Merge pull request #303 from leeN/fetch-header-sink

leeN · web-flow · commit b1cc2f44443f · 2025-06-10T12:26:22.000+02:00
Fetch header sink reporting
diff --git a/dom/fetch/Request.cpp b/dom/fetch/Request.cpp
@@ -10,6 +10,7 @@
 #include "nsIURI.h"
 #include "nsNetUtil.h"
 #include "nsPIDOMWindow.h"
+#include "nsTaintingUtils.h"
 
 #include "mozilla/ErrorResult.h"
 #include "mozilla/StaticPrefs_network.h"
@@ -379,6 +380,15 @@ SafeRefPtr<Request> Request::Constructor(
       return nullptr;
     }
     headers = h->GetInternalHeaders();
+
+    // Foxhound:
+    nsTArray<InternalHeaders::Entry> headerEntries;
+    headers->GetEntries(headerEntries);
+    for(InternalHeaders::Entry entry : headerEntries) {
+      ReportTaintSink(entry.mName, "fetch.header(key)");
+      ReportTaintSink(entry.mValue, "fetch.header(value)");
+    }
+
   } else {
     headers = new InternalHeaders(*requestHeaders);
   }
diff --git a/taint/test/mochitest/mochitest.ini b/taint/test/mochitest/mochitest.ini
@@ -41,6 +41,7 @@ support-files =
 [test_iframe_sinks.html]
 [test_fetch.html]
 [test_fetch_response.html]
+[test_fetch_header.html]
 [test_websocket_sinks.html]
 [test_function_ctor.html]
 [test_websocket.html]
diff --git a/taint/test/mochitest/test_fetch_header.html b/taint/test/mochitest/test_fetch_header.html
@@ -0,0 +1,65 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Test HTML Taint Sinks</title>
+    <script src="/tests/SimpleTest/SimpleTest.js"></script>
+    <link rel="stylesheet" href="/tests/SimpleTest/test.css"/>
+    <script>
+      function check_tainted(str) {
+        SimpleTest.ok(str.taint.length > 0, "Check tainted for: " + str);
+      }
+      
+      let sink_names = [
+        "fetch.header(key)",
+        "fetch.header(value)",
+        "fetch.header(value)"
+      ];
+
+
+      let i = 0;
+
+      SimpleTest.waitForExplicitFinish();
+      addEventListener("__taintreport", (report) => {
+
+        let flow = report.detail.str.taint[0].flow;
+        is(flow[1].operation, sink_names[i]);
+
+        i += 1;
+        if (i >= sink_names.length) {
+          SimpleTest.finish();
+        }
+      }, false);
+
+      async function startTest() {
+        try {
+          let tName = String.tainted("X_TAINT_HEADER");
+          let tValue = String.tainted("Foxhound");
+          let hs = new Headers();
+          hs.append(tName, tValue);
+          let response = await fetch(`http://mochi.test:8888/tests/taint/test/mochitest/fetch_server.sjs?text`,
+            {
+              headers: hs,
+          });
+          response = await fetch(`http://mochi.test:8888/tests/taint/test/mochitest/fetch_server.sjs?text`,
+            {
+              headers: { x : tValue },
+          });
+          return response.ok;
+        } catch(error
+        ) {
+          SimpleTest.info(error.message);
+          SimpleTest.is(true, false, "Error");
+          return null;
+        };
+      }
+
+
+    </script>
+  </head>
+  <body onload="startTest()">
+    <p id="display"></p>
+    <div id="content" style="display: none"></div>
+    <p id="test"></p>
+  </body>
+</html>
