Merge pull request #307 from leeN/e2e-uptodate

End to End tainting reactivated

Author: leeN

dom/base/JSExecutionContext.cpp

@@ -163,7 +163,7 @@ nsresult JSExecutionContext::Compile(const nsAString& aScript) {
 
   const nsPromiseFlatString& flatScript = PromiseFlatString(aScript);
   JS::SourceText<char16_t> srcBuf;
-  if (!srcBuf.init(mCx, flatScript.get(), flatScript.Length(),
+  if (!srcBuf.init(mCx, flatScript.get(), flatScript.Length(), aScript.Taint(),
                    JS::SourceOwnership::Borrowed)) {
     mSkip = true;
     mRv = EvaluationExceptionToNSResult(mCx);

dom/html/HTMLTextAreaElement.cpp

@@ -157,6 +157,8 @@ void HTMLTextAreaElement::GetValueInternal(nsAString& aValue,
                                            bool aIgnoreWrap) const {
   MOZ_ASSERT(mState);
   mState->GetValue(aValue, aIgnoreWrap, /* aForDisplay = */ true);
+    MarkTaintSourceElement(aValue, "textarea.value", this);
+
 }
 
 void HTMLTextAreaElement::SetTaintSourceGetAttr(const nsAString& aName, nsAString& aResult) const {

dom/script/ScriptLoadHandler.cpp

@@ -68,7 +68,7 @@ ScriptDecoder::ScriptDecoder(const Encoding* aEncoding,
 template <typename Unit>
 nsresult ScriptDecoder::DecodeRawDataHelper(
     JS::loader::ScriptLoadRequest* aRequest, const uint8_t* aData,
-    uint32_t aDataLength, bool aEndOfStream) {
+    uint32_t aDataLength, bool aEndOfStream, const StringTaint& aTaint) {
   CheckedInt<size_t> needed =
       ScriptDecoding<Unit>::MaxBufferLength(mDecoder, aDataLength);
   if (!needed.isValid()) {
@@ -99,19 +99,26 @@ nsresult ScriptDecoder::DecodeRawDataHelper(
   MOZ_ALWAYS_TRUE(scriptText.resize(haveRead));
   aRequest->SetReceivedScriptTextLength(scriptText.length());
 
+  // Foxhound: Append Taint
+  // Foxhound(David): Check if this really matches the prior semantics
+  SafeStringTaint taint(aRequest->Taint());
+  taint.concat(aTaint, aRequest->ReceivedScriptTextLength());
+  aRequest->SetReceivedScriptTaint(taint);
+
   return NS_OK;
 }
 
 nsresult ScriptDecoder::DecodeRawData(JS::loader::ScriptLoadRequest* aRequest,
                                       const uint8_t* aData,
-                                      uint32_t aDataLength, bool aEndOfStream) {
+                                      uint32_t aDataLength, bool aEndOfStream,
+                                      const StringTaint& aTaint) {
   if (aRequest->IsUTF16Text()) {
     return DecodeRawDataHelper<char16_t>(aRequest, aData, aDataLength,
-                                         aEndOfStream);
+                                         aEndOfStream, aTaint);
   }
 
   return DecodeRawDataHelper<Utf8Unit>(aRequest, aData, aDataLength,
-                                       aEndOfStream);
+                                       aEndOfStream, aTaint);
 }
 
 ScriptLoadHandler::ScriptLoadHandler(
@@ -191,8 +198,18 @@ ScriptLoadHandler::OnIncrementalData(nsIIncrementalStreamLoader* aLoader,
 
     // Decoder has already been initialized. -- trying to decode all loaded
     // bytes.
+    SafeStringTaint taint(EmptyTaint);
+    if(aTaint != nullptr) {
+      taint = *aTaint;
+    }
     rv = mDecoder->DecodeRawData(mRequest, aData, aDataLength,
-                                 /* aEndOfStream = */ false);
+                                 /* aEndOfStream = */ false, taint);
+
+#if (DEBUG_E2E_TAINTING)
+    puts(__PRETTY_FUNCTION__);
+    DumpTaint(taint);
+#endif
+
     NS_ENSURE_SUCCESS(rv, rv);
 
