Losing taints when using URLSearchParams

[leeN]

Proof of Concept code:

var params = "q=URLUtils." + String.tainted("searchParams") + "&"+ String.tainted("topic") + "=api";
let searchParams = new URLSearchParams(params);
for (let p of searchParams) {
  var key = p[0];
  var value = p[1];
  // Key should be tainted in first run
  // Value should be tainted in second run
}

[tmbrbr]

I though this had already been implemented, but it looks like the functionality got lost somewhere 😄

Need to make https://github.com/SAP/project-foxhound/blob/main/dom/url/URLSearchParams.cpp#L65 taint-aware.

[tmbrbr]

Digging around more, it seems that the values are tainted correctly, but the keys are not.

var params = "q=URLUtils." + String.tainted("searchParams") + "&"+ String.tainted("topic") + "=api";
searchParams = new URLSearchParams(params);
for (let p of searchParams) {
  var key = p[0];
  var value = p[1];
  console.info(key, key.taint)
  console.info(value, value.taint)
}

Gives:

q Array []
URLUtils.searchParams Array [ {…} ]
topic Array []
api Array []

where we would expect topic to also be tainted.

[tmbrbr]

Fixed in #39