Fix location property for taint operations (fixes #321)#343
Conversation
|
Hi, sorry for the long delay. There seem to be some merge conflicts. Do you have any capacity to look into those? Based on the mochitests, the PR looks good to me, and we'd prefer to merge it before we have to do the great switchover to the original Mozilla upstream. |
|
Probably that's just a matter of rebasing and solving conflicts, I can do it within the day. Also, I would like to spend a bit of time to understand how to use the built-in JSON library in place of the third-party one. |
|
Hi, I just had a call with @tmbrbr, and our conclusion was that if you can resolve the merge issues by Friday, we're happy to merge this PR Afterwards, we will do a big rebase, as Firefox switched from Mercurial to Git and every Git commit hash changed, i.e., existing PRs require work on every end, we'd ask you to split out the native JSON stuff until we do the big rebase, or get it done by Friday, if it's easy. We're okay with including the external JSON library until it's clear whether we need it, but every open PR is work on our (or your) end after the rebase, so just fixing the merge issues and we can merge it before Friday sounds best to us. This gives you time to mess around with native JSON and does not put much time pressure on you. |
|
In the end I've managed to rebase with the latest main, now this PR should merge and Foxhound build. Instead, I haven't managed to replace the external JSON library with the built-in one, I can retry it after the big rebase. Remarkably, I've noticed that nlohmann/json was already included somewhere in the Firefox source (see https://github.com/SAP/project-foxhound/blob/main/intl/icu/source/tools/toolutil/json-json.hpp). My only concern is about the JS Rooting Hazards Analysis failing due to a missing model. |
In this pull request, we propose a solution for the empty taint location issue involving
XMLHttpRequest.response, or better, string literals in dynamically evaluated tainted scripts. Moreover, we fix empty taint locations forfetch.text()andfetch.json()taint operations, including those inJSON.parsetaint operations. Hence, this pull request fixes #321.First, we add nlohmann/json (taint/json.hpp), a popular and maintained library for JSON parsing and serialization. We decided to add it because Firefox internals only provide JSONWriter, not JSONReader, and the JSON features provided by the JS engine require a JSContext*. Update: we discovered that it is possible to instantiate an ad-hoc JSContext* for JSON parsing and serialization, however we maintained the implementation from #338.
Then, in Taint.h we declare the functions
ParseStringTaintandSerializeStringTaintto parse and serialize, respectively, the whole StringTaint data structure as a simplified JSON string. Their implementation in Taint.cpp is based on nlohmann/json.Finally, in Taint.h we replace the functions
ParseTaintwithParseStringTaintForE2EandserializeStringtaintwithSerializeStringTaintForE2Efor the end-to-end tainting. We rewrite the functions using nlohmann/json and thus discarding the custom JSON parser, while preserving the expected behavior of these functions.To fix empty taint locations for
fetch.text()andfetch.json()taint operations, we add an additional attribute to the JSContext struct, that we callfallbackTaintLocation. On TaintLocationFromContext, if it is not possible to create the TaintLocation from the given context, we get it from the fallbackTaintLocation. In this pull request, fallbackTaintLocation is set in the main thread, before BodyConsumer created by fetch logic is executed in another thread.Other
TaintOperation::sourceandTaintOperation::native.Differences from #338
fetch.text()andfetch.json()taint operations.