endojs · leotm · Feb 27, 2025 · leotm · Feb 27, 2025 · naugtur
diff --git a/packages/ses/docs/lockdown.md b/packages/ses/docs/lockdown.md
@@ -30,6 +30,7 @@ Each option is explained in its own section below.
 | `reporting`                      | `'platform'`     | `'console'` `'none'`                   | where to report warnings ([details](#reporting-options))
 | `unhandledRejectionTrapping`     | `'report'`       | `'none'`                               | handling of finalized unhandled rejections ([details](#unhandledrejectiontrapping-options)) |
 | `evalTaming`                     | `'safeEval'`     | `'unsafeEval'` `'noEval'`              | `eval` and `Function` of the start compartment ([details](#evaltaming-options)) |
+| `hostEvaluators`                 | `'all'`          | `'none'` `'no-direct'`                 | handling of sloppy and indirect eval ([details](#hostevaluators-options)) |
 | `stackFiltering`                 | `'concise'`      | `'verbose'`                            | deep stacks signal/noise   ([details](#stackfiltering-options)) |
 | `overrideTaming`                 | `'moderate'`     | `'min'` or `'severe'`                  | override mistake antidote  ([details](#overridetaming-options)) |
 | `overrideDebug`                  | `[]`             | array of property names                | detect override mistake    ([details](#overridedebug-options)) |
@@ -51,6 +52,7 @@ for threading environment variables into a JavaScript program.
 | `reporting`                      | `LOCKDOWN_REPORTING`                         |                       |
 | `unhandledRejectionTrapping`     | `LOCKDOWN_UNHANDLED_REJECTION_TRAPPING`      |                       |
 | `evalTaming`                     | `LOCKDOWN_EVAL_TAMING`                       |                       |
+| `hostEvaluators`                 | `LOCKDOWN_HOST_EVALUATORS`                   |                       |
 | `stackFiltering`                 | `LOCKDOWN_STACK_FILTERING`                   |                       |
 | `overrideTaming`                 | `LOCKDOWN_OVERRIDE_TAMING`                   |                       |
 | `overrideDebug`                  | `LOCKDOWN_OVERRIDE_DEBUG`                    | comma separated names |
@@ -617,6 +619,10 @@ LOCKDOWN_EVAL_TAMING=noEval
 LOCKDOWN_EVAL_TAMING=unsafeEval
 ```
 
+## `hostEvaluators` Options
+
+TODO: Introduced for Hermes.
+
 ## `stackFiltering` Options
 
 **Background**: The error stacks shown by many JavaScript engines are

diff --git a/packages/ses/error-codes/SES_DIRECT_EVAL.md b/packages/ses/error-codes/SES_DIRECT_EVAL.md
@@ -3,7 +3,19 @@
 The SES Hardened JavaScript shim captures the `eval` function when it is
 initialized.
 The `eval` function it finds must be the original `eval` because SES uses its
-dynamic scope to implement its isolated eval. 
+dynamic scope to implement its isolated eval.
 
 If you see this error, something running before `ses` initialized, most likely
 another instance of `ses`, has replaced `eval` with something else.
+
+If you're running under an environment that doesn't support direct eval (Hermes), try setting `hostEvaluators` to `no-direct`.
+
+If you're running under CSP, try setting `hostEvaluators` to `none`.
+
+# _hostEvaluators_ was set to _none_, but evaluators are not blocked (`SES_DIRECT_EVAL`)
+
+It seems your CSP allows execution of `eval()`, try setting `hostEvaluators` to `all` or `no-direct`.
+
+# `"hostEvaluators" was set to "no-direct", but direct eval is functional
+
+If evaluators are working, if seems you've upgraded host to a version that now supports them (future Hermes).
diff --git a/packages/ses/src/global-object.js b/packages/ses/src/global-object.js
@@ -19,7 +19,7 @@ import { constantProperties, universalPropertyNames } from './permits.js';
  * guest programs, we cannot emulate the proper behavior.
  * With this shim, assigning Symbol.unscopables causes the given lexical
  * names to fall through to the terminal scope proxy.
- * But, we can install this setter to prevent a program from proceding on
+ * But, we can install this setter to prevent a program from proceeding on
  * this false assumption.
  *
  * @param {object} globalObject

diff --git a/packages/ses/src/lockdown.js b/packages/ses/src/lockdown.js
@@ -100,10 +100,13 @@ const safeHarden = makeHardener();
 // only ever need to be called once and that simplifying lockdown will improve
 // the quality of audits.
