The methods toLowerCase and normalize of String.prototype (see js/src/builtin/String.cpp) internally propagate taint by first extending the taint of the input string and then assigning the taint of the input string to the output string.
This causes the following JavaScript program (the behavior is the same if toLowerCase is replaced with normalize)

```js
let s = String.tainted("hello");
let t = s.toLowerCase();
console.log(s.taint);
```

to output this (actual):

```js
[{
  begin: 0,
  end: 5,
  flow: [
    { operation: "normalize", ... },
    { operation: "manual taint source", ... }
  ]
}]
```

rather than this (expected):

```js
[{
  begin: 0,
  end: 5,
  flow: [
    { operation: "manual taint source", ... }
  ]
}]
```
In the next days, I will create a PR with a mochitest and a solution attempt.
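As an added illustration (not code from the issue or from the engine's String.cpp), the following is a small JavaScript model of taint ranges that reproduces the defect described above next to the propagation order that avoids it; `makeRange`, `tainted`, `toLowerCaseBuggy`, `toLowerCaseFixed` and `flowOps` are all assumed names for this model.

```javascript
// Added example: a toy model of taint ranges, NOT the engine's own code.
// It shows why extending the input's taint in place and then sharing it
// with the output pollutes the caller's string, and the copy-first fix.

// A taint range: [begin, end) plus the operations the data flowed through,
// newest first (matching the order shown in the issue's output).
function makeRange(begin, end, operation) {
  return { begin, end, flow: [{ operation }] };
}

// A tainted string value: its text plus one range covering the whole text,
// originating from a manual taint source.
function tainted(text) {
  return { text, taint: [makeRange(0, text.length, "manual taint source")] };
}

// Buggy propagation, modelled on the reported behaviour: every range of the
// INPUT is extended in place, then the very same array object is attached to
// the output, so s.taint now carries a "toLowerCase" step it never went through.
function toLowerCaseBuggy(s) {
  for (const r of s.taint) r.flow.unshift({ operation: "toLowerCase" });
  return { text: s.text.toLowerCase(), taint: s.taint };
}

// Fixed propagation: deep-copy the input's ranges first, extend the copy,
// and attach only the copy to the output. The input's taint is left untouched.
function toLowerCaseFixed(s) {
  const copy = s.taint.map(r => ({
    begin: r.begin,
    end: r.end,
    flow: r.flow.map(f => ({ ...f })),
  }));
  for (const r of copy) r.flow.unshift({ operation: "toLowerCase" });
  return { text: s.text.toLowerCase(), taint: copy };
}

// Operation names recorded on a value's first taint range, newest first.
function flowOps(v) {
  return v.taint[0].flow.map(f => f.operation);
}
```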