crypto: harden WebCrypto against prototype pollution

Avoid re-wrapping native WebCrypto promises with PromiseResolve(),
since resolving a promise can read its user-mutated constructor.

Add a helper for chaining internal WebCrypto job promises without
consulting Promise species state, and use it for intermediate job
results.

Also align JWK wrapping and unwrapping with the spec's fresh-global
JSON handling by detaching internal JWK values from user prototypes.
Use the internal UTF-8 encoder/decoder bindings instead of shared
TextEncoder/TextDecoder prototype methods.

Expand the WebCrypto prototype pollution regression test to cover
SubtleCrypto methods, export formats, zero-length KDF results, JWK
toJSON/kty pollution, and encoder/decoder prototype poisoning.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Author: panva

lib/internal/crypto/diffiehellman.js

@@ -5,7 +5,6 @@ const {
   FunctionPrototypeCall,
   MathCeil,
   ObjectDefineProperty,
-  PromisePrototypeThen,
   TypedArrayPrototypeGetBuffer,
   Uint8Array,
 } = primordials;
@@ -59,6 +58,7 @@ const {
 const {
   getArrayBufferOrView,
   jobPromise,
+  jobPromiseThen,
   toBuf,
   kHandle,
 } = require('internal/crypto/util');
@@ -368,7 +368,7 @@ function ecdhDeriveBits(algorithm, baseKey, length) {
   if (length === null)
     return bits;
 
-  return PromisePrototypeThen(bits, (bits) => {
+  return jobPromiseThen(bits, (bits) => {
     // If the length is not a multiple of 8 the nearest ceiled
     // multiple of 8 is sliced.
     const sliceLength = MathCeil(length / 8);

lib/internal/crypto/util.js

@@ -14,7 +14,9 @@ const {
   ObjectEntries,
   ObjectKeys,
   ObjectPrototypeHasOwnProperty,
+  PromisePrototypeThen,
   PromiseReject,
+  PromiseWithResolvers,
   SafeMap,
   SafeSet,
   StringPrototypeToUpperCase,
@@ -90,6 +92,7 @@ const {
   isDataView,
   isArrayBufferView,
   isAnyArrayBuffer,
+  isPromise,
 } = require('internal/util/types');
 
 const kHandle = Symbol('kHandle');
@@ -677,6 +680,77 @@ function jobPromise(getJob) {
   }
 }
 
+// Temporarily shadow inherited then accessors on WebCrypto result objects.
+// Promise resolution reads "then" synchronously for thenable assimilation.
+// Returning an own undefined data property keeps that lookup from reaching
+// user-mutated prototypes.
+function prepareWebCryptoResult(value) {
+  if ((value === null || typeof value !== 'object') &&
+      typeof value !== 'function') {
+    return false;
+  }
+  if (isPromise(value) || ObjectPrototypeHasOwnProperty(value, 'then'))
+    return false;
+  ObjectDefineProperty(value, 'then', {
+    __proto__: null,
+    configurable: true,
+    value: undefined,
+  });
+  return true;
+}
+
+// Remove the temporary then property installed by prepareWebCryptoResult().
+function cleanupWebCryptoResult(value) {
+  delete value.then;
+}
+
+// Resolve a WebCrypto promise while inherited then accessors are shadowed.
+function resolveWebCryptoResult(resolve, value) {
+  const shouldCleanupResult = prepareWebCryptoResult(value);
+  try {
+    resolve(value);
+  } finally {
+    if (shouldCleanupResult)
+      cleanupWebCryptoResult(value);
+  }
+}
+
+// Run a WebCrypto promise reaction and settle the outer promise.
+function settleJobPromise(handler, resolve, reject, value, isRejected) {
+  try {
+    if (typeof handler === 'function') {
+      resolveWebCryptoResult(resolve, handler(value));
+    } else if (isRejected) {
+      reject(value);
+    } else {
+      resolveWebCryptoResult(resolve, value);
+    }
+  } catch (err) {
+    reject(err);
+  }
+}
+
+// Promise.prototype.then gets promise.constructor to determine the result
+// promise's species. These promises are internal WebCrypto intermediates, so
+// make that lookup stay on the promise itself instead of user-mutated state.
+function jobPromiseThen(promise, onFulfilled, onRejected) {
+  const {
+    promise: resultPromise,
+    resolve,
+    reject,
+  } = PromiseWithResolvers();
+  ObjectDefineProperty(promise, 'constructor', {
+    __proto__: null,
+    configurable: true,
+    value: undefined,
+  });
+  PromisePrototypeThen(
+    promise,
+    (value) => settleJobPromise(onFulfilled, resolve, reject, value, false),
+    (value) => settleJobPromise(onRejected, resolve, reject, value, true));
+  return resultPromise;
+}
+
 // In WebCrypto, the publicExponent option in RSA is represented as a
 // WebIDL "BigInteger"... that is, a Uint8Array that allows an arbitrary
 // number of leading zero bits. Our conventional APIs for reading
@@ -899,6 +973,9 @@ module.exports = {
   validateByteSource,
   validateKeyOps,
   jobPromise,
+  jobPromiseThen,
+  cleanupWebCryptoResult,
+  prepareWebCryptoResult,
   validateMaxBufferLength,
   bigIntArrayToUnsignedBigInt,
   bigIntArrayToUnsignedInt,