[27] PerformanceEventTiming UA-shadow-DOM leak
Severity: Low | Component: WebCore Performance API | 91afa18
This diff fixes a UA shadow DOM encapsulation leak through PerformanceEventTiming.target and was rated Low. When no author event listener was registered, the entry stored the node inside the <input>'s UA shadow tree without retargeting it, so page script could obtain a reference to an internal implementation node. This is an information disclosure; there is no memory primitive.
Source/WebCore/page/LocalDOMWindow.cpp
- entry.target = event.target();
+ if (RefPtr targetNode = dynamicDowncast<Node>(event.target()))
+ entry.target = targetNode->document().retargetToScope(*targetNode).get();
+ else
+ entry.target = event.target();
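Review bot: retargeting against `targetNode->document()` collapses every shadow boundary up to the document scope, not only the UA shadow tree of <input>, so a target inside an author-created open shadow root will now be reported as its host even to script running in that same shadow tree; confirm that the document (rather than the observer's scope) is the retargeting reference the Event Timing spec intends, and add a test that places an author shadow root next to the <input> case. The non-Node fallback `entry.target = event.target();` is correct for Window targets, but a one-line comment stating why non-Node targets need no retargeting would help the next reader.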
Pattern: at the point where a node reference is written into a Performance API entry, the shadow DOM retargeting step required by the spec was missing.
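To make the missing step concrete, the following is an added example (not WebKit code and not part of this digest) that models the DOM spec's "retarget A against B" algorithm over a minimal constructed tree, then records an event-timing entry the vulnerable way (raw target) and the fixed way (target retargeted against the document). The tree shape, node names, and the `entryLeaksShadowInternals` audit check are assumptions made for illustration; the fixture includes both a closed UA-style shadow tree under <input> and an author (open) shadow tree, so the generalization beyond the <input> case is visible.

```javascript
// Added example: minimal model of DOM "retarget A against B", used to show
// what a Performance API entry recorder must do before storing a node.
// The tree, names and helpers here are constructed for illustration only.

class TreeNode {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.children = [];
    this.shadowRoot = null;
    if (parent) parent.children.push(this);
  }
  attachShadow(mode) {
    this.shadowRoot = new ShadowRootNode(this, mode);
    return this.shadowRoot;
  }
  // Root of the node's own tree (a shadow root counts as a root).
  get root() {
    let n = this;
    while (n.parent) n = n.parent;
    return n;
  }
}

class ShadowRootNode extends TreeNode {
  constructor(host, mode) {
    super(`#shadow-root(${mode})`);
    this.host = host;
    this.mode = mode; // "open" for author trees; UA trees behave as closed
  }
}

const isShadowRoot = (n) => n instanceof ShadowRootNode;

// Walk up from b, hopping from each shadow root to its host; a is a
// shadow-including inclusive ancestor of b if the walk reaches a.
function isShadowIncludingInclusiveAncestor(a, b) {
  for (let n = b; n; n = isShadowRoot(n) ? n.host : n.parent) {
    if (n === a) return true;
  }
  return false;
}

// DOM spec "retarget A against B":
//   1. If A's root is not a shadow root, or A's root is a shadow-including
//      inclusive ancestor of B, return A.
//   2. Otherwise set A to A's root's host and repeat.
function retarget(a, b) {
  for (;;) {
    const root = a.root;
    if (!isShadowRoot(root) || isShadowIncludingInclusiveAncestor(root, b)) return a;
    a = root.host;
  }
}

// Vulnerable recorder: stores the raw target, which may be a node inside a
// shadow tree the observing script must not be able to reach.
function recordEntryVulnerable(event) {
  return { name: event.type, target: event.target };
}

// Fixed recorder: retarget the node against the document before storing it
// (the same idea as the patched LocalDOMWindow branch above).
function recordEntryFixed(event, documentNode) {
  return { name: event.type, target: retarget(event.target, documentNode) };
}

// Audit check (hypothetical helper): does the stored target sit in a shadow
// tree that the observer's scope cannot reach?
function entryLeaksShadowInternals(entry, observerScope) {
  const root = entry.target.root;
  return isShadowRoot(root) && !isShadowIncludingInclusiveAncestor(root, observerScope);
}

// Constructed fixture: <body><input> with a closed UA-style shadow tree, and a
// custom element with an author (open) shadow tree.
function buildFixture() {
  const document = new TreeNode("#document");
  const body = new TreeNode("body", document);
  const input = new TreeNode("input", body);
  const uaRoot = input.attachShadow("closed");
  const innerEditor = new TreeNode("div.inner-editor", uaRoot);
  const widget = new TreeNode("my-widget", body);
  const authorRoot = widget.attachShadow("open");
  const button = new TreeNode("button", authorRoot);
  return { document, body, input, uaRoot, innerEditor, widget, authorRoot, button };
}

const fx = buildFixture();
const clickInsideInput = { type: "click", target: fx.innerEditor };   // no author listener fired
const clickInsideWidget = { type: "click", target: fx.button };

const leaked = recordEntryVulnerable(clickInsideInput);
const safe = recordEntryFixed(clickInsideInput, fx.document);
console.log("vulnerable target:", leaked.target.name, "leaks:", entryLeaksShadowInternals(leaked, fx.document));
console.log("fixed target:", safe.target.name, "leaks:", entryLeaksShadowInternals(safe, fx.document));
```

In a real browser the equivalent check is a `PerformanceObserver` observing `"event"` entries while an <input> is clicked with no author listener attached: the stored `entry.target` should compare equal to the <input> element itself, never to anything that is not reachable from the page's own tree. Note that retargeting against the document also maps a node inside an author shadow root to its host, which is why the fixture carries the `my-widget` case alongside the <input> case.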
🔒How a Performance API entry can quietly bypass the DOM's normal shadow-boundary sanitization, and what an attacker gains when it does.
Audit directions
🔒Multiple reusable audit patterns for finding other Performance/observer entry points that capture node references without applying the spec's retargeting step.