From b2cd254c35b6b1b128beea0eacdb8e814d91e003 Mon Sep 17 00:00:00 2001
From: Kenta Moriuchi <moriken@kimamass.com>
Date: Thu, 4 Jan 2024 13:12:38 +0900
Subject: fix: strict type check for cross realms (#21669)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Deno v1.39 introduces `vm.runInNewContext`. This may cause problems when
using `Object.prototype.isPrototypeOf` to check built-in types.

```js
import vm from "node:vm";

const err = new Error();
const crossErr = vm.runInNewContext(`new Error()`);

console.assert( !(crossErr instanceof Error) );
console.assert( Object.getPrototypeOf(err) !== Object.getPrototypeOf(crossErr) );
```

This PR changes to check using internal slots solves them.

---

current:

```
> import vm from "node:vm";
undefined
> vm.runInNewContext(`new Error("message")`)
Error {}
> vm.runInNewContext(`new Date("2018-12-10T02:26:59.002Z")`)
Date {}
```

this PR:

```
> import vm from "node:vm";
undefined
> vm.runInNewContext(`new Error("message")`)
Error: message
    at <anonymous>:1:1
> vm.runInNewContext(`new Date("2018-12-10T02:26:59.002Z")`)
2018-12-10T02:26:59.002Z
```

---------

Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
---
 ext/http/00_serve.js | 4 ++--
 ext/http/01_http.js  | 8 +++++---
 2 files changed, 7 insertions(+), 5 deletions(-)

(limited to 'ext/http')

diff --git a/ext/http/00_serve.js b/ext/http/00_serve.js
index 26632c2ba..131f056a7 100644
--- a/ext/http/00_serve.js
+++ b/ext/http/00_serve.js
@@ -44,8 +44,8 @@ const {
   PromisePrototypeThen,
   Symbol,
   TypeError,
+  TypedArrayPrototypeGetSymbolToStringTag,
   Uint8Array,
-  Uint8ArrayPrototype,
 } = primordials;
 
 const {
@@ -397,7 +397,7 @@ function fastSyncResponseOrStream(req, respBody, status, innerRequest) {
   const stream = respBody.streamOrStatic;
   const body = stream.body;
 
-  if (ObjectPrototypeIsPrototypeOf(Uint8ArrayPrototype, body)) {
+  if (TypedArrayPrototypeGetSymbolToStringTag(body) === "Uint8Array") {
     innerRequest?.close();
     op_http_set_response_body_bytes(req, body, status);
     return;
diff --git a/ext/http/01_http.js b/ext/http/01_http.js
index c873889b7..64951ee0f 100644
--- a/ext/http/01_http.js
+++ b/ext/http/01_http.js
@@ -60,8 +60,8 @@ const {
   Symbol,
   SymbolAsyncIterator,
   TypeError,
+  TypedArrayPrototypeGetSymbolToStringTag,
   Uint8Array,
-  Uint8ArrayPrototype,
 } = primordials;
 const {
   op_http_accept,
@@ -272,7 +272,7 @@ function createRespondWith(
       }
       const isStreamingResponseBody = !(
         typeof respBody === "string" ||
-        ObjectPrototypeIsPrototypeOf(Uint8ArrayPrototype, respBody)
+        TypedArrayPrototypeGetSymbolToStringTag(respBody) === "Uint8Array"
       );
       try {
         await op_http_write_headers(
@@ -339,7 +339,9 @@ function createRespondWith(
           while (true) {
             const { value, done } = await reader.read();
             if (done) break;
-            if (!ObjectPrototypeIsPrototypeOf(Uint8ArrayPrototype, value)) {
+            if (
+              TypedArrayPrototypeGetSymbolToStringTag(value) !== "Uint8Array"
+            ) {
               await reader.cancel(new TypeError("Value not a Uint8Array"));
               break;
             }
-- 
cgit v1.2.3