fix(ses)!: align with XS property censorship agreement

Author: erights

packages/ses/src/permits.js

@@ -326,7 +326,7 @@ function TypedArrayPrototype(constructor) {
 }
 
 // Without Math.random
-const SharedMath = {
+const CommonMath = {
   E: 'number',
   LN10: 'number',
   LN2: 'number',
@@ -649,12 +649,16 @@ export const permitted = {
   },
 
   '%InitialMath%': {
-    ...SharedMath,
-    // random is standard but omitted from SharedMath
+    ...CommonMath,
+    // `%InitialMath%.random()` has the standard unsafe behavior
     random: fn,
   },
 
-  '%SharedMath%': SharedMath,
+  '%SharedMath%': {
+    ...CommonMath,
+    // `%SharedMath%.random()` is tamed to always throw
+    random: fn,
+  },
 
   '%InitialDate%': {
     // Properties of the Date Constructor
@@ -668,6 +672,7 @@ export const permitted = {
   '%SharedDate%': {
     // Properties of the Date Constructor
     '[[Proto]]': '%FunctionPrototype%',
+    // `%SharedDate%.now()` is tamed to always throw
     now: fn,
     parse: fn,
     prototype: '%DatePrototype%',

packages/ses/src/tame-date-constructor.js

@@ -17,26 +17,38 @@ export default function tameDateConstructor(dateTaming = 'safe') {
 
   // Use concise methods to obtain named functions without constructors.
   const tamedMethods = {
+    /**
+     * `%SharedDate%.now()` throw a `TypeError` starting with "secure mode".
+     * See https://github.com/endojs/endo/issues/910#issuecomment-1581855420
+     */
     now() {
-      return NaN;
+      throw TypeError('secure mode Calling %SharedDate%.now() throws');
     },
   };
 
-  // Tame the Date constructor.
-  // Common behavior
-  //   * new Date(x) coerces x into a number and then returns a Date
-  //     for that number of millis since the epoch
-  //   * new Date(NaN) returns a Date object which stringifies to
-  //     'Invalid Date'
-  //   * new Date(undefined) returns a Date object which stringifies to
-  //     'Invalid Date'
-  // OriginalDate (normal standard) behavior
-  //   * Date(anything) gives a string with the current time
-  //   * new Date() returns the current time, as a Date object
-  // SharedDate behavior
-  //   * Date(anything) returned 'Invalid Date'
-  //   * new Date() returns a Date object which stringifies to
-  //     'Invalid Date'
+  /**
+   * Tame the Date constructor.
+   * See https://github.com/endojs/endo/issues/910#issuecomment-1581855420
+   *
+   * Common behavior
+   *   * `new Date(x)` coerces x into a number and then returns a Date
+   *     for that number of millis since the epoch
+   *   * `new Date(NaN)` returns a Date object which stringifies to
+   *     'Invalid Date'
+   *   * `new Date(undefined)` returns a Date object which stringifies to
+   *     'Invalid Date'
+   *
+   * OriginalDate (normal standard) behavior preserved by
+   * `%InitialDate%`.
+   *   * `Date(anything)` gives a string with the current time
+   *   * `new Date()` returns the current time, as a Date object
+   *
+   * `%SharedDate%` behavior
+   *   * `Date(anything)` throws a TypeError starting with "secure mode"
+   *   * `new Date()` throws a TypeError starting with "secure mode"
+   *
+   * @param {{powers?: string}} [opts]
+   */
   const makeDateConstructor = ({ powers = 'none' } = {}) => {
     let ResultDate;
     if (powers === 'original') {
@@ -51,10 +63,14 @@ export default function tameDateConstructor(dateTaming = 'safe') {
       // eslint-disable-next-line no-shadow
       ResultDate = function Date(...rest) {
         if (new.target === undefined) {
-          return 'Invalid Date';
+          throw TypeError(
+            'secure mode Calling %SharedDate% constructor as a function throws',
+          );
         }
         if (rest.length === 0) {
-          rest = [NaN];
+          throw TypeError(
+            'secure mode Calling new %SharedDate%() with no arguments throws',
+          );
         }
         return construct(OriginalDate, rest, new.target);
       };
@@ -69,13 +85,13 @@ export default function tameDateConstructor(dateTaming = 'safe') {
         configurable: false,
       },
       parse: {
-        value: Date.parse,
+        value: OriginalDate.parse,
         writable: true,
         enumerable: false,
         configurable: true,
       },
       UTC: {
-        value: Date.UTC,
+        value: OriginalDate.UTC,
         writable: true,
         enumerable: false,
         configurable: true,
@@ -88,7 +104,7 @@ export default function tameDateConstructor(dateTaming = 'safe') {
 
   defineProperties(InitialDate, {
     now: {
-      value: Date.now,
+      value: OriginalDate.now,
       writable: true,
       enumerable: false,
       configurable: true,

packages/ses/src/tame-math-object.js

@@ -16,7 +16,26 @@ export default function tameMathObject(mathTaming = 'safe') {
   const { random: _, ...otherDescriptors } =
     getOwnPropertyDescriptors(originalMath);
 