 
-const assertDirectEvalAvailable = () => {
-  let allowed = false;
+const assertDirectEval = () => {
+  let directEvalAllowed = false;
+  let functionAllowed = false;
+  let evalAllowed = true;
   try {
-    allowed = FERAL_FUNCTION(
+    functionAllowed = FERAL_FUNCTION('return true')();
+    directEvalAllowed = FERAL_FUNCTION(
       'eval',
       'SES_changed',
       `\
@@ -115,21 +118,17 @@ const assertDirectEvalAvailable = () => {
     // and indirect, which generally creates a new global.
     // We are going to throw an exception for failing to initialize SES, but
     // good neighbors clean up.
-    if (!allowed) {
+    if (!directEvalAllowed) {
       delete globalThis.SES_changed;
     }
   } catch (_error) {
     // We reach here if eval is outright forbidden by a Content Security Policy.
     // We allow this for SES usage that delegates the responsibility to isolate
     // guest code to production code generation.
-    allowed = true;
-  }
-  if (!allowed) {
-    // See https://github.com/endojs/endo/blob/master/packages/ses/error-codes/SES_DIRECT_EVAL.md
-    throw TypeError(
-      `SES cannot initialize unless 'eval' is the original intrinsic 'eval', suitable for direct-eval (dynamically scoped eval) (SES_DIRECT_EVAL)`,
-    );
+    evalAllowed = false;
   }
+
+  return { directEvalAllowed, functionAllowed, evalAllowed };
 };
 
 /**
@@ -152,11 +151,11 @@ export const repairIntrinsics = (options = {}) => {
   // The `stackFiltering` is not a safety issue. Rather it is a tradeoff
   // between relevance and completeness of the stack frames shown on the
   // console. Setting`stackFiltering` to `'verbose'` applies no filters, providing
-  // the raw stack frames that can be quite versbose. Setting
+  // the raw stack frames that can be quite verbose. Setting
   // `stackFrameFiltering` to`'concise'` limits the display to the stack frame
   // information most likely to be relevant, eliminating distracting frames
   // such as those from the infrastructure. However, the bug you're trying to
-  // track down might be in the infrastrure, in which case the `'verbose'` setting
+  // track down might be in the infrastructure, in which case the `'verbose'` setting
   // is useful. See
   // [`stackFiltering` options](https://github.com/Agoric/SES-shim/blob/master/packages/ses/docs/lockdown.md#stackfiltering-options)
   // for an explanation.
@@ -189,6 +188,10 @@ export const repairIntrinsics = (options = {}) => {
       /** @param {string} debugName */
       debugName => debugName !== '',
     ),
+    hostEvaluators = /** @type { 'all' | 'none' | 'no-direct'  } */ (
+      // TODO: Breaking change, ensure backwards compatibility under CSP.
+      getenv('LOCKDOWN_HOST_EVALUATORS', 'all')
+    ),
     legacyRegeneratorRuntimeTaming = getenv(
       'LOCKDOWN_LEGACY_REGENERATOR_RUNTIME_TAMING',
       'safe',
@@ -208,6 +211,15 @@ export const repairIntrinsics = (options = {}) => {
     evalTaming === 'noEval' ||
     Fail`lockdown(): non supported option evalTaming: ${q(evalTaming)}`;
 
+  hostEvaluators === 'all' ||
+    hostEvaluators === 'none' ||
+    hostEvaluators === 'no-direct' ||
+    Fail`lockdown(): non supported option hostEvaluators: ${q(hostEvaluators)}`;
+
+  evalTaming === 'safeEval' &&
+    hostEvaluators === 'no-direct' &&
+    Fail`lockdown(): option evalTaming: ${q(evalTaming)} is incompatible with hostEvaluators: ${q(hostEvaluators)}`;
+
   // Assert that only supported options were passed.
   // Use Reflect.ownKeys to reject symbol-named properties as well.
   const extraOptionsNames = ownKeys(extraOptions);
@@ -218,13 +230,11 @@ export const repairIntrinsics = (options = {}) => {
   const { warn } = reporter;
 
   if (dateTaming !== undefined) {
-    // eslint-disable-next-line no-console
     warn(
       `SES The 'dateTaming' option is deprecated and does nothing. In the future specifying it will be an error.`,
     );
   }
   if (mathTaming !== undefined) {
-    // eslint-disable-next-line no-console
     warn(
       `SES The 'mathTaming' option is deprecated and does nothing. In the future specifying it will be an error.`,
     );
@@ -242,7 +252,32 @@ export const repairIntrinsics = (options = {}) => {
   // trace retained:
   priorRepairIntrinsics.stack;
 
-  assertDirectEvalAvailable();
+  const { directEvalAllowed, functionAllowed, evalAllowed } =
+    assertDirectEval();
+
+  // A Content Security Policy containing either a default-src or a script-src directive.
