/base/once.h"
@@ skipping 4084 matching lines @@
 
 
 // static
 void Builtins::Generate_DatePrototypeGetUTCSeconds(MacroAssembler* masm) {
   Generate_DatePrototype_GetField(masm, JSDate::kSecondUTC);
 }
 
 
 namespace {
 
+// Walk up the stack expecting:
+// - ExitFrame
+//  - call() (maybe)
+//  - apply() (maybe)
+//  - bind() (maybe)
+// - JSFunction caller (maybe)
+//
+// return true if the caller has access to the callee or if an exit frame was
+// hit, in which case allow it through, as it could have come through the api.
+bool HasAccessToContextForCreateDynamicFunction(
+    Isolate* isolate, Handle<JSObject> target_global_proxy) {
+  bool exit_handled = true;
+  bool has_access = true;
+  bool done = false;
+  StackFrameIterator it(isolate);
+  // Skip exit frame that corresponds to the builtin call.
+  it.Advance();
+  for (; !it.done() && !done; it.Advance()) {
+    StackFrame* raw_frame = it.frame();
+    if (!raw_frame->is_java_script()) {
+      if (raw_frame->is_exit()) exit_handled = false;
+      continue;
+    }
+    JavaScriptFrame* outer_frame = JavaScriptFrame::cast(raw_frame);
+    List<FrameSummary> frames(FLAG_max_inlining_levels + 1);
+    outer_frame->Summarize(&frames);
+    for (int i = frames.length() - 1; i >= 0 && !done; --i) {
+      FrameSummary& frame = frames[i];
+      Handle<JSFunction> fun = frame.function();
+      if (!isolate->MayAccess(handle(fun->context()), target_global_proxy)) {
+        has_access = false;
+        done = true;
+        continue;
+      }
+      done = true;
+    }
+  }
+  return !exit_handled || has_access;
+}
+
 // ES6 section 19.2.1.1.1 CreateDynamicFunction
-MaybeHandle<JSFunction> CreateDynamicFunction(
+MaybeHandle<Object> CreateDynamicFunction(
     Isolate* isolate,
     BuiltinArguments<BuiltinExtraArguments::kTargetAndNewTarget> args,
     const char* token) {
   // Compute number of arguments, ignoring the receiver.
   DCHECK_LE(1, args.length());
   int const argc = args.length() - 1;
 
+  Handle<JSFunction> target = args.target<JSFunction>();
+  Handle<JSObject> target_global_proxy(target->global_proxy(), isolate);
+
+  if (!HasAccessToContextForCreateDynamicFunction(isolate,
+                                                  target_global_proxy)) {
+    isolate->CountUsage(v8::Isolate::kFunctionConstructorReturnedUndefined);
+    return isolate->factory()->undefined_value();
+  }
+
   // Build the source string.
   Handle<String> source;
   {
     IncrementalStringBuilder builder(isolate);
     builder.AppendCharacter('(');
     builder.AppendCString(token);
     builder.AppendCharacter('(');
     bool parenthesis_in_arg_string = false;
     if (argc > 1) {
       for (int i = 1; i < argc; ++i) {
         if (i > 1) builder.AppendCharacter(',');
         Handle<String> param;
         ASSIGN_RETURN_ON_EXCEPTION(
             isolate, param, Object::ToString(isolate, args.at<Object>(i)),
-            JSFunction);
+            Object);
         param = String::Flatten(param);
         builder.AppendString(param);
         // If the formal parameters string include ) - an illegal
         // character - it may make the combined function expression
         // compile. We avoid this problem by checking for this early on.
         DisallowHeapAllocation no_gc;  // Ensure vectors stay valid.
         String::FlatContent param_content = param->GetFlatContent();
         for (int i = 0, length = param->length(); i < length; ++i) {
           if (param_content.Get(i) == ')') {
             parenthesis_in_arg_string = true;
             break;
           }
         }
       }
       // If the formal parameters include an unbalanced block comment, the
       // function must be rejected. Since JavaScript does not allow nested
       // comments we can include a trailing block comment to catch this.
       builder.AppendCString("\n/**/");
     }
     builder.AppendCString(") {\n");
     if (argc > 0) {
       Handle<String> body;
       ASSIGN_RETURN_ON_EXCEPTION(
           isolate, body, Object::ToString(isolate, args.at<Object>(argc)),
-          JSFunction);
+          Object);
       builder.AppendString(body);
     }
     builder.AppendCString("\n})");
-    ASSIGN_RETURN_ON_EXCEPTION(isolate, source, builder.Finish(), JSFunction);
+    ASSIGN_RETURN_ON_EXCEPTION(isolate, source, builder.Finish(), Object);
 
