keychain.js | SEGFAULT when --include-acls is combined with other args,

[darmado]

Description
SEGFAULT when --include-acls is combined with other args,

script name: keychain.js

Steps To Reproduce
Steps to reproduce the unexpected behavior:

1. sh osascript -l JavaScript keychain.js --list-all-generic --debug

• list_all_key_of_type function executes and returns all 123 generic keys

2. sh osascript -l JavaScript keychain.js --list-all-generic --include-acls --debug

Expected behavior
When the user passes the --include-acls ar as input. the query_acls function should execute, and return the ACL output. (not a TCC permission issue )
ACLs are returned and printed by the list_all_key_of_type function

FUNCTION: CODE:

Screenshots

[darmado]

RCA

• I spent 5 hours on this bad boy. :)
• The bug was very subtle. I didn't realize we cannot get Obj-C objects from JS arrays with JS methods.
• hence the default error during the first query wherein the quer function attempted to access the obj-c objects from the JS array.

Buggy code block

let item_o_c = $.CFMakeCollectable(items[0]).js;
console.log("[+] Successfully searched, found " + item_o_c.length + " items")
for(let i = 0; i < item_o_c.length; i++){
    let item = item_o_c[i];
    // ... processing ...
}

let item_o_c = $.CFMakeCollectable(items[0]);
console.log("[+] Successfully searched, found " + item_o_c.count() + " items")
for(let i = 0; i < item_o_c.count(); i++){
    let item = item_o_c.objectAtIndex(i);
    // ... processing ...
}