Merge branch 'main' into playwright-1.49

Author: tmbrbr

.github/workflows/js-hazards.yml

@@ -0,0 +1,88 @@
+
+name: JS Rooting Hazards
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the main branch
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+
+  # This workflow contains a single job called "build"
+  build:
+
+    name: 'JS Rooting Hazard Analysis'
+
+    # The type of runner that the job will run on
+    runs-on: ubuntu-22.04
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: true
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: true
+          swap-storage: true
+
+
+      - name: Install Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y   \
+               curl                 \
+               python3              \
+               python3-pip          \
+               python3-venv         \
+               tar                  \
+               zip                  \
+               unzip                \
+               git
+          sudo apt-get install -y --no-install-recommends ffmpeg libasound2 libatk1.0-0 libcairo-gobject2 libcairo2 libdbus-1-3 libdbus-glib-1-2 libfontconfig1 libfreetype6 libgdk-pixbuf-2.0-0 libglib2.0-0 libgtk-3-0 libpango-1.0-0 libpangocairo-1.0-0 libx11-6 libx11-xcb1 libxcb-shm0 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxtst6 xvfb fonts-noto-color-emoji fonts-unifont xfonts-cyrillic xfonts-scalable fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf
+          python3 -m pip install setuptools
+
+
+      - name: Checkout release branch
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Bootstrap
+        run: |
+          ./mach --no-interactive bootstrap --application-choice=js
+
+      - name: Bootstrap Hazard Analysis
+        run: |
+          ./mach hazards bootstrap
+      
+      - name: Build Shell
+        run: |
+          ./mach hazards build-shell
+
+      - name: Gather GC Info
+        run: |
+          ./mach hazards gather --project=js
+
+      - name: Analyze JS Hazards
+        run: |
+          ./mach hazards analyze --project=js
+
+      - name: Show Summary
+        run: |
+          cat ./haz-js/hazards.txt >> $GITHUB_STEP_SUMMARY
+      #- name: Upload Report
+      #  uses: actions/upload-artifact@v4  # upload test results
+      #  with:
+      #    name: rooting-hazards
+      #    path: haz-js/hazards.txt

README.md

@@ -6,7 +6,13 @@ This is the repository for project "Foxhound", a Firefox fork capable of trackin
 
 Taint tracking makes it possible to automatically detect client-side cross-site-scripting flaws in websites by marking certain attacker-controlled strings (e.g. `location.hash`) as tainted and notifying the user when tainted data reaches a set of predefined sinks (e.g. `eval()`, `.innerHTML`, ...).
 
-Foxhound has been successfully used for a wide range of academic studies (e.g., the [publications](https://github.com/SAP/project-foxhound/wiki/Publications) listed in the Wiki) as well as for security testing in industrial use cases.
+:trophy: Foxhound has been rated the **best tool** for [Dynamic Security Analysis of JavaScript](https://www.dais.unive.it/~calzavara/papers/www25.pdf) by independent researchers! In their study, Foxhound **outperformed 17 other tools** in all of the categories considered, namely *compatibility* (95%), *transparency* (97%), *coverage* (94%) and *performance* (1.4x). To quote the paper:
+
+>
+> The only effective solution given the current state of the art is Project Foxhound.
+>
+
+In addition, Foxhound has been successfully used for a wide range of academic studies (e.g., the [publications](https://github.com/SAP/project-foxhound/wiki/Publications) listed in the Wiki) as well as for security testing in industrial use cases.
 
 ## Usage
 
@@ -114,8 +120,8 @@ The JavaScript public API (jsapi.h) has been extended to support access to taint
 `JS_ReportTaintSink` which takes care of reporting a flow of tainted data into a predefined sink.
 In this case a message will be written to stdout and a custom JavaScript Event will be triggered that can then be processed by a Firefox extension.
 
-All code related to taint tracking has been marked with a `// TaintFox` comment, making it easy to search for modifications in the source code.
-Finding the `location.hash` taint source becomes as easy as `git grep -n TaintFox | grep location.hash`.
+All code related to taint tracking has been marked with a `// Foxhound` comment, making it easy to search for modifications in the source code.
+Finding the `location.hash` taint source becomes as easy as `git grep -n Foxhound | grep location.hash`.
 
 Taint information is available in JavaScript via the `.taint` property of string instances:
 

dom/base/CharacterData.cpp

@@ -143,7 +143,7 @@ void CharacterData::GetData(nsAString& aData) const {
     }
   }
 
-  // TaintFox: propagate taint when accessing text data from DOM nodes.
+  // Foxhound: propagate taint when accessing text data from DOM nodes.
   aData.AssignTaint(mText.Taint());
 
 }
@@ -181,7 +181,7 @@ void CharacterData::SubstringData(uint32_t aStart, uint32_t aCount,
     CopyASCIItoUTF16(Substring(data, data + amount), aReturn);
   }
 