     // If SRI is required for this load, appending new bytes to the hash.
@@ -419,7 +436,7 @@ ScriptLoadHandler::OnStreamComplete(nsIIncrementalStreamLoader* aLoader,
           EnsureDecoder(aLoader, aData, aDataLength, /* aEndOfStream = */ true);
       MOZ_ASSERT(encoderSet);
       rv = mDecoder->DecodeRawData(mRequest, aData, aDataLength,
-                                   /* aEndOfStream = */ true);
+                                   /* aEndOfStream = */ true, *aTaint);
       NS_ENSURE_SUCCESS(rv, rv);
 
       LOG(("ScriptLoadRequest (%p): Source length in code units = %u",

dom/script/ScriptLoadHandler.h

@@ -48,7 +48,7 @@ class ScriptDecoder {
    */
   nsresult DecodeRawData(JS::loader::ScriptLoadRequest* aRequest,
                          const uint8_t* aData, uint32_t aDataLength,
-                         bool aEndOfStream);
+                         bool aEndOfStream, const StringTaint& aTaint);
 
  private:
   /*
@@ -60,8 +60,8 @@ class ScriptDecoder {
    */
   template <typename Unit>
   nsresult DecodeRawDataHelper(JS::loader::ScriptLoadRequest* aRequest,
-                               const uint8_t* aData, uint32_t aDataLength,
-                               bool aEndOfStream);
+                               const uint8_t* aData, uint32_t aDataLength, bool aEndOfStream,
+                               const StringTaint& aTaint);
 
   // Unicode decoder for charset.
   mozilla::UniquePtr<mozilla::Decoder> mDecoder;

dom/workers/loader/CacheLoadHandler.cpp

@@ -556,8 +556,9 @@ nsresult CacheLoadHandler::DataReceivedFromCache(
   // Set the Source type to "text" for decoding.
   loadContext->mRequest->SetTextSource(loadContext);
 
+  // Foxhound(david): Is this sane?
   rv = mDecoder->DecodeRawData(loadContext->mRequest, aString, aStringLen,
-                               /* aEndOfStream = */ true);
+                               /* aEndOfStream = */ true, EmptyTaint);
   NS_ENSURE_SUCCESS(rv, rv);
 
   if (!loadContext->mRequest->ScriptTextLength()) {

dom/workers/loader/NetworkLoadHandler.cpp

@@ -168,8 +168,9 @@ nsresult NetworkLoadHandler::DataReceivedFromNetwork(nsIStreamLoader* aLoader,
 
   // Use the regular ScriptDecoder Decoder for this grunt work! Should be just
   // fine because we're running on the main thread.
+  // Foxhound(david): Is this sane?
   rv = mDecoder->DecodeRawData(loadContext->mRequest, aString, aStringLen,
-                               /* aEndOfStream = */ true);
+                               /* aEndOfStream = */ true, EmptyTaint);
   NS_ENSURE_SUCCESS(rv, rv);
 
   if (!loadContext->mRequest->ScriptTextLength()) {

dom/worklet/WorkletFetchHandler.cpp

@@ -215,8 +215,9 @@ NS_IMETHODIMP FetchCompleteRunnable::RunOnWorkletThread() {
   if (mScriptBuffer) {
     UniquePtr<ScriptDecoder> decoder = MakeUnique<ScriptDecoder>(
         UTF_8_ENCODING, ScriptDecoder::BOMHandling::Remove);
+    // Foxhound(david): Is this sane?
     rv = decoder->DecodeRawData(request, mScriptBuffer.get(), mScriptLength,
-                                true);
+                                true, EmptyTaint);
     NS_ENSURE_SUCCESS(rv, rv);
   }
 

dom/xhr/XMLHttpRequestMainThread.cpp

@@ -605,6 +605,9 @@ nsresult XMLHttpRequestMainThread::AppendToResponseText(
 
     auto handle = handleOrErr.unwrap();
 
+    // Foxhound: propagate taint. TODO(samuel) deal with encoding
+    helper.AppendTaintAt(len, aTaint);
+
     uint32_t result;
     size_t read;
     size_t written;
@@ -615,8 +618,6 @@ nsresult XMLHttpRequestMainThread::AppendToResponseText(
     len += written;
     MOZ_ASSERT(len <= destBufferLen.value());
     handle.Finish(len, false);
-    // Foxhound: propagate taint. TODO(samuel) deal with encoding
-    helper.AppendTaintAt(len, aTaint);
   }  // release mutex
 
