crypto: validate `this` in all webcrypto methods and getters (!42815) · Merge requests · Rodrigo Test / Test Group-nodejs / node · GitLab

Do not update/delete: Banner broadcast message test data

Do not update/delete: Notification broadcast message test data

Rodrigo Muino Tomonari requested to merge github/fork/panva/webcrypto-illegal-invocations into master Apr 21, 2022

This PR aligns this validation in webcrypto with other implementations.

forbids calling the constructor on Crypto and SubtleCrypto (that become accessible with --experimental-global-webcrypto).
validates getRandomValues() this to be the actual instance and not an instance of
validates this to be the actual instance for all other methods and getters

See with the following in other runtimes.

const notCrypto = Reflect.construct(function() {}, [], Crypto);
const notSubtle = Reflect.construct(function() {}, [], SubtleCrypto);

notCrypto.subtle
notCrypto.randomUUID()
notCrypto.getRandomValues()
notSubtle.digest()

Chromium: TypeError: Illegal invocation
Firefox: TypeError: '...' called on an object that does not implement interface ....
Safari: TypeError: Can only call Crypto.getRandomValues on instances of ...
Deno: TypeError: Illegal invocation
Node.js: Given correct arguments were provided, no error.