-  const sharedMath = create(objectPrototype, otherDescriptors);
+  // Use concise methods to obtain named functions without constructors.
+  const tamedMethods = {
+    /**
+     * `%SharedMath%.random()` throws a TypeError starting with "secure mode".
+     * See https://github.com/endojs/endo/issues/910#issuecomment-1581855420
+     */
+    random() {
+      throw TypeError('secure mode %SharedMath%.random() throws');
+    },
+  };
+
+  const sharedMath = create(objectPrototype, {
+    ...otherDescriptors,
+    random: {
+      value: tamedMethods.random,
+      writable: true,
+      enumerable: false,
+      configurable: true,
+    },
+  });
 
   return {
     '%InitialMath%': initialMath,

packages/ses/test/test-tame-date-unit.js

@@ -10,30 +10,34 @@ test('tameDateConstructor - initial constructor without argument', t => {
   const date = new InitialDate();
 
   t.truthy(date instanceof InitialDate);
+  t.truthy(date instanceof SharedDate);
   // eslint-disable-next-line no-proto
   t.is(date.__proto__.constructor, SharedDate);
+  t.is(date.constructor, SharedDate);
 
   t.not(date.toString(), 'Invalid Date');
 });
 
 test('tameDateConstructor - shared constructor without argument', t => {
   t.is(SharedDate.name, 'Date');
 
-  const date = new SharedDate();
+  t.throws(() => new SharedDate(), {
+    message: /^secure mode/,
+  });
+});
 
-  t.truthy(date instanceof SharedDate);
-  // eslint-disable-next-line no-proto
-  t.is(date.__proto__.constructor, SharedDate);
+test('tameDateConstructor - initial constructor called as function', t => {
+  const date = InitialDate(undefined);
 
-  t.is(date.toString(), 'Invalid Date');
+  t.not(date.toString(), 'Invalid Date');
 });
 
-test('tameDateConstructor - shared constructor now', t => {
-  t.is(SharedDate.now.name, 'now');
-
-  const date = SharedDate.now();
+test('tameDateConstructor - shared constructor called as function', t => {
+  t.is(SharedDate.name, 'Date');
 
-  t.truthy(Number.isNaN(date));
+  t.throws(() => SharedDate(undefined), {
+    message: /^secure mode/,
+  });
 });
 
 test('tameDateConstructor - initial constructor now', t => {
@@ -43,3 +47,11 @@ test('tameDateConstructor - initial constructor now', t => {
 
   t.truthy(Number(date) > 1);
 });
+
+test('tameDateConstructor - shared constructor now', t => {
+  t.is(SharedDate.now.name, 'now');
+
+  t.throws(() => SharedDate.now(), {
+    message: /^secure mode/,
+  });
+});

packages/ses/test/test-tame-date.js

@@ -18,27 +18,37 @@ test('lockdown start Date is powerful', t => {
 test('lockdown Date.prototype.constructor is powerless', t => {
   const SharedDate = Date.prototype.constructor;
   t.not(Date, SharedDate);
-  t.truthy(Number.isNaN(SharedDate.now()));
-  t.is(`${new SharedDate()}`, 'Invalid Date');
+
+  t.throws(() => SharedDate.now(), {
+    message: /^secure mode/,
+  });
+
+  t.throws(() => new SharedDate(), {
+    message: /^secure mode/,
+  });
 });
 
 test('lockdown Date in Compartment is powerless', t => {
   const c = new Compartment();
   t.is(c.evaluate('Date.parse("1982-04-09")'), Date.parse('1982-04-09'));
 
-  const now = c.evaluate('Date.now()');
-  t.truthy(Number.isNaN(now));
+  t.throws(() => c.evaluate('Date.now()'), {
+    message: /^secure mode/,
+  });
 
-  const newDate = c.evaluate('new Date()');
-  t.is(`${newDate}`, 'Invalid Date');
+  t.throws(() => c.evaluate('new Date()'), {
+    message: /^secure mode/,
+  });
 });
 
 test('lockdown Date in nested Compartment is powerless', t => {
   const c = new Compartment().evaluate('new Compartment()');
 
-  const now = c.evaluate('Date.now()');
-  t.truthy(Number.isNaN(now));
+  t.throws(() => c.evaluate('Date.now()'), {
+    message: /^secure mode/,
+  });
 
-  const newDate = c.evaluate('new Date()');
-  t.is(`${newDate}`, 'Invalid Date');
+  t.throws(() => c.evaluate('new Date()'), {
+    message: /^secure mode/,
+  });
 });

packages/ses/test/test-tame-math-unit.js

@@ -11,5 +11,7 @@ test('tameMathObject - initial properties', t => {
 });
 
 test('tameMathObject - shared properties', t => {
-  t.is(typeof sharedMath.random, 'undefined');
+  t.throws(() => sharedMath.random(), {
+    message: /^secure mode/,
+  });
 });

packages/ses/test/test-tame-math.js

@@ -12,10 +12,16 @@ test('lockdown start Math is powerful', t => {
 
 test('lockdown Math from Compartment is powerless', t => {
   const c = new Compartment();
-  t.is(c.evaluate('typeof Math.random'), 'undefined');
+
+  t.throws(() => c.evaluate('Math.random()'), {
+    message: /^secure mode/,
+  });
 });
 
 test('lockdown Math from nested Compartment is powerless', t => {
   const c = new Compartment().evaluate('new Compartment()');
-  t.is(c.evaluate('typeof Math.random'), 'undefined');
+
+  t.throws(() => c.evaluate('Math.random()'), {
+    message: /^secure mode/,
+  });
 });