     // The SyntaxError must be thrown after all the (observable) ToString
     // conversions are done.
     if (parenthesis_in_arg_string) {
       THROW_NEW_ERROR(isolate,
                       NewSyntaxError(MessageTemplate::kParenthesisInArgString),
-                      JSFunction);
+                      Object);
     }
   }
 
   // Compile the string in the constructor and not a helper so that errors to
   // come from here.
-  Handle<JSFunction> target = args.target<JSFunction>();
-  Handle<JSObject> target_global_proxy(target->global_proxy(), isolate);
   Handle<JSFunction> function;
   {
     ASSIGN_RETURN_ON_EXCEPTION(
         isolate, function,
         CompileString(handle(target->native_context(), isolate), source,
                       ONLY_SINGLE_FUNCTION_LITERAL),
-        JSFunction);
+        Object);
     Handle<Object> result;
     ASSIGN_RETURN_ON_EXCEPTION(
         isolate, result,
         Execution::Call(isolate, function, target_global_proxy, 0, nullptr),
-        JSFunction);
+        Object);
     function = Handle<JSFunction>::cast(result);
     function->shared()->set_name_should_print_as_anonymous(true);
   }
 
   // If new.target is equal to target then the function created
   // is already correctly setup and nothing else should be done
   // here. But if new.target is not equal to target then we are
   // have a Function builtin subclassing case and therefore the
   // function has wrong initial map. To fix that we create a new
   // function object with correct initial map.
   Handle<Object> unchecked_new_target = args.new_target();
   if (!unchecked_new_target->IsUndefined() &&
       !unchecked_new_target.is_identical_to(target)) {
     Handle<JSReceiver> new_target =
         Handle<JSReceiver>::cast(unchecked_new_target);
     Handle<Map> initial_map;
     ASSIGN_RETURN_ON_EXCEPTION(
         isolate, initial_map,
-        JSFunction::GetDerivedMap(isolate, target, new_target), JSFunction);
+        JSFunction::GetDerivedMap(isolate, target, new_target), Object);
 
     Handle<SharedFunctionInfo> shared_info(function->shared(), isolate);
     Handle<Map> map = Map::AsLanguageMode(
         initial_map, shared_info->language_mode(), shared_info->kind());
 
     Handle<Context> context(function->context(), isolate);
     function = isolate->factory()->NewFunctionFromSharedFunctionInfo(
         map, shared_info, context, NOT_TENURED);
   }
   return function;
 }
 
 }  // namespace
 
 
 // ES6 section 19.2.1.1 Function ( p1, p2, ... , pn, body )
 BUILTIN(FunctionConstructor) {
   HandleScope scope(isolate);
-  Handle<JSFunction> result;
+  Handle<Object> result;
   ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
       isolate, result, CreateDynamicFunction(isolate, args, "function"));
   return *result;
 }
 
 
 // ES6 section 19.2.3.2 Function.prototype.bind ( thisArg, ...args )
 BUILTIN(FunctionPrototypeBind) {
   HandleScope scope(isolate);
   DCHECK_LE(1, args.length());
@@ skipping 1561 matching lines @@
 BUILTIN_LIST_T(DEFINE_BUILTIN_ACCESSOR_T)
 BUILTIN_LIST_H(DEFINE_BUILTIN_ACCESSOR_H)
 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A)
 #undef DEFINE_BUILTIN_ACCESSOR_C
 #undef DEFINE_BUILTIN_ACCESSOR_A
 #undef DEFINE_BUILTIN_ACCESSOR_T
 #undef DEFINE_BUILTIN_ACCESSOR_H
 
 }  // namespace internal
 }  // namespace v8