Function Challenge 11

[00:00:00]
>> [MUSIC]

[00:00:03]
>> Douglas Crockford: Here's the next problem. This one's going to be a little bit different in that we're going to do it altogether, okay? So we're gonna make an array wrapper object with methods get, store and append, such that an attacker cannot get access to the private array. So the idea is that we've got an array and we want to protect it behind a good API.

[00:00:27]
And we want to be able to hand it to a third party, even a malicious third party that might want to get directly to the array, which we want to prevent. So this is how we would do it, we've got our vector constructor, which will make a vector instance.

[00:00:41]
And it will have an append method, which can be used to append things onto that secret array. It will have a store method, which will allow you to store things into that array. And it will have a get method, which will allow you to retrieve things from that array, okay.

[00:00:57]
So think about how you might implement something like that. I'm going to guess based on what we've been doing, it might look something like this. So here's a function called vector. We have an array variable containing the array, that's the secret that we want to protect. And it's hidden in the function scope, so we're already off to a good start.

[00:01:19]
And we're gonna return an object containing three functions. We get function, store function, and append function. The get function will take i and return arrays of i. The store function will take i and v and store into i the v value. And append will take a value and push that value onto the array.

[00:01:43]
So the guarantee that we want to make is that we can give this to a third party. The third party can access the array indirectly using these methods, but the third party cannot get direct access to the array itself. Because we want to limit access to the array, to only the things that we can do and not to any of the other things that you could do to an array.

[00:02:07]
Now it turns out, there is a vulnerability in JavaScript which invalidates that guarantee. That it is possible for a determined hacker to get direct access to the array. Now this problem has been shown to some of the top JavaScript experts in the world, and they could not see the attack.

[00:02:30]
The attack is not something that's due to bugs in implementations, so we're only concerned with standard behavior of the language. There are some things about the language which we know are problematic. For example you can go to array.prototype and replace its push method with your own method or, we'll assume that those things have been fixed.

[00:02:57]
So we're just concerned with the language as it works, as we've discussed. So your job will be to figure out this code and suggest how the code could be attacked, and how an attacker could get access to the array. And then how we would repair it so that the attacker couldn't do that.

[00:03:20]
And my job will be to honestly answer all of your questions about how this code works, and there you are, okay?