
Commit 94dcf25

Fixing String conversion bug (#249)
* Fixed taint propagation for String conversion fast path and utf8 strings * Added integration tests
1 parent d51a31b commit 94dcf25


4 files changed

+69
-0
lines changed


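--- a/dom/base/nsJSUtils.h
+++ b/dom/base/nsJSUtils.h
@@ -171,6 +171,7 @@ inline bool AssignJSString(JSContext* cx, T& dest, JSString* s) {
 
 MOZ_ASSERT(read == JS::GetStringLength(s));
 handle.Finish(written, kAllowShrinking);
+dest.AssignTaint(JS_GetStringTaint(s));
 return true;
 }
 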
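Review bot: The added `dest.AssignTaint(JS_GetStringTaint(s));` covers only the `return true;` visible in this hunk; AssignJSString begins before the hunk, so any other return path of the function that produces `dest` from `s` still needs the same call — confirm they all propagate, because a path that drops taint makes the sink silently unreported rather than failing loudly. The same one-line propagation is added at both xpcpublic.h hunks, so three sites now rely on the author remembering the call. A short comment at the added line would record why it is needed here, e.g. `// Propagate taint from s explicitly: the fast path does not carry it on its own (#249).`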
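--- a/js/xpconnect/src/xpcpublic.h
+++ b/js/xpconnect/src/xpcpublic.h
@@ -430,6 +430,7 @@ class XPCStringConvert {
 // nsStringBuffer::FromData takes void*.
 AssignFromStringBuffer(
 nsStringBuffer::FromData(const_cast<DestCharT*>(chars)), len, dest);
+dest.AssignTaint(JS_GetStringTaint(s));
 return true;
 }
 } else if (callbacks == &sLiteralExternalString) {
@@ -442,6 +443,7 @@ class XPCStringConvert {
 // The characters represent a literal string constant
 // compiled into libxul; we can just use it as-is.
 dest.AssignLiteral(chars, len);
+dest.AssignTaint(JS_GetStringTaint(s));
 return true;
 }
 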
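Review bot: `dest.AssignTaint(JS_GetStringTaint(s));` is now pasted by hand before `return true;` at two return sites in this function (after `AssignFromStringBuffer(...)` in the first hunk and after `dest.AssignLiteral(chars, len);` in the second) and a third in nsJSUtils.h. A forgotten call on one conversion path is exactly the defect this commit fixes, so folding the string assignment and the taint assignment into one small helper, or giving the function a single exit that tags `dest` before returning, would make a fourth path harder to miss. The enclosing function starts before the first hunk and the branch taken before line 430 is not visible here; confirm it propagates taint as well.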
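--- a/taint/test/mochitest/mochitest.ini
+++ b/taint/test/mochitest/mochitest.ini
@@ -42,6 +42,7 @@ support-files =
 [test_websocket.html]
 [test_push.html]
 [test_dom.html]
+[test_string_convertion_with_classes.html]
 scheme = https
 [test_url_object.html]
 [test_message_event.html]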
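Review bot: The new `[test_string_convertion_with_classes.html]` section is inserted between `[test_dom.html]` and its `scheme = https` line, so in manifest syntax that property now belongs to the new test and test_dom.html no longer runs over https. Unless the new test is the one that needs https, move the entry below `scheme = https` (before `[test_url_object.html]`). The test name also misspells "conversion" as "convertion"; since the file is introduced in this commit, renaming it to `test_string_conversion_with_classes.html` here costs nothing.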
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
<!DOCTYPE HTML>
2+
<html>
3+
<head>
4+
<meta charset="utf-8">
5+
<title>Test HTML Message Port Taint Sink</title>
6+
<script src="/tests/SimpleTest/SimpleTest.js"></script>
7+
<link rel="stylesheet" href="/tests/SimpleTest/test.css"/>
8+
<script>
9+
class SessionStorageManager {
10+
constructor(storageKey) {
11+
this.storageKey = storageKey;
12+
this.storage = window.sessionStorage;
13+
this.items = [];
14+
}
15+
16+
get(key, factory) {
17+
const newItem = factory(key);
18+
this.items.push(newItem);
19+
return newItem;
20+
}
21+
22+
set() {
23+
if (this.storage) {
24+
var jsonString = JSON.stringify(this.items);
25+
var encoded2=btoa(jsonString);
26+
this.storage.setItem(this.storageKey, encoded2);
27+
this.storage.setItem(this.storageKey, jsonString);
28+
}
29+
}
30+
}
31+
32+
let string_content = "hello";
33+
let number_of_tainted_flows = 4;
34+
let i = 0;
35+
36+
SimpleTest.waitForExplicitFinish();
37+
addEventListener("__taintreport", (report) => {
38+
is(report.detail.str, string_content, "Check sink string content");
39+
i += 1;
40+
if (i >= number_of_tainted_flows) {
41+
SimpleTest.finish();
42+
}
43+
}, false);
44+
45+
let taint_string = String.tainted(string_content);
46+
const storageManager = new SessionStorageManager('myAppData');
47+
function itemFactory(key) {
48+
return { key, data: "thing" };
49+
}
50+
51+
const item1 = storageManager.get('item1', itemFactory);
52+
item1.data=[taint_string]
53+
storageManager.set();
54+
const item2 = storageManager.get('item2', itemFactory);
55+
item2.data=[taint_string]
56+
storageManager.set();
57+
</script>
58+
</head>
59+
<body>
60+
<p id="display"></p>
61+
<div id="content" style="display: none"></div>
62+
<p id="test"></p>
63+
<button id="btn"></button>
64+
</body>
65+
</html>
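Review bot: `number_of_tainted_flows = 4` paired with `is(report.detail.str, string_content, ...)` on every report assumes each of the four `setItem` calls (two per `set()`) produces a report whose `str` equals "hello"; the second call in each `set()` stores `btoa(jsonString)`, whose characters no longer contain "hello", so if `report.detail.str` is the sink's full string rather than the tainted range, two of the four checks fail — confirm which value the report carries, or compare each report against its own expected sink string. The `<title>` ("Test HTML Message Port Taint Sink") is copied from another test and should describe this one, e.g. `<title>Test taint propagation through String conversion of class instances</title>`. As a style point, `var jsonString`/`var encoded2` sit among `let`/`const` declarations and `item1.data=[taint_string]` / `item2.data=[taint_string]` lack semicolons. This section's file header is not shown on the page, so the file's path could not be confirmed from here.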
