Merge pull request #330 from eleumasc/fix-320-322

Add request URL arguments to network taint operations and target origin argument of window.postMessage taint operations (fixes #320 and #322)

Author: leeN

README.md

@@ -178,4 +178,4 @@ Additionally, if you get a paper accepted using project Foxhound, we are happy t
 
 We want to thank everybody who contributed to the development of Foxhound!
 
-In no particular order: [tmbrbr](https://github.com/tmbrbr), [leeN](https://github.com/leeN), [saelo](https://github.com/saelo), [soumboussaha](https://github.com/soumboussaha) [LukasHock](https://github.com/LukasHock), [0drai](https://github.com/0drai), [alexbara2000](https://github.com/alexbara2000), [moorts](https://github.com/moorts), [unqrf](https://github.com/unqrf), ..
+In no particular order: [tmbrbr](https://github.com/tmbrbr), [leeN](https://github.com/leeN), [saelo](https://github.com/saelo), [soumboussaha](https://github.com/soumboussaha) [LukasHock](https://github.com/LukasHock), [0drai](https://github.com/0drai), [alexbara2000](https://github.com/alexbara2000), [moorts](https://github.com/moorts), [unqrf](https://github.com/unqrf), [eleumasc](https://github.com/eleumasc), ...

dom/base/BodyConsumer.cpp

@@ -280,7 +280,7 @@ NS_IMPL_ISUPPORTS(ConsumeBodyDoneObserver, nsIStreamLoaderObserver)
     const nsAString& aBodyLocalPath, const nsACString& aBodyMimeType,
     const nsACString& aMixedCaseMimeType,
     MutableBlobStorage::MutableBlobStorageType aBlobStorageType,
-    ErrorResult& aRv) {
+    const nsACString& aInitialURL, ErrorResult& aRv) {
   MOZ_ASSERT(aBodyStream);
   MOZ_ASSERT(aMainThreadEventTarget);
 
@@ -292,7 +292,7 @@ NS_IMPL_ISUPPORTS(ConsumeBodyDoneObserver, nsIStreamLoaderObserver)
   RefPtr<BodyConsumer> consumer =
       new BodyConsumer(aMainThreadEventTarget, aGlobal, aBodyStream, promise,
                        aType, aBodyBlobURISpec, aBodyLocalPath, aBodyMimeType,
-                       aMixedCaseMimeType, aBlobStorageType);
+                       aMixedCaseMimeType, aBlobStorageType, aInitialURL);
 
   RefPtr<ThreadSafeWorkerRef> workerRef;
 
@@ -350,7 +350,8 @@ BodyConsumer::BodyConsumer(
     Promise* aPromise, ConsumeType aType, const nsACString& aBodyBlobURISpec,
     const nsAString& aBodyLocalPath, const nsACString& aBodyMimeType,
     const nsACString& aMixedCaseMimeType,
-    MutableBlobStorage::MutableBlobStorageType aBlobStorageType)
+    MutableBlobStorage::MutableBlobStorageType aBlobStorageType,
+    const nsACString& aInitialURL)
     : mTargetThread(NS_GetCurrentThread()),
       mMainThreadEventTarget(aMainThreadEventTarget),
       mBodyStream(aBodyStream),
@@ -362,6 +363,7 @@ BodyConsumer::BodyConsumer(
       mGlobal(aGlobalObject),
       mConsumeType(aType),
       mConsumePromise(aPromise),
+      mInitialURL(aInitialURL),
       mBodyConsumed(false),
       mShuttingDown(false) {
   MOZ_ASSERT(aMainThreadEventTarget);
@@ -719,10 +721,12 @@ void BodyConsumer::ContinueConsumeBody(nsresult aStatus, uint32_t aResultLength,
       if (NS_SUCCEEDED(
               BodyUtil::ConsumeText(aResultLength, resultPtr.get(), decoded))) {
         if (mConsumeType == ConsumeType::Text) {
-          MarkTaintSource(decoded, "fetch.text()");
+          MarkTaintSource(decoded, "fetch.text()",
+                          NS_ConvertUTF8toUTF16(mInitialURL));
           localPromise->MaybeResolve(decoded);
         } else {
-          MarkTaintSource(decoded, "fetch.json()");
+          MarkTaintSource(decoded, "fetch.json()",
+                          NS_ConvertUTF8toUTF16(mInitialURL));
           JS::Rooted<JS::Value> json(cx);
           BodyUtil::ConsumeJson(cx, &json, decoded, error);
           if (!error.Failed()) {

dom/base/BodyConsumer.h

@@ -66,7 +66,7 @@ class BodyConsumer final : public AbortFollower,
       const nsAString& aBodyLocalPath, const nsACString& aBodyMimeType,
       const nsACString& aMixedCaseMimeType,
       MutableBlobStorage::MutableBlobStorageType aBlobStorageType,
-      ErrorResult& aRv);
+      const nsACString& aInitialURL, ErrorResult& aRv);
 
   void ReleaseObject();
 
