Merge branch 'dev-xhr-header'

SAP · Jan 17, 2024 · ca477c0 · ca477c0
2 parents 9b50b11 + 6dd6257
commit ca477c0
Show file tree

Hide file tree

Showing 7 changed files with 83 additions and 17 deletions.
diff --git a/dom/tainting/nsTaintingUtils.cpp b/dom/tainting/nsTaintingUtils.cpp
@@ -13,6 +13,7 @@
 #include <utility>
 #include "jsfriendapi.h"
 #include "mozilla/dom/ToJSValue.h"
+#include "XPathGenerator.h"
 #include "nsContentUtils.h"
 #include "nsString.h"
 #include "mozilla/Logging.h"
@@ -83,16 +84,40 @@ static TaintOperation GetTaintOperation(JSContext *cx, const char* name, const n
   return TaintOperation(name);
 }
 
+static TaintOperation GetTaintOperationFullArgs(JSContext *cx, const char* name, const nsTArray<nsString> &args)
+{
+  if (cx && JS::CurrentGlobalOrNull(cx)) {
+    JS::RootedValue argval(cx);
+
+    if (mozilla::dom::ToJSValue(cx, args, &argval)) {
+      return JS_GetTaintOperationFullArgs(cx, name, argval);
+    }
+  }
+
+  return TaintOperation(name);
+}
+
+static void DescribeElement(const mozilla::dom::Element* element, nsAString& aInput)
+{
+  aInput.Truncate();
+  if (element) {
+    XPathGenerator::Generate(element, aInput);
+    if (aInput.IsEmpty()) {
+      element->Describe(aInput);
+    }
+  }
+}
+
 static TaintOperation GetTaintOperation(JSContext *cx, const char* name, const mozilla::dom::Element* element)
 {
   if (element) {
     nsTArray<nsString> args;
     nsAutoString elementDesc;
 
-    element->Describe(elementDesc);
+    DescribeElement(element, elementDesc);
     args.AppendElement(elementDesc);
 
-    return GetTaintOperation(cx, name, args);
+    return GetTaintOperationFullArgs(cx, name, args);
   }
 
   return TaintOperation(name);
@@ -105,7 +130,7 @@ static TaintOperation GetTaintOperation(JSContext *cx, const char* name, const m
     nsTArray<nsString> args;
 
     nsAutoString elementDesc;
-    element->Describe(elementDesc);
+    DescribeElement(element, elementDesc);
     args.AppendElement(elementDesc);
 
     nsAutoString attributeName;
@@ -411,7 +436,7 @@ nsresult ReportTaintSink(const nsAString &str, const char* name, const mozilla::
 {
   nsAutoString elementDesc;
   if (element) {
-    element->Describe(elementDesc);
+    DescribeElement(element, elementDesc);
   }
   return ReportTaintSink(str, name, elementDesc);
 }

diff --git a/dom/xhr/XMLHttpRequestMainThread.cpp b/dom/xhr/XMLHttpRequestMainThread.cpp
@@ -565,7 +565,24 @@ void XMLHttpRequestMainThread::GetResponseText(DOMString& aResponseText,
   }
 
   // Taintfox: XMLHttpRequest.response source
-  MarkTaintSource(aResponseText, "XMLHttpRequest.response");
+  nsTArray<nsString> args;
+
+  nsAutoString url;
+  if (mRequestURL) {
+    nsCString cUrl = mRequestURL->GetSpecOrDefault();
+    url = NS_ConvertUTF8toUTF16(cUrl);
+  }
+  args.AppendElement(url);
+
+  nsAutoCString requestHeaders;
+  mAuthorRequestHeaders.GetAll(requestHeaders);
+  args.AppendElement(NS_ConvertUTF8toUTF16(requestHeaders));
+
+  nsAutoCString responseHeaders;
+  GetAllResponseHeaders(responseHeaders, aRv);
+  args.AppendElement(NS_ConvertUTF8toUTF16(responseHeaders));
+
+  MarkTaintSource(aResponseText, "XMLHttpRequest.response", args);
 }
 
 void XMLHttpRequestMainThread::GetResponseText(
@@ -4368,4 +4385,14 @@ bool RequestHeaders::CharsetIterator::Next() {
   return true;
 }
 
+void RequestHeaders::GetAll(nsACString& aValue) const {
+  aValue.Truncate();
+  for (const RequestHeaders::RequestHeader& header : mHeaders) {
+    aValue.Append(header.mName);
+    aValue.AppendLiteral(": ");
+    aValue.Append(header.mValue);
+    aValue.AppendLiteral("\r\n");
+  }
+}
+
 }  // namespace mozilla::dom
diff --git a/dom/xhr/XMLHttpRequestMainThread.h b/dom/xhr/XMLHttpRequestMainThread.h
@@ -176,6 +176,10 @@ class RequestHeaders {
   void ApplyToChannel(nsIHttpChannel* aChannel, bool aStripRequestBodyHeader,
                       bool aStripAuth) const;
   void GetCORSUnsafeHeaders(nsTArray<nsCString>& aArray) const;
+
+  // Tainting Helper Function:
+  void GetAll(nsACString& aValue) const;
+
 };
 
 class nsXHRParseEndListener;

diff --git a/js/src/jsapi.cpp b/js/src/jsapi.cpp
@@ -4805,7 +4805,13 @@ JS_MarkTaintSource(JSContext* cx, JS::MutableHandleValue value, const TaintOpera
 JS_PUBLIC_API TaintOperation
 JS_GetTaintOperation(JSContext* cx, const char* sink, JS::HandleValue arg)
 {
-  return TaintOperationFromContext(cx, sink, false, arg);
+  return TaintOperationFromContext(cx, sink, false, arg, false);
+}
+
+JS_PUBLIC_API TaintOperation
+JS_GetTaintOperationFullArgs(JSContext* cx, const char* sink, JS::HandleValue arg)
+{
+  return TaintOperationFromContext(cx, sink, false, arg, true);
 }
 
