Adding Primitive Tainting

dom/bindings/Codegen.py

@@ -53,12 +53,40 @@
 NEW_ENUMERATE_HOOK_NAME = "_newEnumerate"
 ENUM_ENTRY_VARIABLE_NAME = "strings"
 INSTANCE_RESERVED_SLOTS = 1
+PREFERENCE_PREFIX = "tainting.source."
+
 
 # This size is arbitrary. It is a power of 2 to make using it as a modulo
 # operand cheap, and is usually around 1/3-1/5th of the set size (sometimes
 # smaller for very large sets).
 GLOBAL_NAMES_PHF_SIZE = 256
 
+def format_preference_entry(taintSource):
+    return "%s%s" % (PREFERENCE_PREFIX, taintSource)
+
+def format_preference(taintSource):
+    return (
+        "pref(\"%s\", true);"
+        % (format_preference_entry(taintSource))
+    )
+
+def maybe_add_preference(taintSource):
+    import pathlib
+    root = pathlib.Path(__file__).parent.parent.parent.resolve()
+    prefs = root / 'modules' / 'libpref' / 'init' / 'all.js'
+    prefs = prefs.resolve()
+    if(prefs.exists()):
+        preference_entry = format_preference_entry(taintSource)
+        with prefs.open(mode='r+') as pf:
+            if preference_entry in pf.read():
+                print("%s already defined in %s... Skipping...\n" % (preference_entry, prefs))
+            else:
+                pf.write("%s\n" % (format_preference(taintSource)))
+                print("Added preference '%s' to '%s'..\n" % (preference_entry, prefs))
+        return True
+    else:
+        print("Preference file does not exist: %s!\n"% prefs)
+        return False
 
 def memberReservedSlot(member, descriptor):
     return (
@@ -7740,6 +7768,7 @@ def getWrapTemplateForType(
     exceptionCode,
     spiderMonkeyInterfacesAreStructs,
     isConstructorRetval=False,
+    taintSource=None
 ):
     """
     Reflect a C++ value stored in "result", of IDL type "type" into JS.  The
@@ -7819,6 +7848,19 @@ def _setValue(value, wrapAsType=None, setter="set"):
                 exceptionCode=exceptionCode,
                 successCode=successCode,
             )
+        # Attach taint metadata to the return value if it is a source
+        if taintSource is not None:
+            print("Generating taint source:", taintSource)
+            maybe_add_preference(taintSource)
+            taintHandler = dedent(
+                (
+                    """
+                    // Add taint source
+                    MarkTaintSource(cx, ${jsvalRef}, "%s");
+                    """
+                    % (taintSource))
+            )
+            tail = taintHandler + tail
         return ("${jsvalRef}.%s(%s);\n" % (setter, value)) + tail
 
     def wrapAndSetPtr(wrapCall, failureCode=None):
@@ -7828,16 +7870,32 @@ def wrapAndSetPtr(wrapCall, failureCode=None):
         """
         if failureCode is None:
             failureCode = exceptionCode
+
+        # TaintFox: create source code for tainting wrapped return value
+        markTaintSnippet = ""
+        if taintSource is not None:
+            print("Generating taint source for wrapped value:", taintSource)
+            maybe_add_preference(taintSource)
+            markTaintSnippet = dedent(
+                f"""
+                // Add taint source for wrapped value
+                MarkTaintSource(cx, args.rval(), "{taintSource}");"""
+            )
+
         return fill(
             """
             if (!${wrapCall}) {
               $*{failureCode}
             }
+
+            ${markTaintSnippet}
+
             $*{successCode}
             """,
             wrapCall=wrapCall,
             failureCode=failureCode,
             successCode=successCode,
+            markTaintSnippet=markTaintSnippet,
         )
 
     if type is None or type.isUndefined():
@@ -8259,7 +8317,7 @@ def wrapAndSetPtr(wrapCall, failureCode=None):
         raise TypeError("Need to learn to wrap primitive: %s" % type)
 
