When a string has multiple taint flows (e.g., as a result of a concatenation of tainted strings), and then that string gets JSON.stringify-ed, the taint range assignment for the resulting string is incorrect.
For example, consider the following code:
let s1 = String.tainted('abcd', 't1') + String.tainted('efgh', 't2'); // 'abcdefgh'
let s2 = s1.substring(2, 6); // 'cdef' (two characters from each taint source)
let s3 = JSON.stringify(s2); // '"cdef"'
s3.taint
Expected:
[
{ begin: 1, end: 3, flow: [..., { operation: 't1', ... }] },
{ begin: 3, end: 5, flow: [..., { operation: 't2', ... }] }
]
Actual:
[
{ begin: 1, end: 3, flow: [..., { operation: 't1', ... }] },
{ begin: 4, end: 5, flow: [..., { operation: 't2', ... }] }
]
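A reference model of how the ranges are expected to move through concatenation, substring and JSON.stringify, added here as an illustration; it is not code from the taint-tracking engine, and `tainted`, `concat`, `substring` and `stringify` are assumed stand-ins for the engine's operations. It goes slightly beyond the report by also mapping boundaries correctly when JSON.stringify has to escape characters.

```javascript
// Added reference model (not the engine's code): taint ranges are half-open
// [begin, end) offsets into the string, each carrying a list of flow labels.
function tainted(str, label) {
  return { str, taint: [{ begin: 0, end: str.length, flow: [label] }] };
}

// Concatenation keeps the left operand's ranges and shifts the right
// operand's ranges by the left operand's length.
function concat(a, b) {
  const shift = a.str.length;
  const shifted = b.taint.map(r => ({ ...r, begin: r.begin + shift, end: r.end + shift }));
  return { str: a.str + b.str, taint: [...a.taint, ...shifted] };
}

// substring(from, to) clips every range to [from, to), drops empty ones and
// rebases the survivors so that offset 0 is the start of the new string.
function substring(t, from, to) {
  const taint = [];
  for (const r of t.taint) {
    const begin = Math.max(r.begin, from);
    const end = Math.min(r.end, to);
    if (begin < end) taint.push({ ...r, begin: begin - from, end: end - from });
  }
  return { str: t.str.substring(from, to), taint };
}

// JSON.stringify of a string adds an opening quote and may expand characters
// into escape sequences, so each range boundary must be mapped to the output
// offset of the same source character. Encoding the prefix up to the boundary
// and dropping its closing quote gives exactly that offset (1 when nothing is
// escaped). Assumes boundaries do not split a surrogate pair.
function stringify(t) {
  const pos = i => JSON.stringify(t.str.slice(0, i)).length - 1;
  const taint = t.taint.map(r => ({ ...r, begin: pos(r.begin), end: pos(r.end) }));
  return { str: JSON.stringify(t.str), taint };
}

// The report's scenario: 'abcdefgh' -> 'cdef' -> '"cdef"'.
function reportScenario() {
  const s1 = concat(tainted('abcd', 't1'), tainted('efgh', 't2'));
  const s2 = substring(s1, 2, 6);
  return stringify(s2); // expected ranges: [1,3) for t1 and [3,5) for t2
}

// Compact [begin, end, first flow label] view of the ranges.
function ranges(t) {
  return t.taint.map(r => [r.begin, r.end, r.flow[0]]);
}

console.log(reportScenario().str, JSON.stringify(ranges(reportScenario())));
```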