In NeilFraser/JS-Interpreter#207, @NeilFraser notes that many of the `Array.prototype` methods have potential long-running or infinite loops, e.g. `Array.prototype.lastIndexOf.call({0: true, length: 'Infinity'}, true);` takes forever to complete.
CodeCity's `interpreter.js` uses different implementations of most of these methods, but is vulnerable to the same issue.
The interpreter should be checked carefully for loops; every loop could potentially hang the interpreter if a malicious user found a way to cause it to run a large number of times. Every loop whose iteration count is subject to user control should be modified to check for thread timeouts. This includes almost all of the `Array.prototype` methods as well as things like `Function.prototype.apply` and even `Interpreter.prototype.pseudoToNative`. (Loops in places like `Object.prototype.isPrototypeOf` and `Interpreter.PropertyIterator.prototype.next` are probably OK, because in those cases the number of iterations is bounded by the number of allocated objects in the database or the number of keys in an object.)
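The following is an added illustration of the timeout check described above, not code from CodeCity's `interpreter.js` or from JS-Interpreter. It implements a `lastIndexOf` over an arbitrary array-like object that consults a wall-clock deadline every few thousand iterations; the names `safeLastIndexOf`, `runWithBudget` and `ThreadTimeout` are assumptions, and `Date.now()` stands in for whatever thread-timeout mechanism the interpreter actually uses. Note that clamping the length (as ES `ToLength` does) is not enough on its own: `'Infinity'` clamps to 2^53 - 1, which is still far too many iterations to walk, so the loop itself must be able to bail out.

```javascript
'use strict';

// Added example, not CodeCity's own code: a deadline-checked lastIndexOf
// over an arbitrary array-like object, so an attacker-supplied length such
// as 'Infinity' cannot hang the caller.

class ThreadTimeout extends Error {}

// ToLength as in ES2015: NaN -> 0, clamp to [0, 2^53 - 1].  'Infinity'
// converts to Infinity and clamps to 2^53 - 1, which is still unwalkable,
// so clamping alone does not fix the hang.
function toLength(v) {
  const n = Number(v);
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(Math.floor(n), Number.MAX_SAFE_INTEGER);
}

// Search backwards through `obj` for `target` (strict equality).
// `deadlineMs` is an absolute Date.now() timestamp; the loop checks it
// every `checkEvery` iterations to keep the per-iteration overhead small.
function safeLastIndexOf(obj, target, deadlineMs, checkEvery = 4096) {
  const len = toLength(obj.length);
  for (let i = len - 1; i >= 0; i--) {
    const done = len - 1 - i; // iterations completed so far
    if (done % checkEvery === 0 && Date.now() >= deadlineMs) {
      throw new ThreadTimeout(
        'lastIndexOf exceeded its time budget after ' + done + ' iterations');
    }
    if (i in obj && obj[i] === target) return i;
  }
  return -1;
}

// Run `fn(deadline)` under a time budget and report whether it finished
// or was cut off by a ThreadTimeout (other errors propagate unchanged).
function runWithBudget(fn, budgetMs) {
  const deadline = Date.now() + budgetMs;
  try {
    return { ok: true, value: fn(deadline) };
  } catch (e) {
    if (e instanceof ThreadTimeout) return { ok: false, error: e.message };
    throw e;
  }
}

// Normal inputs complete well within the budget; the hostile input from
// the issue is cut off instead of spinning forever.
const normal = runWithBudget(d => safeLastIndexOf([1, 2, 3, 2], 2, d), 1000);
const hostile = runWithBudget(
  d => safeLastIndexOf({0: true, length: 'Infinity'}, true, d), 50);
console.log(normal, hostile);
```

The budget is checked only every `checkEvery` iterations so that the timeout test does not dominate the cost of the loop; the same pattern applies to any other loop in the interpreter whose trip count the user controls, such as the argument-spreading loop in `Function.prototype.apply`.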