+  const csp = !evalAllowed && !functionAllowed;
+
+  // Assert a regular environment where eval() and the Function() constructor are allowed to execute and direct eval() is not sloppy.
+  if (hostEvaluators === 'all' && !directEvalAllowed && !csp) {
+    // See https://github.com/endojs/endo/blob/master/packages/ses/error-codes/SES_DIRECT_EVAL.md
+    throw TypeError(
+      "SES cannot initialize unless 'eval' is the original intrinsic 'eval', suitable for direct-eval (dynamically scoped eval) (SES_DIRECT_EVAL)",
+    );
+  }
+
+  // Assert we in an environment with a CSP that does not allow APIs to execute.
+  hostEvaluators === 'none' &&
+    assert(
+      !directEvalAllowed && csp,
+      "hostEvaluators' was set to 'none', but the CSP is allowing APIs to execute (SES_DIRECT_EVAL)",
+    );
+
+  hostEvaluators === 'no-direct' &&
+    assert(
+      !directEvalAllowed && !csp,
+      `"hostEvaluators" was set to "no-direct", but ${directEvalAllowed === true ? 'direct eval is functional' : 'evaluators are not allowed to execute'} (SES_DIRECT_EVAL)`,
+    );
 
   /**
    * Because of packagers and bundlers, etc, multiple invocations of lockdown
@@ -408,6 +443,13 @@ export const repairIntrinsics = (options = {}) => {
     markVirtualizedNativeFunction,
   });
 
+  // TODO: disable compartmentInstance.evaluate instead?
+  if (hostEvaluators === 'no-direct') {
+    globalThis.testCompartmentHooks = undefined;
+    // @ts-ignore Compartment does exist on globalThis
+    delete globalThis.Compartment;
 // Creating a compartment should be possible in no-eval environments 
 // It also allows more global constants to be captured by the optimizer 
 // Creating a compartment should be possible in no-eval environments 
 // It also allows more global constants to be captured by the optimizer 
+  }
+
   if (evalTaming === 'noEval') {
     setGlobalObjectEvaluators(
       globalThis,

diff --git a/packages/ses/src/make-eval-function.js b/packages/ses/src/make-eval-function.js
@@ -1,11 +1,13 @@
 /**
  * makeEvalFunction()
  * A safe version of the native eval function which relies on
- * the safety of safeEvaluate for confinement.
+ * the safety of safeEvaluate for confinement, unless noEval
+ * is specified (then a TypeError is thrown).
  *
- * @param {Function} safeEvaluate
+ * @param {Function} evaluator
+ * @param legacyHermesTaming
  */
-export const makeEvalFunction = safeEvaluate => {
+export const makeEvalFunction = evaluator => {
   // We use the concise method syntax to create an eval without a
   // [[Construct]] behavior (such that the invocation "new eval()" throws
   // TypeError: eval is not a constructor"), but which still accepts a
@@ -19,7 +21,7 @@
         // rule. Track.
         return source;
       }
-      return safeEvaluate(source);
+      return evaluator(source);
     },
   }.eval;
 

diff --git a/packages/ses/src/make-function-constructor.js b/packages/ses/src/make-function-constructor.js
@@ -12,9 +12,10 @@ const { Fail } = assert;
 /*
  * makeFunctionConstructor()
  * A safe version of the native Function which relies on
- * the safety of safeEvaluate for confinement.
+ * the safety of safeEvaluate for confinement, unless noEval
+ * is specified (then a TypeError is thrown).
  */
-export const makeFunctionConstructor = safeEvaluate => {
+export const makeFunctionConstructor = evaluator => {
   // Define an unused parameter to ensure Function.length === 1
   const newFunction = function Function(_body) {
     // Sanitize all parameters at the entry point.
@@ -54,7 +55,7 @@ export const makeFunctionConstructor = safeEvaluate => {
     // TODO: since we create an anonymous function, the 'this' value
     // isn't bound to the global object as per specs, but set as undefined.
     const src = `(function anonymous(${parameters}\n) {\n${bodyText}\n})`;
-    return safeEvaluate(src);
+    return evaluator(src);
   };
 
   defineProperties(newFunction, {

diff --git a/packages/ses/types.d.ts b/packages/ses/types.d.ts
@@ -40,6 +40,7 @@ export interface RepairOptions {
   overrideTaming?: 'moderate' | 'min' | 'severe';
   overrideDebug?: Array<string>;
   domainTaming?: 'safe' | 'unsafe';
+  hostEvaluators?: 'all' | 'none' | 'unsafe';
   /**
    * safe (default): do nothing.
    *