Report taint sink non string #8
Conversation
| JS_ReportTaintSink(cx, sink, arg, number.taint(), value, true); | ||
|
|
||
| } | ||
| else if(value.isObject()){ |
There was a problem hiding this comment.
I see what you want to do here, but this could be fairly spammy. Is this missing a check for taintedness?
There was a problem hiding this comment.
I do agree that it could be pretty spammy going over an object recursively to see if it is tainted. However, I don't see a better way of doing it. The JSObject does not hold a flag to say if it is tainted or not. So, to know if a value inside this object is tainted, we have to go over it recursively. On the bright side, this piece of code will not be called often. Most sinks like XML Http request will automatically convert JSObjects to nsACString before calling the report taint sinks.
Under the hood, XML Http request will take an object and do the equivalent of JSON.Stringify before calling the send function. So from a report taint sink perspective, it will see this as a string not an object and the the recursive code will not be called.
This change is to support the new sink that I have added for MessagePort.postMessage. This is one of the only sinks that sends the JSValue itself instead of the nsACString. For this case, we have to look over the object and check to see if it is tainted or not.
That being I am open to suggestions on how to make this code better. Maybe add a flag to JSObject to keep track if it is tainted or not?
Added the ability to report taint sinks that are not strings. In most cases, even if an object is sent to a sink, it is implicitly transformed into a string before going to the sink. However, there are some cases like messageport sink that send the JSValue itself without implicitly transforming it to a NSString. This PR deals with these cases.