-  // TaintFox: propagate taint.
+  // Foxhound: propagate taint.
   aReturn.AssignTaint(mText.Taint().safeSubTaint(aStart, aStart + aCount));
 }
 

dom/base/DOMParser.cpp

@@ -61,7 +61,7 @@ NS_IMPL_CYCLE_COLLECTING_RELEASE(DOMParser)
 already_AddRefed<Document> DOMParser::ParseFromString(const nsAString& aStr,
                                                       SupportedType aType,
                                                       ErrorResult& aRv) {
-  // TaintFox: Copy String so the TaintOperation shows up in the function trace
+  // Foxhound: Copy String so the TaintOperation shows up in the function trace
   nsTDependentSubstring strCopy(aStr, 0);
   // TODO(david): Is this sound?
   nsTArray<nsString> args;

dom/base/Document.cpp

@@ -6589,7 +6589,7 @@ void Document::GetReferrer(nsACString& aReferrer) const {
 
   URLDecorationStripper::StripTrackingIdentifiers(referrer, aReferrer);
 
-  // TaintFox: document.referrer taint source.
+  // Foxhound: document.referrer taint source.
   MarkTaintSource(aReferrer, "document.referrer");
 }
 
@@ -6635,7 +6635,7 @@ void Document::GetCookie(nsAString& aCookie, ErrorResult& aRv) {
     // because it assumes that the input is valid.
     UTF_8_ENCODING->DecodeWithoutBOMHandling(cookie, aCookie);
 
-    // TaintFox: document.cookie source.
+    // Foxhound: document.cookie source.
     MarkTaintSource(aCookie, "document.cookie");
   }
 }
@@ -6680,7 +6680,7 @@ void Document::SetCookie(const nsAString& aCookie, ErrorResult& aRv) {
     return;
   }
 
-  // TaintFox: document.cookie sink.
+  // Foxhound: document.cookie sink.
   ReportTaintSink(aCookie, "document.cookie");
 
   NS_ConvertUTF16toUTF8 cookie(aCookie);
@@ -10194,7 +10194,7 @@ void Document::WriteCommon(const nsAString& aText, bool aNewlineTerminate,
     }
   }
 
-  // TaintFox: document.write and document.writeln sink.
+  // Foxhound: document.write and document.writeln sink.
   ReportTaintSink(aText, aNewlineTerminate ? "document.writeln" : "document.write");
 
   static constexpr auto new_line = u"\n"_ns;
@@ -10277,7 +10277,7 @@ nsresult Document::GetDocumentURI(nsString& aDocumentURI) const {
 
     CopyUTF8toUTF16(uri, aDocumentURI);
 
-    // TaintFox: document.documentURI taint source.
+    // Foxhound: document.documentURI taint source.
     MarkTaintSource(aDocumentURI, "document.documentURI");
   } else {
     aDocumentURI.Truncate();
@@ -10305,7 +10305,7 @@ void Document::GetDocumentURIFromJS(nsString& aDocumentURI,
   }
   CopyUTF8toUTF16(uri, aDocumentURI);
 
-  // TaintFox: document.documentURI taint source.
+  // Foxhound: document.documentURI taint source.
   MarkTaintSource(aDocumentURI, "document.documentURI");
 }
 

dom/base/Element.cpp

@@ -234,7 +234,7 @@ namespace mozilla::dom {
 
 // Note that mozjemalloc uses a 16 byte quantum, so 64, 80 and 128 are
 // bucket sizes.
-// Taintfox - originally ASSERT_NODE_SIZE(Element, 128, 80);
+// Foxhound - originally ASSERT_NODE_SIZE(Element, 128, 80);
 // We needed to add additional 8 bytes for taint operations
 ASSERT_NODE_SIZE(Element, 136, 80);
 ASSERT_NODE_SIZE(HTMLDivElement, 136, 80);
@@ -243,7 +243,7 @@ ASSERT_NODE_SIZE(HTMLParagraphElement, 136, 80);
 ASSERT_NODE_SIZE(HTMLPreElement, 136, 80);
 ASSERT_NODE_SIZE(HTMLSpanElement, 136, 80);
 ASSERT_NODE_SIZE(HTMLTableCellElement, 136, 80);
-// TaintFox:
+// Foxhound:
 // Original: ASSERT_NODE_SIZE(Text, 120, 64);
 // Text is now a taintable string, so contains an
 // additional pointer (ie 120 + 8 or 64 + 4 bytes)
@@ -2441,7 +2441,7 @@ void Element::SetEventHandler(nsAtom* aEventName, const nsAString& aValue,
     return;
   }
 
-  // TaintFox: Event handler sink.
+  // Foxhound: Event handler sink.
   if (aValue.isTainted()) {
     nsAutoString eventName;
     aEventName->ToString(eventName);
@@ -2584,7 +2584,7 @@ nsresult Element::SetAttr(int32_t aNamespaceID, nsAtom* aName, nsAtom* aPrefix,
   nsAttrValue oldValue;
   bool oldValueSet;
 
-  // Taintfox: the script blocker below will prevent us from executing taint notifications!
+  // Foxhound: the script blocker below will prevent us from executing taint notifications!
   // So add our own callback to check the taint, even if value is not changing
   CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
 
