https://bugs.webkit.org/show_bug.cgi?id=242537
rdar://83222586

Reviewed by Yusuke Suzuki.

This patch adds the core structure of what's needed to do taintedness tracking in JSC. This allows us to track tainted code even through eval assuming there isn't support from untainted code.

In order to maintain performance of untainted code we add a bit to the VM which tells us if tainted code has run this event loop turn. This allows checkers of taintedness to skip a stack walk in the common case where there's no tainted code running.

* JSTests/stress/taintedness-tracking-inlining.js: Added. (foo): (setTimeout):
* JSTests/stress/taintedness-tracking.js: Added. (check): (callArg): (Promise.resolve.then): (setTimeout): (let.evalFunc.vm.runTaintedString): (setTimeout.globalThis.foo.set bar):
* LayoutTests/js/taintedness-innerhtml-expected.txt: Added.
* LayoutTests/js/taintedness-innerhtml.html: Added.
* LayoutTests/js/taintedness-settimeout-expected.txt: Added.
* LayoutTests/js/taintedness-settimeout.html: Added.
* Source/JavaScriptCore/API/JSBase.cpp: (JSEvaluateScript): (JSCheckScriptSyntax):
* Source/JavaScriptCore/API/JSObjectRef.cpp: (JSObjectMakeFunction):
* Source/JavaScriptCore/API/JSScript.mm: (-[JSScript sourceCode]):
* Source/JavaScriptCore/API/JSScriptRef.cpp:
* Source/JavaScriptCore/API/glib/JSCContext.cpp: (jsc_context_check_syntax):
* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Scripts/wkbuiltins/builtins_templates.py: (BuiltinsGeneratorTemplates):
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/builtins/BuiltinExecutables.cpp: (JSC::BuiltinExecutables::BuiltinExecutables): (JSC::BuiltinExecutables::defaultConstructorSourceCode):
* Source/JavaScriptCore/bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock):
* Source/JavaScriptCore/bytecode/CodeBlock.h: (JSC::CodeBlock::couldBeTainted const):
* Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::inliningCost):
* Source/JavaScriptCore/dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compileEntry):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lower):
* Source/JavaScriptCore/inspector/InjectedScriptManager.cpp:
* Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp: (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
* Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp: (Inspector::InspectorRuntimeAgent::parse):
* Source/JavaScriptCore/interpreter/Interpreter.cpp: (JSC::eval): (JSC::Interpreter::executeProgram):
* Source/JavaScriptCore/interpreter/Interpreter.h:
* Source/JavaScriptCore/jit/JITOpcodes.cpp: (JSC::JIT::emit_op_enter):
* Source/JavaScriptCore/jsc.cpp: (GlobalObject::moduleLoaderFetch): (JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/parser/SourceCode.h: (JSC::makeSource):
* Source/JavaScriptCore/parser/SourceProvider.cpp: (JSC::SourceProvider::SourceProvider): (JSC::BaseWebAssemblySourceProvider::BaseWebAssemblySourceProvider):
* Source/JavaScriptCore/parser/SourceProvider.h: (JSC::SourceProvider::setSourceTaintedOrigin): (JSC::SourceProvider::sourceTaintedOrigin const): (JSC::SourceProvider::couldBeTainted const): (JSC::StringSourceProvider::create): (JSC::StringSourceProvider::StringSourceProvider):
* Source/JavaScriptCore/parser/SourceTaintedOrigin.cpp: Added. (JSC::sourceTaintedOriginToString): (JSC::sourceTaintedOriginFromStack): (JSC::computeNewSourceTaintedOriginFromStack):
* Source/JavaScriptCore/parser/SourceTaintedOrigin.h: Added. (JSC::taintednessToTriState):
* Source/JavaScriptCore/runtime/CachedTypes.cpp: (JSC::CachedSourceProviderShape::encode): (JSC::CachedSourceProviderShape::decode const): (JSC::CachedStringSourceProvider::decode const):
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp: (JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* Source/JavaScriptCore/runtime/Forward.h:
* Source/JavaScriptCore/runtime/FunctionConstructor.cpp: (JSC::constructFunction): (JSC::constructFunctionSkippingEvalEnabledCheck):
* Source/JavaScriptCore/runtime/FunctionConstructor.h:
* Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/ShadowRealmPrototype.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/VM.h: (JSC::VM::mightBeExecutingTaintedCode const): (JSC::VM::addressOfMightBeExecutingTaintedCode): (JSC::VM::setMightBeExecutingTaintedCode): (JSC::VM::finalizeSynchronousJSExecution):
* Source/JavaScriptCore/tools/FunctionOverrides.cpp: (JSC::initializeOverrideInfo):
* Source/JavaScriptCore/tools/JSDollarVM.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): (JSC::JSDollarVM::finishCreation):
* Source/WebCore/bindings/js/CachedScriptSourceProvider.h: (WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
* Source/WebCore/bindings/js/JSLazyEventListener.cpp: (WebCore::JSLazyEventListener::JSLazyEventListener): (WebCore::JSLazyEventListener::initializeJSFunction const):
* Source/WebCore/bindings/js/JSLazyEventListener.h:
* Source/WebCore/bindings/js/RunJavaScriptParameters.h: (WebCore::RunJavaScriptParameters::RunJavaScriptParameters): (WebCore::RunJavaScriptParameters::encode const): (WebCore::RunJavaScriptParameters::decode):
* Source/WebCore/bindings/js/ScheduledAction.cpp: (WebCore::ScheduledAction::ScheduledAction): (WebCore::ScheduledAction::execute):
* Source/WebCore/bindings/js/ScheduledAction.h:
* Source/WebCore/bindings/js/ScriptBufferSourceProvider.h:
* Source/WebCore/bindings/js/ScriptController.cpp: (WebCore::ScriptController::executeScriptIgnoringException): (WebCore::ScriptController::executeScriptInWorldIgnoringException): (WebCore::ScriptController::executeScriptInWorld): (WebCore::ScriptController::callInWorld): (WebCore::ScriptController::executeUserAgentScriptInWorld): (WebCore::ScriptController::executeJavaScriptURL):
* Source/WebCore/bindings/js/ScriptController.h:
* Source/WebCore/bindings/js/ScriptSourceCode.h: (WebCore::ScriptSourceCode::ScriptSourceCode):
* Source/WebCore/bridge/objc/WebScriptObject.mm: (-[WebScriptObject evaluateWebScript:]):
* Source/WebCore/contentextensions/ContentExtensionsBackend.cpp: (WebCore::ContentExtensions::ContentExtensionsBackend::processContentRuleListsForLoad):
* Source/WebCore/css/DOMCSSPaintWorklet.cpp: (WebCore::PaintWorklet::addModule):
* Source/WebCore/dom/Document.cpp: (WebCore::Document::ensurePlugInsInjectedScript):
* Source/WebCore/dom/ScriptElement.cpp: (WebCore::ScriptElement::ScriptElement): (WebCore::ScriptElement::prepareScript): (WebCore::ScriptElement::requestModuleScript): (WebCore::ScriptElement::executePendingScript):
* Source/WebCore/dom/ScriptElement.h: (WebCore::ScriptElement::sourceTaintedOrigin const):
* Source/WebCore/html/HTMLMediaElement.cpp: (WebCore::HTMLMediaElement::ensureMediaControls):
* Source/WebCore/html/parser/HTMLScriptRunner.cpp: (WebCore::HTMLScriptRunner::runScript):
* Source/WebCore/inspector/InspectorFrontendAPIDispatcher.cpp: (WebCore::InspectorFrontendAPIDispatcher::evaluateExpression):
* Source/WebCore/inspector/InspectorFrontendHost.cpp: (WebCore::InspectorFrontendHost::evaluateScriptInExtensionTab):
* Source/WebCore/inspector/agents/InspectorPageAgent.cpp: (WebCore::InspectorPageAgent::didClearWindowObjectInWorld):
* Source/WebCore/loader/DocumentLoader.cpp: (WebCore::DocumentLoader::handleContentFilterDidBlock):
* Source/WebCore/page/LocalFrame.cpp: (WebCore::LocalFrame::injectUserScriptImmediately):
* Source/WebCore/testing/Internals.cpp: (WebCore::Internals::evaluateInWorldIgnoringException):
* Source/WebCore/xml/XMLTreeViewer.cpp: (WebCore::XMLTreeViewer::transformDocumentToTreeView):
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp: (WebCore::XMLDocumentParser::endElementNs):
* Source/WebKit/DerivedSources-output.xcfilelist:
* Source/WebKit/UIProcess/API/C/WKPage.cpp: (WKPageRunJavaScriptInMainFrame):
* Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm: (-[WKWebView _evaluateJavaScript:asAsyncFunction:withSourceURL:withArguments:forceUserGesture:inFrame:inWorld:completionHandler:]):
* Source/WebKitLegacy/mac/WebView/WebFrame.mm: (-[WebFrame _stringByEvaluatingJavaScriptFromString:forceUserGesture:]):
* Source/WebKitLegacy/mac/WebView/WebView.mm: (-[WebView aeDescByEvaluatingJavaScriptFromString:]):

Canonical link: https://commits.webkit.org/267765@main
Showing 77 changed files with 598 additions and 114 deletions.
@@ -0,0 +1,21 @@ | ||
//@ requireOptions("--forceDiskCache=0") | ||
// $vm doesn't have a source provider that can cache to disk. Skip that testing configuration. | ||
|
||
$vm.runTaintedString("function taintedFunc() { return $vm.vmTaintedState(); }"); | ||
|
||
function foo() { | ||
return taintedFunc(); | ||
} | ||
noInline(foo); | ||
|
||
for (let i = 0; i < 1e5; ++i) { | ||
let state = foo(); | ||
if (state !== "KnownTainted") | ||
throw new Error(state); | ||
} | ||
|
||
setTimeout(() => { | ||
let state = foo(); | ||
if (state !== "KnownTainted") | ||
throw new Error(state); | ||
}); |
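Review bot: nothing in this file verifies that the `taintedFunc()` call inside `foo` was actually inlined, so the `JSC::DFG::ByteCodeParser::inliningCost` change this test is listed against in the commit message would still pass if the DFG simply declined to inline the tainted callee. A short comment stating what the `1e5` loop is meant to exercise (the caller `foo` is pinned with `noInline(foo)` while the callee is left inlinable, and the result must stay `KnownTainted` at every tier) would make that intent reviewable; if $vm exposes a way to check the compiled tier, asserting on it would make the test actually fail on a regression. Also, the trailing `setTimeout` callback has no completion marker, so a callback that never fires would go unnoticed.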
@@ -0,0 +1,68 @@ | ||
//@ requireOptions("--forceDiskCache=0") | ||
// $vm doesn't have a source provider that can cache to disk. Skip that testing configuration. | ||
|
||
function check(expected, state = $vm.vmTaintedState()) { | ||
if (expected != state) | ||
throw new Error("Expected " + expected + " but state was " + state); | ||
|
||
} | ||
|
||
check("Untainted"); | ||
|
||
function callArg(foo) { return foo(); } | ||
let state = callArg($vm.vmTaintedState) | ||
check("Untainted", state); | ||
|
||
state = $vm.runTaintedString("function taintedFunc() { return $vm.vmTaintedState(); } $vm.vmTaintedState()"); | ||
check("KnownTainted", state); | ||
check("IndirectlyTaintedByHistory"); | ||
|
||
let func = Function("return $vm.vmTaintedState();"); | ||
|
||
Promise.resolve().then(() => { | ||
check("IndirectlyTaintedByHistory"); | ||
}); | ||
|
||
setTimeout(() => { | ||
check("Untainted"); | ||
state = func(); | ||
check("IndirectlyTaintedByHistory", state); | ||
check("IndirectlyTaintedByHistory"); | ||
}); | ||
|
||
setTimeout(() => { | ||
state = taintedFunc(); | ||
check("KnownTainted", state); | ||
check("IndirectlyTaintedByHistory"); | ||
}); | ||
|
||
let evalFunc = $vm.runTaintedString(`(function() { | ||
return eval("Function('return $vm.vmTaintedState();')"); | ||
})`); | ||
|
||
setTimeout(() => { | ||
let func = evalFunc(); | ||
setTimeout(() => { | ||
check("IndirectlyTainted", func()); | ||
}); | ||
}); | ||
|
||
setTimeout(() => { | ||
// Test JSONP code paths, which can create code via setters. | ||
check("Untainted"); | ||
globalThis.foo = { set bar(value) { this.baz = eval(value); }} | ||
$vm.runTaintedString("foo.bar = '(function() { return $vm.vmTaintedState(); })'"); | ||
check("IndirectlyTaintedByHistory"); | ||
setTimeout(() => { | ||
check("Untainted"); | ||
state = foo.baz(); | ||
check("IndirectlyTainted", state); | ||
check("IndirectlyTaintedByHistory"); | ||
}) | ||
}); | ||
|
||
setTimeout(() => { | ||
state = $vm.runTaintedString("callArg($vm.vmTaintedState)"); | ||
check("KnownTainted", state); | ||
}); | ||
|
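Review bot: `check` compares with `!=` (`if (expected != state)`) while every other comparison in the new tests is strict string equality; use `!==` so a non-string return from `$vm.vmTaintedState()` fails loudly instead of coercing. Two expectations pin subtle behaviour without saying so and deserve a comment: the `Promise.resolve().then` block asserting `IndirectlyTaintedByHistory` relies on microtasks still seeing the per-turn tainted bit before it is cleared, and `func` created with `Function("return $vm.vmTaintedState();")` from untainted code after the tainted string ran is expected to report `IndirectlyTaintedByHistory` when called in a later `setTimeout`, i.e. the taint is stamped at creation time. Minor: `let state = callArg($vm.vmTaintedState)` and the inner `})` in the JSONP block are missing semicolons.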
@@ -0,0 +1,14 @@ | ||
Test taintedness is tracked via several ways to inject scripts in WebCore | ||
|
||
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". | ||
|
||
|
||
PASS $vm.vmTaintedState() is "Untainted" | ||
PASS $vm.vmTaintedState() is "KnownTainted" | ||
PASS $vm.vmTaintedState() is "Untainted" | ||
PASS $vm.vmTaintedState() is "IndirectlyTainted" | ||
PASS $vm.vmTaintedState() is "IndirectlyTainted" | ||
PASS successfullyParsed is true | ||
|
||
TEST COMPLETE | ||
; |
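Review bot: all five PASS lines carry the identical text `$vm.vmTaintedState() is ...`, so a regression cannot be matched back to its injection path (the `innerHTML` `onerror` handler, the `script.text` set inside the tainted string, or the script element appended from untainted code) from the expected file alone; a `debug()` line naming the scenario before each `shouldBeEqualToString` call would make the expectation self-describing. Please also confirm that the stray `;` on the final line is really part of the expected output and not a leftover.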
@@ -0,0 +1,45 @@ | ||
<!DOCTYPE html><!-- webkit-test-runner [ jscOptions=--useDollarVM=true ] --> | ||
<html> | ||
<head> | ||
<script src="../resources/js-test.js"></script> | ||
</head> | ||
<body> | ||
<div id="foo"></div> | ||
<script> | ||
description("Test taintedness is tracked via several ways to inject scripts in WebCore"); | ||
// jsTestIsAsync = true; | ||
|
||
|
||
let foo = document.getElementById("foo"); | ||
|
||
shouldBeKnownTaintedString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'KnownTainted\\')"; | ||
shouldBeIndirectlyTaintedString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTainted\\')"; | ||
shouldBeIndirectlyTaintedByHistoryString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTaintedByHistory\\')"; | ||
// state is IndirectlyTainted because the function itself is created in the innerHTML function not the runTaintedString call and we don't have a JS frame on the stack for taintedness tracking as this is executed as JSONP. | ||
$vm.runTaintedString(` | ||
foo.innerHTML = '<img src="x" onerror="${shouldBeIndirectlyTaintedString}" />;'; | ||
`); | ||
|
||
setTimeout(() => { | ||
shouldBeEqualToString("$vm.vmTaintedState()", "Untainted"); | ||
$vm.runTaintedString(` | ||
let some_script = document.createElement("script"); | ||
some_script.type = "text/javascript"; | ||
some_script.text = "${shouldBeKnownTaintedString}"; | ||
document.body.appendChild(some_script); | ||
`); | ||
}); | ||
|
||
setTimeout(() => { | ||
shouldBeEqualToString("$vm.vmTaintedState()", "Untainted"); | ||
$vm.runTaintedString(` | ||
globalThis.some_script = document.createElement("script"); | ||
globalThis.some_script.type = "text/javascript"; | ||
globalThis.some_script.text = "${shouldBeIndirectlyTaintedString}"; | ||
`); | ||
document.body.appendChild(globalThis.some_script); | ||
}); | ||
|
||
</script> | ||
</body> | ||
</html> |
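Review bot: `// jsTestIsAsync = true;` is left commented out, so this test depends on both `setTimeout` callbacks and the deferred `img` `onerror` handler firing before js-test prints `successfullyParsed` and `TEST COMPLETE`; set `window.jsTestIsAsync = true;` and call `finishJSTest()` from the last callback, as the companion settimeout test does, so the ordering is explicit rather than timing-dependent. The three `shouldBe...String` helpers are assigned without `let`/`const` and become implicit globals, and `shouldBeIndirectlyTaintedByHistoryString` is never used in this file. The comment explaining why the `innerHTML` case is `IndirectlyTainted` rather than `KnownTainted` (no JS frame on the stack when the JSONP-style handler is created) is the most useful line here; consider giving the `globalThis.some_script` case the same treatment, since the element is created by tainted code but appended by untainted code.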
@@ -0,0 +1,11 @@ | ||
Test taintedness is tracked via several ways to inject scripts in WebCore | ||
|
||
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". | ||
|
||
|
||
PASS $vm.vmTaintedState() is "IndirectlyTainted" | ||
PASS $vm.vmTaintedState() is "IndirectlyTaintedByHistory" | ||
PASS successfullyParsed is true | ||
|
||
TEST COMPLETE | ||
|
@@ -0,0 +1,34 @@ | ||
<!DOCTYPE html><!-- webkit-test-runner [ jscOptions=--useDollarVM=true ] --> | ||
<html> | ||
<head> | ||
<script src="../resources/js-test.js"></script> | ||
</head> | ||
<body> | ||
<div id="foo"></div> | ||
<script> | ||
description("Test taintedness is tracked via several ways to inject scripts in WebCore"); | ||
// jsTestIsAsync = true; | ||
|
||
window.jsTestIsAsync = true; | ||
|
||
let foo = document.getElementById("foo"); | ||
|
||
shouldBeIndirectlyTaintedString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTainted\\')"; | ||
shouldBeIndirectlyTaintedByHistoryString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTaintedByHistory\\')"; | ||
|
||
function checkFromOuterScript() { | ||
shouldBeEqualToString("$vm.vmTaintedState()", "IndirectlyTaintedByHistory"); | ||
finishJSTest(); | ||
} | ||
$vm.runTaintedString(` | ||
setTimeout(\` | ||
// IndirectlyTainted because this code is created by the setTimeout function. | ||
shouldBeEqualToString("$vm.vmTaintedState()", "IndirectlyTainted"); | ||
Promise.resolve().then(checkFromOuterScript); | ||
42 + 0; | ||
\`, 0); | ||
`); | ||
|
||
</script> | ||
</body> | ||
</html> |
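Review bot: several leftovers in this file: the commented `// jsTestIsAsync = true;` duplicates the live `window.jsTestIsAsync = true;` two lines below, `let foo = document.getElementById("foo");` (and the `<div id="foo">`) is never used, neither `shouldBeIndirectlyTaintedString` nor `shouldBeIndirectlyTaintedByHistoryString` is referenced, and `42 + 0;` inside the string passed to `setTimeout` has no comment saying why it is there. Trim the dead code, or add a comment if the `42 + 0;` is intentional. It would also help to note next to `checkFromOuterScript` that it expects `IndirectlyTaintedByHistory` because it runs as a microtask in the same turn after the tainted string executed, mirroring the inline `IndirectlyTainted because this code is created by the setTimeout function` comment.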