@@ -100,7 +100,8 @@ class BodyConsumer final : public AbortFollower,
                const nsACString& aBodyBlobURISpec,
                const nsAString& aBodyLocalPath, const nsACString& aBodyMimeType,
                const nsACString& aMixedCaseMimeType,
-               MutableBlobStorage::MutableBlobStorageType aBlobStorageType);
+               MutableBlobStorage::MutableBlobStorageType aBlobStorageType,
+               const nsACString& aInitialURL);
 
   ~BodyConsumer();
 
@@ -141,6 +142,8 @@ class BodyConsumer final : public AbortFollower,
   ConsumeType mConsumeType;
   RefPtr<Promise> mConsumePromise;
 
+  nsCString mInitialURL;
+
   // touched only on the target thread.
   bool mBodyConsumed;
 

dom/base/nsGlobalWindowOuter.cpp

@@ -5859,7 +5859,7 @@ void nsGlobalWindowOuter::PostMessageMozOuter(JSContext* aCx,
       scriptLocation, callerAgentClusterId);
 
   // Foxhound: window.postMessage sink
-  ReportTaintSink(aCx, aMessage, "window.postMessage");
+  ReportTaintSink(aCx, aMessage, "window.postMessage", aTargetOrigin);
 
   JS::CloneDataPolicy clonePolicy;
 

dom/fetch/Fetch.cpp

@@ -1465,10 +1465,12 @@ already_AddRefed<Promise> FetchBody<Derived>::ConsumeBody(
   nsCOMPtr<nsIInputStream> bodyStream;
   DerivedClass()->GetBody(getter_AddRefs(bodyStream));
   if (!bodyStream) {
+    nsCString initialURL;
+    DerivedClass()->GetInitialURL(initialURL);
     RefPtr<EmptyBody> emptyBody =
         EmptyBody::Create(DerivedClass()->GetParentObject(),
                           DerivedClass()->GetPrincipalInfo().get(), signalImpl,
-                          mimeType, mixedCaseMimeType, aRv);
+                          mimeType, mixedCaseMimeType, initialURL, aRv);
     if (NS_WARN_IF(aRv.Failed())) {
       return nullptr;
     }
@@ -1500,10 +1502,13 @@ already_AddRefed<Promise> FetchBody<Derived>::ConsumeBody(
     blobStorageType = MutableBlobStorage::eCouldBeInTemporaryFile;
   }
 
+  nsCString initialURL;
+  GetInitialURL(initialURL);
+
   RefPtr<Promise> promise = BodyConsumer::Create(
       global, mMainThreadEventTarget, bodyStream, signalImpl, aType,
       BodyBlobURISpec(), BodyLocalPath(), mimeType, mixedCaseMimeType,
-      blobStorageType, aRv);
+      blobStorageType, initialURL, aRv);
   if (NS_WARN_IF(aRv.Failed())) {
     return nullptr;
   }
@@ -1757,6 +1762,17 @@ template void FetchBody<Request>::RunAbortAlgorithm();
 
 template void FetchBody<Response>::RunAbortAlgorithm();
 
+template <class Derived>
+void FetchBody<Derived>::GetInitialURL(nsACString& aInitialURL) {
+  DerivedClass()->GetInitialURL(aInitialURL);
+}
+
+template void FetchBody<Request>::GetInitialURL(nsACString& aInitialURL);
+
+template void FetchBody<Response>::GetInitialURL(nsACString& aInitialURL);
+
+template void FetchBody<EmptyBody>::GetInitialURL(nsACString& aInitialURL);
+
 NS_IMPL_ADDREF_INHERITED(EmptyBody, FetchBody<EmptyBody>)
 NS_IMPL_RELEASE_INHERITED(EmptyBody, FetchBody<EmptyBody>)
 
