Fixing String conversion bug (#249)

* Fixed taint propagation for String conversion fast path and utf8 strings
* Added integration tests

Author: alexbara2000

dom/base/nsJSUtils.h

@@ -171,6 +171,7 @@ inline bool AssignJSString(JSContext* cx, T& dest, JSString* s) {
 
   MOZ_ASSERT(read == JS::GetStringLength(s));
   handle.Finish(written, kAllowShrinking);
+  dest.AssignTaint(JS_GetStringTaint(s));
   return true;
 }
 

js/xpconnect/src/xpcpublic.h

@@ -430,6 +430,7 @@ class XPCStringConvert {
         //       nsStringBuffer::FromData takes void*.
         AssignFromStringBuffer(
             nsStringBuffer::FromData(const_cast<DestCharT*>(chars)), len, dest);
+        dest.AssignTaint(JS_GetStringTaint(s));
         return true;
       }
     } else if (callbacks == &sLiteralExternalString) {
@@ -442,6 +443,7 @@ class XPCStringConvert {
       // The characters represent a literal string constant
       // compiled into libxul; we can just use it as-is.
       dest.AssignLiteral(chars, len);
+      dest.AssignTaint(JS_GetStringTaint(s));
       return true;
     }
 

taint/test/mochitest/mochitest.ini

@@ -42,6 +42,7 @@ support-files =
 [test_websocket.html]
 [test_push.html]
 [test_dom.html]
+[test_string_convertion_with_classes.html]
 scheme = https
 [test_url_object.html]
 [test_message_event.html]

taint/test/mochitest/test_string_convertion_with_classes.html

@@ -0,0 +1,65 @@
+<!DOCTYPE HTML>
+ <html>
+   <head>
+     <meta charset="utf-8">
+     <title>Test HTML Message Port Taint Sink</title>
+     <script src="/tests/SimpleTest/SimpleTest.js"></script>
+     <link rel="stylesheet" href="/tests/SimpleTest/test.css"/>
+     <script>
+      class SessionStorageManager {
+        constructor(storageKey) {
+            this.storageKey = storageKey;
+            this.storage = window.sessionStorage;
+            this.items = [];
+        }
+
+        get(key, factory) {
+            const newItem = factory(key);
+            this.items.push(newItem);
+            return newItem;
+        }
+
+        set() {
+            if (this.storage) {
+                var jsonString = JSON.stringify(this.items);
+                var encoded2=btoa(jsonString);
+                this.storage.setItem(this.storageKey, encoded2);
+                this.storage.setItem(this.storageKey, jsonString);
+            }
+        }
+      }
+
+      let string_content = "hello";
+      let number_of_tainted_flows = 4;
+      let i = 0;
+
+      SimpleTest.waitForExplicitFinish();
+      addEventListener("__taintreport", (report) => {
+          is(report.detail.str, string_content, "Check sink string content");
+          i += 1;
+          if (i >= number_of_tainted_flows) {
+            SimpleTest.finish();
+          }
+      }, false);
+
+      let taint_string = String.tainted(string_content);
+      const storageManager = new SessionStorageManager('myAppData');
+      function itemFactory(key) {
+          return { key, data: "thing" };
+      }
+
+      const item1 = storageManager.get('item1', itemFactory);
+      item1.data=[taint_string]
+      storageManager.set();
+      const item2 = storageManager.get('item2', itemFactory);
+      item2.data=[taint_string]
+      storageManager.set();
+     </script>
+   </head>
+   <body>
+     <p id="display"></p>
+     <div id="content" style="display: none"></div>
+     <p id="test"></p>
+     <button id="btn"></button>
+   </body>
+ </html>