Foxhound: prevent argument shortening for element xpath strings
tmbrbr committed Jan 17, 2024
1 parent b838cb1 commit 6dd6257
Showing 5 changed files with 39 additions and 13 deletions.
18 changes: 17 additions & 1 deletion dom/tainting/nsTaintingUtils.cpp
Expand Up @@ -84,11 +84,27 @@ static TaintOperation GetTaintOperation(JSContext *cx, const char* name, const n
return TaintOperation(name);
}

static TaintOperation GetTaintOperationFullArgs(JSContext *cx, const char* name, const nsTArray<nsString> &args)
{
if (cx && JS::CurrentGlobalOrNull(cx)) {
JS::RootedValue argval(cx);

if (mozilla::dom::ToJSValue(cx, args, &argval)) {
return JS_GetTaintOperationFullArgs(cx, name, argval);
}
}

return TaintOperation(name);
}

static void DescribeElement(const mozilla::dom::Element* element, nsAString& aInput)
{
aInput.Truncate();
if (element) {
XPathGenerator::Generate(element, aInput);
if (aInput.IsEmpty()) {
element->Describe(aInput);
}
}
}

Expand All @@ -101,7 +117,7 @@ static TaintOperation GetTaintOperation(JSContext *cx, const char* name, const m
DescribeElement(element, elementDesc);
args.AppendElement(elementDesc);

return GetTaintOperation(cx, name, args);
return GetTaintOperationFullArgs(cx, name, args);
}

return TaintOperation(name);
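Review bot: GetTaintOperationFullArgs at the top of the first hunk is a line-for-line copy of GetTaintOperation except for the JS_ API it calls, and neither the helper nor the switched call in the second hunk says why unshortened arguments are wanted here; a comment on the helper such as `// Element descriptions are XPath strings; use the full-argument variant so they are not shortened` would carry the commit's rationale into the code. The two helpers could also collapse into one taking a `bool fullArgs` that selects the JS_ call, mirroring how jstaint.cpp threads the flag. Note that the unshortened XPath produced by DescribeElement is presumably bounded only by the depth of the page's DOM, so per-operation argument size becomes page-controlled; if that is acceptable, say so in the same comment. The function containing the second hunk begins and ends outside it.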
10 changes: 8 additions & 2 deletions js/src/jsapi.cpp
Expand Up @@ -4805,7 +4805,13 @@ JS_MarkTaintSource(JSContext* cx, JS::MutableHandleValue value, const TaintOpera
JS_PUBLIC_API TaintOperation
JS_GetTaintOperation(JSContext* cx, const char* sink, JS::HandleValue arg)
{
return TaintOperationFromContext(cx, sink, false, arg);
return TaintOperationFromContext(cx, sink, false, arg, false);
}

JS_PUBLIC_API TaintOperation
JS_GetTaintOperationFullArgs(JSContext* cx, const char* sink, JS::HandleValue arg)
{
return TaintOperationFromContext(cx, sink, false, arg, true);
}

JS_PUBLIC_API TaintOperation
Expand Down Expand Up @@ -4863,7 +4869,7 @@ JS_ReportTaintSink(JSContext* cx, JS::HandleString str, const char* sink, JS::Ha
JS_ReportWarningUTF8(cx, "Tainted flow from %s into %s!", firstRange.flow().source().name(), sink);

// Extend the taint flow to include the sink function
str->taint().extend(TaintOperationFromContext(cx, sink, true, arg));
str->taint().extend(TaintOperationFromContext(cx, sink, true, arg, true));

// Trigger a custom event that can be caught by an extension.
// To simplify things, this part is implemented in JavaScript. Since we don't want to recompile
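Review bot: The second hunk switches JS_ReportTaintSink to `fullArgs=true`, which reaches beyond the element XPath case named in the commit title: every reported sink now stores its unshortened argument, and that argument is the tainted, page-controlled string itself, so its recorded length is no longer capped. If that is intended it deserves a comment on the line, `// Record the complete sink argument (no length limit) in the taint flow`; otherwise the call should keep passing `false` or rely on the header default. The new JS_GetTaintOperationFullArgs in the first hunk also has no comment in this file; a one-liner pointing at the header doc would do. JS_ReportTaintSink begins and ends outside the hunk.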
4 changes: 4 additions & 0 deletions js/src/jsapi.h
Expand Up @@ -986,6 +986,10 @@ JS_SetStringTaint(JSContext* cx, JSString* str, const StringTaint& taint);
extern JS_PUBLIC_API TaintOperation
JS_GetTaintOperation(JSContext* cx, const char* name, JS::HandleValue args);

// Taintfox: Get Taint Operation with no argument length restrictions
extern JS_PUBLIC_API TaintOperation
JS_GetTaintOperationFullArgs(JSContext* cx, const char* name, JS::HandleValue args);

// Taintfox: Create new String Taint Location from the context
extern JS_PUBLIC_API TaintOperation
JS_GetTaintOperation(JSContext* cx, const char* name);
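--- a/js/src/jstaint.cpp
+++ b/js/src/jstaint.cpp
@@ -142,12 +142,12 @@ std::u16string JS::taintarg(JSContext* cx, HandleObject obj)
 return taintarg(cx, str);
 }
 
-std::u16string JS::taintarg(JSContext* cx, HandleValue val)
+std::u16string JS::taintarg(JSContext* cx, HandleValue val, bool fullArgs)
 {
 RootedString str(cx, ToString(cx, val));
 if (!str)
 return std::u16string();
-return taintarg(cx, str);
+return fullArgs ? taintarg_full(cx, str) : taintarg(cx, str);
 }
 
 std::u16string JS::taintarg(JSContext* cx, int32_t num)
@@ -156,7 +156,7 @@ std::u16string JS::taintarg(JSContext* cx, int32_t num)
 return taintarg(cx, val);
 }
 
-std::vector<std::u16string> JS::taintargs(JSContext* cx, HandleValue val)
+std::vector<std::u16string> JS::taintargs(JSContext* cx, HandleValue val, bool fullArgs)
 {
 std::vector<std::u16string> args;
 bool isArray;
@@ -176,7 +176,7 @@ std::vector<std::u16string> JS::taintargs(JSContext* cx, HandleValue val)
 if (!JS_GetElement(cx, array, i, &v)) {
 continue;
 }
-args.push_back(taintarg(cx, v));
+args.push_back(taintarg(cx, v, fullArgs));
 }
 } else {
 args.push_back(taintarg(cx, val));
@@ -277,8 +277,8 @@ TaintLocation JS::TaintLocationFromContext(JSContext* cx)
 return TaintLocation(ascii2utf16(std::string(filename)), line, pos, scriptStartline, hash, taintarg(cx, function));
 }
 
-TaintOperation JS::TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleValue args) {
-return TaintOperation(name, is_native, TaintLocationFromContext(cx), taintargs(cx, args));
+TaintOperation JS::TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleValue args, bool fullArgs) {
+return TaintOperation(name, is_native, TaintLocationFromContext(cx), taintargs(cx, args, fullArgs));
 }
 
 TaintOperation JS::TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleString arg ) {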
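Review bot: In the third hunk the non-array branch of taintargs still calls `args.push_back(taintarg(cx, val));` without forwarding `fullArgs`, so a caller that passes fullArgs=true with a single non-array value (for example a plain `arg` reaching TaintOperationFromContext from JS_ReportTaintSink) gets a shortened argument while array elements get the full one. The line should read `args.push_back(taintarg(cx, val, fullArgs));`. The taintarg(cx, HandleValue, bool) overload in the first hunk could also state what the flag selects, e.g. `// fullArgs: use taintarg_full() so the string is not shortened`. taintargs begins in the second hunk and ends outside the third.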
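--- a/js/src/jstaint.h
+++ b/js/src/jstaint.h
@@ -41,13 +41,13 @@ std::u16string taintarg_jsstring_full(JSContext* cx, JSString* const& str);
 std::u16string taintarg(JSContext* cx, JS::HandleObject obj);
 
 // Converts a JS value into an argument string for a taint operation.
-std::u16string taintarg(JSContext* cx, JS::HandleValue str);
+std::u16string taintarg(JSContext* cx, JS::HandleValue val, bool fullArgs = false);
 
 // Converts an integer to a taint argument string.
 std::u16string taintarg(JSContext* cx, int32_t num);
 
 // Converts a JS Handle to a taint argument string.
-std::vector<std::u16string> taintargs(JSContext* cx, JS::HandleValue str);
+std::vector<std::u16string> taintargs(JSContext* cx, JS::HandleValue str, bool fullArgs);
 
 std::vector<std::u16string> taintargs(JSContext* cx, JS::HandleString str);
 
@@ -62,11 +62,11 @@ std::string convertDigestToHexString(const TaintMd5& digest);
 // Extracts the current filename, linenumber and function from the JSContext
 TaintLocation TaintLocationFromContext(JSContext* cx);
 
-TaintOperation TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleValue args);
+TaintOperation TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleValue args, bool fullArgs = false);
 
 TaintOperation TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleString arg);
 
-TaintOperation TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleString arg1, JS::HandleString arg2);
+TaintOperation TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleString arg1, JS::HandleString arg2);
 
 TaintOperation TaintOperationFromContextJSString(JSContext* cx, const char* name, bool is_native, JSString* const& str);
 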
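Review bot: The new `taintargs(JSContext* cx, JS::HandleValue str, bool fullArgs)` declaration in the first hunk gives fullArgs no default, while the sibling `taintarg` and `TaintOperationFromContext` declarations in this same commit default it to false; its parameter is also still named `str` although it is a HandleValue and the definition in jstaint.cpp calls it `val`. Suggest `std::vector<std::u16string> taintargs(JSContext* cx, JS::HandleValue val, bool fullArgs = false);` and extending the comment above it to `// Converts a JS value (or array of values) into taint argument strings; fullArgs keeps each string unshortened.` The final pair in the second hunk looks like a whitespace-only change to the two-string TaintOperationFromContext overload.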