@@ -1786,11 +1802,13 @@ EmptyBody::EmptyBody(nsIGlobalObject* aGlobal,
                      AbortSignalImpl* aAbortSignalImpl,
                      const nsACString& aMimeType,
                      const nsACString& aMixedCaseMimeType,
+                     const nsACString& aInitialURL,
                      already_AddRefed<nsIInputStream> aBodyStream)
     : FetchBody<EmptyBody>(aGlobal),
       mAbortSignalImpl(aAbortSignalImpl),
       mMimeType(aMimeType),
       mMixedCaseMimeType(aMixedCaseMimeType),
+      mInitialURL(aInitialURL),
       mBodyStream(std::move(aBodyStream)) {
   if (aPrincipalInfo) {
     mPrincipalInfo = MakeUnique<mozilla::ipc::PrincipalInfo>(*aPrincipalInfo);
@@ -1803,7 +1821,8 @@ EmptyBody::~EmptyBody() = default;
 already_AddRefed<EmptyBody> EmptyBody::Create(
     nsIGlobalObject* aGlobal, mozilla::ipc::PrincipalInfo* aPrincipalInfo,
     AbortSignalImpl* aAbortSignalImpl, const nsACString& aMimeType,
-    const nsACString& aMixedCaseMimeType, ErrorResult& aRv) {
+    const nsACString& aMixedCaseMimeType, const nsACString& aInitialURL,
+    ErrorResult& aRv) {
   nsCOMPtr<nsIInputStream> bodyStream;
   aRv = NS_NewCStringInputStream(getter_AddRefs(bodyStream), ""_ns);
   if (NS_WARN_IF(aRv.Failed())) {
@@ -1812,7 +1831,7 @@ already_AddRefed<EmptyBody> EmptyBody::Create(
 
   RefPtr<EmptyBody> emptyBody =
       new EmptyBody(aGlobal, aPrincipalInfo, aAbortSignalImpl, aMimeType,
-                    aMixedCaseMimeType, bodyStream.forget());
+                    aMixedCaseMimeType, aInitialURL, bodyStream.forget());
   return emptyBody.forget();
 }
 

dom/fetch/Fetch.h

@@ -174,6 +174,7 @@ class FetchBody : public FetchBodyBase, public AbortFollower {
   }
 
   already_AddRefed<ReadableStream> GetBody(JSContext* aCx, ErrorResult& aRv);
+
   void GetMimeType(nsACString& aMimeType, nsACString& aMixedCaseMimeType);
 
   const nsACString& BodyBlobURISpec() const;
@@ -227,6 +228,8 @@ class FetchBody : public FetchBodyBase, public AbortFollower {
                                         BodyConsumer::ConsumeType aType,
                                         ErrorResult& aRv);
 
+  void GetInitialURL(nsACString& aInitialURL);
+
  protected:
   nsCOMPtr<nsIGlobalObject> mOwner;
 
@@ -267,7 +270,8 @@ class EmptyBody final : public FetchBody<EmptyBody> {
   static already_AddRefed<EmptyBody> Create(
       nsIGlobalObject* aGlobal, mozilla::ipc::PrincipalInfo* aPrincipalInfo,
       AbortSignalImpl* aAbortSignalImpl, const nsACString& aMimeType,
-      const nsACString& aMixedCaseMimeType, ErrorResult& aRv);
+      const nsACString& aMixedCaseMimeType, const nsACString& aInitialURL,
+      ErrorResult& aRv);
 
   nsIGlobalObject* GetParentObject() const { return mOwner; }
 
@@ -293,11 +297,15 @@ class EmptyBody final : public FetchBody<EmptyBody> {
 
   const nsAString& BodyLocalPath() const { return EmptyString(); }
 
+  using FetchBody::GetInitialURL;
+
+  void GetInitialURL(nsACString& aInitialURL) { aInitialURL = mInitialURL; }
+
  private:
   EmptyBody(nsIGlobalObject* aGlobal,
             mozilla::ipc::PrincipalInfo* aPrincipalInfo,
             AbortSignalImpl* aAbortSignalImpl, const nsACString& aMimeType,
-            const nsACString& aMixedCaseMimeType,
+            const nsACString& aMixedCaseMimeType, const nsACString& aInitialURL,
             already_AddRefed<nsIInputStream> aBodyStream);
 