 
-def wrapForType(type, descriptorProvider, templateValues):
+def wrapForType(type, descriptorProvider, templateValues, taintSource = None):
     """
     Reflect a C++ value of IDL type "type" into JS.  TemplateValues is a dict
     that should contain:
@@ -8302,6 +8360,7 @@ def wrapForType(type, descriptorProvider, templateValues):
         templateValues.get("exceptionCode", "return false;\n"),
         templateValues.get("spiderMonkeyInterfacesAreStructs", False),
         isConstructorRetval=templateValues.get("isConstructorRetval", False),
+        taintSource=taintSource
     )[0]
 
     defaultValues = {"obj": "obj"}
@@ -9042,6 +9101,10 @@ def __init__(
         self.setSlot = (
             not dontSetSlot and idlNode.isAttr() and idlNode.slotIndices is not None
         )
+
+        # Taintfox: create a label for the taint source
+        self.taintSource = GetLabelForErrorReporting(descriptor, idlNode, isConstructor) if  memberIsTaintSource(self.idlNode) else None
+
         cgThings = []
 
         deprecated = idlNode.getExtendedAttribute("Deprecated") or (
@@ -9542,7 +9605,7 @@ def wrap_return_value(self):
             "obj": "conversionScope" if self.setSlot else "obj",
         }
 
-        wrapCode += wrapForType(self.returnType, self.descriptor, resultTemplateValues)
+        wrapCode += wrapForType(self.returnType, self.descriptor, resultTemplateValues, self.taintSource)
 
         if self.setSlot:
             if self.idlNode.isStatic():
@@ -11015,6 +11078,11 @@ def __init__(
         errorReportingLabel=None,
         additionalArg=None,
     ):
+
+        # TaintFox: Check if return value should de marked as taint source and
+        # get name for taint source if needed
+        self.taintSource = errorReportingLabel if  memberIsTaintSource(attr) else None
+
         self.nativeName = nativeName
         self.errorReportingLabel = errorReportingLabel
         self.additionalArgs = [] if additionalArg is None else [additionalArg]
@@ -11147,6 +11215,18 @@ def definition_body(self):
                     slotIndex=memberReservedSlot(self.attr, self.descriptor),
                 )
 
+            # TaintFox: create source code for tainting cached return value
+            markTaintSnippet = ""
+            if self.taintSource is not None:
+                print("Generating taint source for cached value:", self.taintSource)
+                maybe_add_preference(self.taintSource)
+                markTaintSnippet = dedent(
+                    f"""
+                    // Add taint source for cached value
+                    MarkTaintSource(cx, args.rval(), "{self.taintSource}");"""
+                )
+
+
             prefix += fill(
                 """
                 MOZ_ASSERT(JSCLASS_RESERVED_SLOTS(JS::GetClass(slotStorage)) > slotIndex);
@@ -11155,13 +11235,17 @@ def definition_body(self):
                   JS::Value cachedVal = JS::GetReservedSlot(slotStorage, slotIndex);
                   if (!cachedVal.isUndefined()) {
                     args.rval().set(cachedVal);
+
+                    ${markTaintSnippet}
+
                     // The cached value is in the compartment of slotStorage,
                     // so wrap into the caller compartment as needed.
                     return ${maybeWrap}(cx, args.rval());
                   }
                 }
 
                 """,
+                markTaintSnippet=markTaintSnippet,
                 maybeWrap=getMaybeWrapValueFuncForType(self.attr.type),
             )
 
@@ -11743,6 +11827,9 @@ def error_reporting_label(self):
 def memberReturnsNewObject(member):
     return member.getExtendedAttribute("NewObject") is not None
 
+def memberIsTaintSource(member):
+    # Taintfox: check if this function is marked as a taint source:
+    return member.getExtendedAttribute("TaintSource") is not None
 
 class CGMemberJITInfo(CGThing):
     """
@@ -19035,9 +19122,19 @@ def descriptorClearsPropsInSlots(descriptor):
                 for m in descriptor.interface.members
             )
 
+        def hasAtLeastOneTaintsource(descriptor):
+            return any(
+                (m.isAttr() or m.isMethod()) and m.getExtendedAttribute("TaintSource")
+                for m in descriptor.interface.members
+            )
+
         bindingHeaders["nsJSUtils.h"] = any(
             descriptorClearsPropsInSlots(d) for d in descriptors
         )
+
+        bindingHeaders["nsTaintingUtils.h"] = any(
+            hasAtLeastOneTaintsource(d) for d in descriptors
+        )
 