@@ -2992,7 +2992,7 @@ bool Element::GetAttr(const nsAtom* aName, nsAString& aResult, bool doTainting)
     return false;
   }
   val->ToString(aResult);
-  // Taintfox: getAttribute source
+  // Foxhound: getAttribute source
   if (doTainting && aResult.Length() > 0) {
     SetTaintSourceGetAttr(aName, aResult);
   }
@@ -3007,7 +3007,7 @@ bool Element::GetAttr(int32_t aNameSpaceID, const nsAtom* aName,
     return false;
   }
   val->ToString(aResult);
-  // Taintfox: getAttribute source
+  // Foxhound: getAttribute source
   if (doTainting && aResult.Length() > 0) {
     SetTaintSourceGetAttr(aName, aResult);
   }
@@ -4036,7 +4036,7 @@ void Element::SetInnerHTML(const nsAString& aInnerHTML,
                            nsIPrincipal* aSubjectPrincipal,
                            ErrorResult& aError) {
 
-  // TaintFox: innerHTML sink - don't set for template elements
+  // Foxhound: innerHTML sink - don't set for template elements
   if (!IsTemplateElement()) {
     ReportTaintSink(aInnerHTML, "innerHTML", this);
   }
@@ -4063,7 +4063,7 @@ void Element::SetOuterHTML(const nsAString& aOuterHTML, ErrorResult& aError) {
     return;
   }
 
-  // TaintFox: outerHTML sink.
+  // Foxhound: outerHTML sink.
   ReportTaintSink(aOuterHTML, "outerHTML", this);
 
   if (OwnerDoc()->IsHTMLDocument()) {
@@ -4113,7 +4113,7 @@ enum nsAdjacentPosition { eBeforeBegin, eAfterBegin, eBeforeEnd, eAfterEnd };
 
 void Element::InsertAdjacentHTML(const nsAString& aPosition,
                                  const nsAString& aText, ErrorResult& aError) {
-  // TaintFox: insertAdjacentHTML sink
+  // Foxhound: insertAdjacentHTML sink
   ReportTaintSink(aText, "insertAdjacentHTML", this);
 
   nsAdjacentPosition position;
@@ -4244,7 +4244,7 @@ void Element::InsertAdjacentText(const nsAString& aWhere,
                                  const nsAString& aData, ErrorResult& aError) {
   RefPtr<nsTextNode> textNode = OwnerDoc()->CreateTextNode(aData);
 
-  // TaintFox: insertAdjacentHTML sink
+  // Foxhound: insertAdjacentHTML sink
   ReportTaintSink(aData, "insertAdjacentText", this);
 
   InsertAdjacent(aWhere, textNode, aError);

dom/base/Element.h

@@ -1167,7 +1167,7 @@ class Element : public FragmentOrElement {
       return false;  // DOMString comes pre-emptied.
     }
     val->ToString(aResult);
-    // Taintfox element.getAttr source
+    // Foxhound: element.getAttr source
     if (doTainting && aResult.Length() > 0) {
       SetTaintSourceGetAttr(aName, aResult);
     }
@@ -1182,7 +1182,7 @@ class Element : public FragmentOrElement {
       return false;  // DOMString comes pre-emptied.
     }
     val->ToString(aResult);
-    // Taintfox element.getAttr source
+    // Foxhound: element.getAttr source
     if (doTainting && aResult.Length() > 0) {
       SetTaintSourceGetAttr(aNameSpaceID, aName, aResult);
     }
@@ -1198,7 +1198,7 @@ class Element : public FragmentOrElement {
     const nsAttrValue* val = mAttrs.GetAttr(aName);
     if (val) {
       val->ToString(aResult);
-      // Taintfox element.getAttr source
+      // Foxhound element.getAttr source
       if (doTainting && aResult.Length() > 0) {
         SetTaintSourceGetAttr(aName, aResult);
       }
@@ -1986,7 +1986,7 @@ class Element : public FragmentOrElement {
   void SetTaintSourceGetAttr(int32_t aNameSpaceID, const nsAtom* aName,
                                      DOMString& aResult) const;
   /**
-   *  Taintfox: this method can be overriden by child classes to mark
+   *  Foxhound: this method can be overriden by child classes to mark
    * certain attributes as taint sources.
    */
   virtual void SetTaintSourceGetAttr(const nsAString& aName, DOMString& aResult) const;

dom/base/EventSource.cpp

@@ -635,7 +635,7 @@ void EventSourceImpl::Init(nsIGlobalObject* aWindowGlobal,
   MOZ_ASSERT(aPrincipal);
   MOZ_ASSERT(ReadyState() == CONNECTING);
   mPrincipal = aPrincipal;
-  // Taintfox: EventSource sink
+  // Foxhound: EventSource sink
   ReportTaintSink(aURL, "EventSource");
   aRv = ParseURL(aURL);
   if (NS_WARN_IF(aRv.Failed())) {