 JS_PUBLIC_API TaintOperation
@@ -4863,7 +4869,7 @@ JS_ReportTaintSink(JSContext* cx, JS::HandleString str, const char* sink, JS::Ha
   JS_ReportWarningUTF8(cx, "Tainted flow from %s into %s!", firstRange.flow().source().name(), sink);
 
   // Extend the taint flow to include the sink function
-  str->taint().extend(TaintOperationFromContext(cx, sink, true, arg));
+  str->taint().extend(TaintOperationFromContext(cx, sink, true, arg, true));
 
   // Trigger a custom event that can be caught by an extension.
   // To simplify things, this part is implemented in JavaScript. Since we don't want to recompile

diff --git a/js/src/jsapi.h b/js/src/jsapi.h
@@ -986,6 +986,10 @@ JS_SetStringTaint(JSContext* cx, JSString* str, const StringTaint& taint);
 extern JS_PUBLIC_API TaintOperation
 JS_GetTaintOperation(JSContext* cx, const char* name, JS::HandleValue args);
 
+// Taintfox: Get Taint Operation with no argument length restrictions
+extern JS_PUBLIC_API TaintOperation
+JS_GetTaintOperationFullArgs(JSContext* cx, const char* name, JS::HandleValue args);
+
 // Taintfox: Create new String Taint Location from the context
 extern JS_PUBLIC_API TaintOperation
 JS_GetTaintOperation(JSContext* cx, const char* name);

diff --git a/js/src/jstaint.cpp b/js/src/jstaint.cpp
@@ -142,12 +142,12 @@ std::u16string JS::taintarg(JSContext* cx, HandleObject obj)
   return taintarg(cx, str);
 }
 
-std::u16string JS::taintarg(JSContext* cx, HandleValue val)
+std::u16string JS::taintarg(JSContext* cx, HandleValue val, bool fullArgs)
 {
   RootedString str(cx, ToString(cx, val));
   if (!str)
     return std::u16string();
-  return taintarg(cx, str);
+  return fullArgs ? taintarg_full(cx, str) : taintarg(cx, str);
 }
 
 std::u16string JS::taintarg(JSContext* cx, int32_t num)
@@ -156,7 +156,7 @@ std::u16string JS::taintarg(JSContext* cx, int32_t num)
   return taintarg(cx, val);
 }
 
-std::vector<std::u16string> JS::taintargs(JSContext* cx, HandleValue val)
+std::vector<std::u16string> JS::taintargs(JSContext* cx, HandleValue val, bool fullArgs)
 {
   std::vector<std::u16string> args;
   bool isArray;
@@ -176,7 +176,7 @@ std::vector<std::u16string> JS::taintargs(JSContext* cx, HandleValue val)
       if (!JS_GetElement(cx, array, i, &v)) {
         continue;
       }
-      args.push_back(taintarg(cx, v));
+      args.push_back(taintarg(cx, v, fullArgs));
     }
   } else {
     args.push_back(taintarg(cx, val));
@@ -277,8 +277,8 @@ TaintLocation JS::TaintLocationFromContext(JSContext* cx)
   return TaintLocation(ascii2utf16(std::string(filename)), line, pos, scriptStartline, hash, taintarg(cx, function));
 }
 
-TaintOperation JS::TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleValue args) {
-  return TaintOperation(name, is_native, TaintLocationFromContext(cx), taintargs(cx, args));
+TaintOperation JS::TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleValue args, bool fullArgs) {
+  return TaintOperation(name, is_native, TaintLocationFromContext(cx), taintargs(cx, args, fullArgs));
 }
 
 TaintOperation JS::TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleString arg ) {

diff --git a/js/src/jstaint.h b/js/src/jstaint.h
@@ -41,13 +41,13 @@ std::u16string taintarg_jsstring_full(JSContext* cx, JSString* const& str);
 std::u16string taintarg(JSContext* cx, JS::HandleObject obj);
 
 // Converts a JS value into an argument string for a taint operation.
-std::u16string taintarg(JSContext* cx, JS::HandleValue str);
+std::u16string taintarg(JSContext* cx, JS::HandleValue val, bool fullArgs = false);
 
 // Converts an integer to a taint argument string.
 std::u16string taintarg(JSContext* cx, int32_t num);
 
 // Converts a JS Handle to a taint argument string.
-std::vector<std::u16string> taintargs(JSContext* cx, JS::HandleValue str);
+std::vector<std::u16string> taintargs(JSContext* cx, JS::HandleValue str, bool fullArgs);
 
 std::vector<std::u16string> taintargs(JSContext* cx, JS::HandleString str);
 
@@ -62,11 +62,11 @@ std::string convertDigestToHexString(const TaintMd5& digest);
 // Extracts the current filename, linenumber and function from the JSContext
 TaintLocation TaintLocationFromContext(JSContext* cx);
 
-TaintOperation TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleValue args);
+TaintOperation TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleValue args, bool fullArgs = false);
 
 TaintOperation TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleString arg);
 
-  TaintOperation TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleString arg1, JS::HandleString arg2);
+TaintOperation TaintOperationFromContext(JSContext* cx, const char* name, bool is_native, JS::HandleString arg1, JS::HandleString arg2);
 
 TaintOperation TaintOperationFromContextJSString(JSContext* cx, const char* name, bool is_native, JSString* const& str);