   if (aLast) {

js/loader/LoadedScript.cpp

@@ -10,6 +10,7 @@
 #include "mozilla/UniquePtr.h"  // mozilla::UniquePtr
 
 #include "mozilla/dom/ScriptLoadContext.h"  // ScriptLoadContext
+#include "nsTaintingUtils.h"
 #include "jsfriendapi.h"
 #include "js/Modules.h"       // JS::{Get,Set}ModulePrivate
 #include "LoadContextBase.h"  // LoadContextBase
@@ -49,6 +50,7 @@ LoadedScript::LoadedScript(ScriptKind aKind,
       mURI(aURI),
       mDataType(DataType::eUnknown),
       mReceivedScriptTextLength(0),
+      mScriptTextTaint(EmptyTaint),
       mBytecodeOffset(0) {
   MOZ_ASSERT(mFetchOptions);
   MOZ_ASSERT(mURI);
@@ -134,6 +136,10 @@ nsresult LoadedScript::GetScriptSource(JSContext* aCx,
     scriptLoadContext->GetInlineScriptText(inlineData);
 
     size_t nbytes = inlineData.Length() * sizeof(char16_t);
+
+    // Foxhound: tainted JavaScript inline script data
+    // Foxhound(david): This breaks some tests atm, have to investigate.
+    // ReportTaintSink(inlineData, "Inline Script");
     JS::UniqueTwoByteChars chars(
         static_cast<char16_t*>(JS_malloc(aCx, nbytes)));
     if (!chars) {
@@ -143,7 +149,7 @@ nsresult LoadedScript::GetScriptSource(JSContext* aCx,
     memcpy(chars.get(), inlineData.get(), nbytes);
 
     SourceText<char16_t> srcBuf;
-    if (!srcBuf.init(aCx, std::move(chars), inlineData.Length())) {
+    if (!srcBuf.init(aCx, std::move(chars), inlineData.Length(), inlineData.Taint())) {
       return NS_ERROR_OUT_OF_MEMORY;
     }
 
@@ -161,7 +167,7 @@ nsresult LoadedScript::GetScriptSource(JSContext* aCx,
     }
 
     SourceText<char16_t> srcBuf;
-    if (!srcBuf.init(aCx, std::move(chars), length)) {
+    if (!srcBuf.init(aCx, std::move(chars), length, mScriptTextTaint)) {
       return NS_ERROR_OUT_OF_MEMORY;
     }
 
@@ -178,7 +184,7 @@ nsresult LoadedScript::GetScriptSource(JSContext* aCx,
   }
 
   SourceText<Utf8Unit> srcBuf;
-  if (!srcBuf.init(aCx, std::move(chars), length)) {
+  if (!srcBuf.init(aCx, std::move(chars), length, mScriptTextTaint)) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 

js/loader/LoadedScript.h

@@ -203,6 +203,14 @@ class LoadedScript : public nsIMemoryReporter {
     mReceivedScriptTextLength = aLength;
   }
 
+  void SetReceivedScriptTaint(const StringTaint& aTaint) {
+    mScriptTextTaint = aTaint;
+  }
+
+  const StringTaint& Taint() {
+    return mScriptTextTaint;
+  }
+
   bool CanHaveBytecode() const {
     return IsBytecode() || IsSource() || IsStencil();
   }
@@ -256,6 +264,9 @@ class LoadedScript : public nsIMemoryReporter {
   // since mScriptData is cleared when the source is passed to the JS engine.
   size_t mReceivedScriptTextLength;
 
+  // The taint corresponding to the script data
+  SafeStringTaint mScriptTextTaint;
+
   // Holds the SRI serialized hash and the script bytecode for non-inline
   // scripts. The data is laid out according to ScriptBytecodeDataLayout
   // or, if compression is enabled, ScriptBytecodeCompressedDataLayout.
@@ -335,6 +346,14 @@ class LoadedScriptDelegate {
     GetLoadedScript()->SetReceivedScriptTextLength(aLength);
   }
 
+  const StringTaint& Taint() {
+    return GetLoadedScript()->Taint();
+  }
+
+  void SetReceivedScriptTaint(const StringTaint& aTaint) {
+    GetLoadedScript()->SetReceivedScriptTaint(aTaint);
+  }
+
   // Get source text.  On success |aMaybeSource| will contain either UTF-8 or
   // UTF-16 source; on failure it will remain in its initial state.
   nsresult GetScriptSource(JSContext* aCx, MaybeSourceText* aMaybeSource,