Make StructuredClone Taint Aware#275
```cpp
    return printer.release(cx);
}

void JS::WriteTaintToJSON(const StringTaint& taint, js::JSONPrinter& json) {
```
Is this function duplicated from the TaintSpew code? If so could we re-use it here?
It has some changes, but I can unify them to avoid duplication!
Hmmm, there are some mochitests failing, but those seem to fail on the main branch as well. When logging the taints that get cloned, I noticed we taint a ton of stuff in the browser chrome. This makes sense, as the chrome is effectively HTML+JS as well, but this is something we might want to discuss. It eats some performance, as creating TaintOperations is fairly costly, and it is unclear to me whether these are flows we are interested in. I will investigate how to detect this and maybe make it configurable, i.e., have a flag to disable taint introduction when running inside the browser's chrome.
79132fd to 9b699b9
This change adds taint support to the StructuredClone machinery.
Before, the taint was lost when an object was copied either directly, by invoking `window.structuredClone()`, or indirectly, by sending a tainted value via postMessage.
This adds support to StructuredClone to send tainted values. It works as follows:
Based on the TaintSpew code I extracted a generic method to serialize `StringTaint` objects as JSON. When a tainted String is being cloned, we detect this and instead send a Tainted String, which essentially attaches a second string containing the serialized taint object.
On the receiver side, we detect this, deserialize the JSON to a `StringTaint` (the majority of this PR actually) and attach it to the returned string.
In the JS shell this can be tested as follows:
```javascript
// Clone a concatenation of two tainted strings; the taint ranges come back
// attached to the deserialized string.
o = serialize(String.tainted("foo") + " - " + String.tainted("bar"));
o2 = deserialize(o);
o2.taint
// Tainted strings nested inside an object are handled the same way.
o3 = serialize({k: String.tainted("bar"), kkk: "value"});
o4 = deserialize(o3);
o4.k.taint
```
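The following is a user-land JavaScript model of the mechanism the description above spells out, added here as an illustration; it is not code from this PR or from the project it targets. It assumes a taint layout of `{begin, end, flow}` ranges, which the page does not show, and the names `tainted`, `concat`, `serializeWithTaint`, `deserializeWithTaint`, `attachTaint` and the `$taintedString` tag are inventions for the example. The receiver validates the decoded ranges against the string before reattaching them, a check worth having whenever taint metadata crosses a serialization boundary.

```javascript
// Added illustration, not code from this PR or the project it targets: a
// user-land model of taint-preserving structured clone. The taint layout
// used here (ranges of {begin, end, flow}) is an ASSUMPTION made for
// illustration; the real StringTaint/TaintOperation fields are not on the page.

// Taint a whole string, recording where it came from.
function tainted(str, source) {
  const s = new String(str);
  s.taint = [{ begin: 0, end: str.length, flow: [{ operation: "source", source }] }];
  return s;
}

// Concatenate parts, shifting each part's taint ranges to their new offsets
// and appending a "concat" operation to every propagated range.
function concat(...parts) {
  let out = "";
  const taint = [];
  for (const part of parts) {
    const text = String(part);
    for (const r of part.taint || []) {
      taint.push({ begin: r.begin + out.length, end: r.end + out.length,
                   flow: [...r.flow, { operation: "concat" }] });
    }
    out += text;
  }
  const s = new String(out);
  if (taint.length) s.taint = taint;
  return s;
}

// Tag for the record that stands in for the PR's "Tainted String". A real
// engine uses a distinct tag in the clone buffer that user data cannot
// collide with; this JSON model can collide, an accepted limitation here.
const TAINTED_TAG = "$taintedString";

// Sender side: a tainted string becomes a record carrying its text plus a
// second string holding the JSON-encoded taint; plain values pass unchanged.
function serializeWithTaint(value) {
  return JSON.stringify(value, (key, v) => {
    if (v instanceof String && Array.isArray(v.taint)) {
      return { [TAINTED_TAG]: true, value: v.valueOf(), taint: JSON.stringify(v.taint) };
    }
    return v;
  });
}

// Receiver side: decode the taint JSON and reattach it to a fresh string.
function deserializeWithTaint(text) {
  return JSON.parse(text, (key, v) => {
    if (v !== null && typeof v === "object" && v[TAINTED_TAG] === true) {
      return attachTaint(v.value, JSON.parse(v.taint));
    }
    return v;
  });
}

// The taint arrives as data, so validate it before trusting it: every range
// must be an integer interval inside the string and carry a flow list.
function attachTaint(str, taint) {
  if (typeof str !== "string" || !Array.isArray(taint)) {
    throw new TypeError("tainted record needs a string value and a taint array");
  }
  for (const r of taint) {
    const ok = Number.isInteger(r.begin) && Number.isInteger(r.end) &&
               r.begin >= 0 && r.begin < r.end && r.end <= str.length &&
               Array.isArray(r.flow);
    if (!ok) throw new RangeError(`bad taint range ${JSON.stringify(r)} for "${str}"`);
  }
  const s = new String(str);
  s.taint = taint;
  return s;
}

// Round trip mirroring the JS shell session above; the sources are made up.
function demo() {
  const joined = concat(tainted("foo", "location.hash"), " - ", tainted("bar", "document.referrer"));
  const o2 = deserializeWithTaint(serializeWithTaint(joined));
  const o4 = deserializeWithTaint(serializeWithTaint({ k: tainted("bar", "location.search"), kkk: "value" }));
  return { o2, o4 };
}
```

Unlike the engine's clone buffer, this JSON model does not preserve non-JSON types (Dates, Maps, cycles), and its tag lives in the same namespace as user data; it exists only to show the sender-side detection, the second string carrying the taint, and the receiver-side validation and reattachment.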
9b699b9 to 3a7d24f