Conversation

Notices

1. Embed this notice
   Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 08:28:07 JST Ryan Castellucci :nonbinary_flag:

   JavaScript has a TypedArray class, it's just hidden.

   To access it, one simply needs to do:

   const TypedArray = Object.getPrototypeOf(Uint8Array.prototype).constructor

   You can then use it with the instanceof operator.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 08:33:31 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     See also:

     const AsyncFunction = (async _=>_).constructor;
     const GeneratorFunction = (function *_(){}).constructor;
     const AsyncGeneratorFunction = (async function *_(){}).constructor;
     
   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 08:36:56 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     What other standard JavaScript classes are hidden like this without a global reference?

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 08:41:29 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     Some of these are actual working constructors, e.g. you can do:

     let g_ = new GeneratorFunction('let i = 0; while (1) yield i++;')();
     g_.next(); // yields {value: 0, done: false}
     g_.next(); // yields {value: 1, done: false}
     g_.next(); // yields {value: 2, done: false}
     
   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 08:43:14 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     This is, of course, "sparkling eval". Content-Security-Policy probably treats it as such, otherwise I just accidentally dropped 0-day.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 08:46:09 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     My partner's mother bought me a club mate for Christmas, and between the caffeine rush and how much the commercials playing during the football(🏈) game that's on the TV are making me despise capitalism, I'm shitposting to cope.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 08:49:06 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Cyclophoratrice

     @cyclophora LOL.

     Seriously though, it's just like the regular Function constructor, except for generator functions.

     https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function

     Literally eval with extra steps.

   • Embed this notice
     Cyclophoratrice (cyclophora@mastodon.social)'s status on Thursday, 26-Dec-2024 08:49:07 JST Cyclophoratrice

     in reply to

     @ryanc wait why does it take a string

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 08:57:41 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • F4GRX Sébastien

     @f4grx Some might consider this knowledge unnatural but knowing it pays well enough to be worth the psychic damage.

   • Embed this notice
     F4GRX Sébastien (f4grx@chaos.social)'s status on Thursday, 26-Dec-2024 08:57:43 JST F4GRX Sébastien

     in reply to

     @ryanc programming language of the utterly deranged, look at what they are asking your respect for all this time.

   • Embed this notice
     Cyclophoratrice (cyclophora@mastodon.social)'s status on Thursday, 26-Dec-2024 09:08:57 JST Cyclophoratrice

     in reply to

     @ryanc what is the point of this why does it not take another function or something. I'm crying blood please help

   • Embed this notice
     Cyclophoratrice (cyclophora@mastodon.social)'s status on Thursday, 26-Dec-2024 09:08:57 JST Cyclophoratrice

     in reply to

     @ryanc was it added before people realized eval was a bad idea?

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 09:08:57 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Cyclophoratrice

     @cyclophora The Function() constructor? That's been around for ages. Folks knew better by the time generator functions were a thing, but violence was chosen.

     There are so many ways to do eval in JavaScript, though.

   • Embed this notice
     Cyclophoratrice (cyclophora@mastodon.social)'s status on Thursday, 26-Dec-2024 09:27:42 JST Cyclophoratrice

     in reply to

     @ryanc i feel like there should be a way to turn off eval from inside JS in addition to CSP

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 09:27:42 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Cyclophoratrice

     @cyclophora Did you know that settimeout can take a string argument?

     You can add an invisible button to the dom with an onclick attribute that's a string of code and then call .click() on it.

     Create an iframe with a javascript:... URI.

     It's a bit of a lost cause.

     Also, I've written bytecode interpreters in JavaScript that can run arbitrary code and bypass CSP restrictions.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 27-Dec-2024 00:33:13 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Ge0rG

     @ge0rg Mostly sarcasm. There are more sensible ways to detect whether something is a typed array.

   • Embed this notice
     Ge0rG (ge0rg@chaos.social)'s status on Friday, 27-Dec-2024 00:33:14 JST Ge0rG

     in reply to

     @ryanc
     Not sure if sarcasm or actual Javascript usability improvement... or both?!