   ~EmptyBody();
@@ -306,8 +314,8 @@ class EmptyBody final : public FetchBody<EmptyBody> {
   RefPtr<AbortSignalImpl> mAbortSignalImpl;
   nsCString mMimeType;
   nsCString mMixedCaseMimeType;
+  nsCString mInitialURL;
   nsCOMPtr<nsIInputStream> mBodyStream;
-
 };
 }  // namespace dom
 }  // namespace mozilla

dom/fetch/Request.cpp

@@ -373,6 +373,11 @@ SafeRefPtr<Request> Request::Constructor(
     request->SetMethod(outMethod);
   }
 
+  // Foxhound:
+  nsCString cUrl;
+  request->GetURL(cUrl);
+  nsString url = NS_ConvertUTF8toUTF16(cUrl);
+
   RefPtr<InternalHeaders> requestHeaders = request->Headers();
 
   RefPtr<InternalHeaders> headers;
@@ -387,8 +392,8 @@ SafeRefPtr<Request> Request::Constructor(
     nsTArray<InternalHeaders::Entry> headerEntries;
     headers->GetEntries(headerEntries);
     for(InternalHeaders::Entry entry : headerEntries) {
-      ReportTaintSink(entry.mName, "fetch.header(key)");
-      ReportTaintSink(entry.mValue, "fetch.header(value)");
+      ReportTaintSink(entry.mName, "fetch.header(key)", url);
+      ReportTaintSink(entry.mValue, "fetch.header(value)", url);
     }
 
   } else {
@@ -440,12 +445,9 @@ SafeRefPtr<Request> Request::Constructor(
       nsCOMPtr<nsIInputStream> stream;
       nsAutoCString contentTypeWithCharset;
       uint64_t contentLength = 0;
+      // Foxhound:
       if (bodyInit.IsUSVString()) {
-        nsAutoCString url;
-        request->GetURL(url);
-        nsAutoString aUrl;
-        CopyUTF8toUTF16(url, aUrl);
-        ReportTaintSink(bodyInit.GetAsUSVString(), "fetch.body", aUrl);
+        ReportTaintSink(bodyInit.GetAsUSVString(), "fetch.body", url);
       }
       aRv = ExtractByteStreamFromBody(bodyInit, getter_AddRefs(stream),
                                       contentTypeWithCharset, contentLength);

dom/fetch/Request.h

@@ -127,6 +127,18 @@ class Request final : public FetchBody<Request>, public nsWrapperCache {
   AbortSignalImpl* GetSignalImpl() const override;
   AbortSignalImpl* GetSignalImplToConsumeBody() const final;
 
+  using FetchBody::GetInitialURL;
+
+  void GetInitialURL(nsACString& aInitialURL) {
+    nsTArray<nsCString> aURLList;
+    mRequest->GetURLListWithoutFragment(aURLList);
+    if (aURLList.IsEmpty()) {
+      aInitialURL = EmptyCString();
+      return;
+    }
+    aInitialURL = aURLList[0];
+  }
+
  private:
   ~Request();
 

dom/fetch/Response.h

@@ -138,6 +138,18 @@ class Response final : public FetchBody<Response>, public nsWrapperCache {
     return mSignalImpl;
   }
 
+  using FetchBody::GetInitialURL;
+
+  void GetInitialURL(nsACString& aInitialURL) {
+    nsTArray<nsCString> aURLList;
+    mInternalResponse->GetURLList(aURLList);
+    if (aURLList.IsEmpty()) {
+      aInitialURL = EmptyCString();
+      return;
+    }
+    aInitialURL = aURLList[0];
+  }
+
  private:
   static already_AddRefed<Response> CreateAndInitializeAResponse(
       const GlobalObject& aGlobal,

dom/file/Blob.cpp

@@ -295,7 +295,7 @@ already_AddRefed<Promise> Blob::ConsumeBody(
   return BodyConsumer::Create(mGlobal, mainThreadEventTarget, inputStream,
                               nullptr, aConsumeType, VoidCString(),
                               VoidString(), VoidCString(), VoidCString(),
-                              MutableBlobStorage::eOnlyInMemory, aRv);
+                              MutableBlobStorage::eOnlyInMemory, VoidCString(), aRv);
 }
 
 // https://w3c.github.io/FileAPI/#stream-method-algo