         # Make sure we can sanely use binding_detail in generated code.
         cgthings = [

dom/bindings/parser/WebIDL.py

@@ -5722,6 +5722,7 @@ def handleExtendedAttribute(self, attr):
             or identifier == "BinaryName"
             or identifier == "NonEnumerable"
             or identifier == "BindingTemplate"
+            or identifier == "TaintSource"  # Taintfox added
         ):
             # Known attributes that we don't need to do anything with here
             pass
@@ -6743,6 +6744,7 @@ def handleExtendedAttribute(self, attr):
             or identifier == "NonEnumerable"
             or identifier == "Unexposed"
             or identifier == "WebExtensionStub"
+            or identifier == "TaintSource"  # Taintfox added
         ):
             # Known attributes that we don't need to do anything with here
             pass

dom/webidl/AudioContext.webidl

@@ -25,7 +25,9 @@ interface AudioContext : BaseAudioContext {
     [Throws]
     constructor(optional AudioContextOptions contextOptions = {});
 
+    [TaintSource]
     readonly        attribute double               baseLatency;
+    [TaintSource]
     readonly        attribute double               outputLatency;
     AudioTimestamp                  getOutputTimestamp();
 

dom/webidl/AudioDestinationNode.webidl

@@ -14,6 +14,7 @@
  Exposed=Window]
 interface AudioDestinationNode : AudioNode {
 
+    [TaintSource]
     readonly attribute unsigned long maxChannelCount;
 
 };

dom/webidl/AudioNode.webidl

@@ -51,11 +51,13 @@ interface AudioNode : EventTarget {
     undefined disconnect(AudioParam destination, unsigned long output);
 
     readonly attribute BaseAudioContext context;
+    [TaintSource]
     readonly attribute unsigned long numberOfInputs;
+    [TaintSource]
     readonly attribute unsigned long numberOfOutputs;
 
     // Channel up-mixing and down-mixing rules for all inputs.
-    [SetterThrows]
+    [SetterThrows, TaintSource]
     attribute unsigned long channelCount;
     [SetterThrows, BinaryName="channelCountModeValue"]
     attribute ChannelCountMode channelCountMode;

dom/webidl/BaseAudioContext.webidl

@@ -22,7 +22,9 @@ enum AudioContextState {
 [Exposed=Window]
 interface BaseAudioContext : EventTarget {
     readonly        attribute AudioDestinationNode destination;
+    [TaintSource]
     readonly        attribute float                sampleRate;
+    [TaintSource]
     readonly        attribute double               currentTime;
     readonly        attribute AudioListener        listener;
     readonly        attribute AudioContextState    state;

dom/webidl/HTMLCanvasElement.webidl

@@ -26,7 +26,7 @@ interface HTMLCanvasElement : HTMLElement {
   [Throws]
   nsISupports? getContext(DOMString contextId, optional any contextOptions = null);
 
-  [Throws, NeedsSubjectPrincipal]
+  [Throws, NeedsSubjectPrincipal, TaintSource]
   DOMString toDataURL(optional DOMString type = "",
                       optional any encoderOptions);
   [Throws, NeedsSubjectPrincipal]

dom/webidl/HTMLElement.webidl

@@ -89,7 +89,9 @@ partial interface HTMLElement {
   readonly attribute Element? offsetParent;
   readonly attribute long offsetTop;
   readonly attribute long offsetLeft;
+  [TaintSource]
   readonly attribute long offsetWidth;
+  [TaintSource]
   readonly attribute long offsetHeight;
 };
 

dom/webidl/History.webidl

@@ -15,7 +15,7 @@ enum ScrollRestoration { "auto", "manual" };
 
 [Exposed=Window]
 interface History {
-  [Throws]
+  [Throws, TaintSource]
   readonly attribute unsigned long length;
   [Throws]
   attribute ScrollRestoration scrollRestoration;

dom/webidl/MediaDeviceInfo.webidl

@@ -16,9 +16,13 @@ enum MediaDeviceKind {
 [Func="Navigator::HasUserMediaSupport",
  Exposed=Window]
 interface MediaDeviceInfo {
+  [TaintSource]
   readonly attribute DOMString       deviceId;
+  [TaintSource]
   readonly attribute MediaDeviceKind kind;
+  [TaintSource]
   readonly attribute DOMString       label;
+  [TaintSource]
   readonly attribute DOMString       groupId;
 
   [Default] object toJSON();

dom/webidl/MimeType.webidl

@@ -6,8 +6,11 @@
 
 [Exposed=Window]
 interface MimeType {
+  [TaintSource]
   readonly attribute DOMString type;
+  [TaintSource]
   readonly attribute DOMString description;
+  [TaintSource]
   readonly attribute DOMString suffixes;
   readonly attribute Plugin enabledPlugin;
 };