Add taintedness tracking to JSC

https://bugs.webkit.org/show_bug.cgi?id=242537 rdar://83222586 Reviewed by Yusuke Suzuki. This patch adds the core structure of what's needed to do taintedness tracking in JSC. This allows us to track tainted code even through eval assuming there isn't support from untainted code. In order to maintain performance of untainted code we add a bit to the VM which tells us if tainted code has run this event loop turn. This allows checkers of taintedness to skip a stack walk in the common case where there's no tainted code running. * JSTests/stress/taintedness-tracking-inlining.js: Added. (foo): (setTimeout): * JSTests/stress/taintedness-tracking.js: Added. (check): (callArg): (Promise.resolve.then): (setTimeout): (let.evalFunc.vm.runTaintedString): (setTimeout.globalThis.foo.set bar): * LayoutTests/js/taintedness-innerhtml-expected.txt: Added. * LayoutTests/js/taintedness-innerhtml.html: Added. * LayoutTests/js/taintedness-settimeout-expected.txt: Added. * LayoutTests/js/taintedness-settimeout.html: Added. * Source/JavaScriptCore/API/JSBase.cpp: (JSEvaluateScript): (JSCheckScriptSyntax): * Source/JavaScriptCore/API/JSObjectRef.cpp: (JSObjectMakeFunction): * Source/JavaScriptCore/API/JSScript.mm: (-[JSScript sourceCode]): * Source/JavaScriptCore/API/JSScriptRef.cpp: * Source/JavaScriptCore/API/glib/JSCContext.cpp: (jsc_context_check_syntax): * Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj: * Source/JavaScriptCore/Scripts/wkbuiltins/builtins_templates.py: (BuiltinsGeneratorTemplates): * Source/JavaScriptCore/Sources.txt: * Source/JavaScriptCore/builtins/BuiltinExecutables.cpp: (JSC::BuiltinExecutables::BuiltinExecutables): (JSC::BuiltinExecutables::defaultConstructorSourceCode): * Source/JavaScriptCore/bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): * Source/JavaScriptCore/bytecode/CodeBlock.h: (JSC::CodeBlock::couldBeTainted const): * Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::evaluateWithScopeExtension): * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::inliningCost): * Source/JavaScriptCore/dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compileEntry): * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lower): * Source/JavaScriptCore/inspector/InjectedScriptManager.cpp: * Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp: (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension): * Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp: (Inspector::InspectorRuntimeAgent::parse): * Source/JavaScriptCore/interpreter/Interpreter.cpp: (JSC::eval): (JSC::Interpreter::executeProgram): * Source/JavaScriptCore/interpreter/Interpreter.h: * Source/JavaScriptCore/jit/JITOpcodes.cpp: (JSC::JIT::emit_op_enter): * Source/JavaScriptCore/jsc.cpp: (GlobalObject::moduleLoaderFetch): (JSC_DEFINE_HOST_FUNCTION): * Source/JavaScriptCore/parser/SourceCode.h: (JSC::makeSource): * Source/JavaScriptCore/parser/SourceProvider.cpp: (JSC::SourceProvider::SourceProvider): (JSC::BaseWebAssemblySourceProvider::BaseWebAssemblySourceProvider): * Source/JavaScriptCore/parser/SourceProvider.h: (JSC::SourceProvider::setSourceTaintedOrigin): (JSC::SourceProvider::sourceTaintedOrigin const): (JSC::SourceProvider::couldBeTainted const): (JSC::StringSourceProvider::create): (JSC::StringSourceProvider::StringSourceProvider): * Source/JavaScriptCore/parser/SourceTaintedOrigin.cpp: Added. (JSC::sourceTaintedOriginToString): (JSC::sourceTaintedOriginFromStack): (JSC::computeNewSourceTaintedOriginFromStack): * Source/JavaScriptCore/parser/SourceTaintedOrigin.h: Added. (JSC::taintednessToTriState): * Source/JavaScriptCore/runtime/CachedTypes.cpp: (JSC::CachedSourceProviderShape::encode): (JSC::CachedSourceProviderShape::decode const): (JSC::CachedStringSourceProvider::decode const): * Source/JavaScriptCore/runtime/CommonSlowPaths.cpp: (JSC::JSC_DEFINE_COMMON_SLOW_PATH): * Source/JavaScriptCore/runtime/Forward.h: * Source/JavaScriptCore/runtime/FunctionConstructor.cpp: (JSC::constructFunction): (JSC::constructFunctionSkippingEvalEnabledCheck): * Source/JavaScriptCore/runtime/FunctionConstructor.h: * Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): * Source/JavaScriptCore/runtime/ShadowRealmPrototype.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): * Source/JavaScriptCore/runtime/VM.h: (JSC::VM::mightBeExecutingTaintedCode const): (JSC::VM::addressOfMightBeExecutingTaintedCode): (JSC::VM::setMightBeExecutingTaintedCode): (JSC::VM::finalizeSynchronousJSExecution): * Source/JavaScriptCore/tools/FunctionOverrides.cpp: (JSC::initializeOverrideInfo): * Source/JavaScriptCore/tools/JSDollarVM.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): (JSC::JSDollarVM::finishCreation): * Source/WebCore/bindings/js/CachedScriptSourceProvider.h: (WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider): * Source/WebCore/bindings/js/JSLazyEventListener.cpp: (WebCore::JSLazyEventListener::JSLazyEventListener): (WebCore::JSLazyEventListener::initializeJSFunction const): * Source/WebCore/bindings/js/JSLazyEventListener.h: * Source/WebCore/bindings/js/RunJavaScriptParameters.h: (WebCore::RunJavaScriptParameters::RunJavaScriptParameters): (WebCore::RunJavaScriptParameters::encode const): (WebCore::RunJavaScriptParameters::decode): * Source/WebCore/bindings/js/ScheduledAction.cpp: (WebCore::ScheduledAction::ScheduledAction): (WebCore::ScheduledAction::execute): * Source/WebCore/bindings/js/ScheduledAction.h: * Source/WebCore/bindings/js/ScriptBufferSourceProvider.h: * Source/WebCore/bindings/js/ScriptController.cpp: (WebCore::ScriptController::executeScriptIgnoringException): (WebCore::ScriptController::executeScriptInWorldIgnoringException): (WebCore::ScriptController::executeScriptInWorld): (WebCore::ScriptController::callInWorld): (WebCore::ScriptController::executeUserAgentScriptInWorld): (WebCore::ScriptController::executeJavaScriptURL): * Source/WebCore/bindings/js/ScriptController.h: * Source/WebCore/bindings/js/ScriptSourceCode.h: (WebCore::ScriptSourceCode::ScriptSourceCode): * Source/WebCore/bridge/objc/WebScriptObject.mm: (-[WebScriptObject evaluateWebScript:]): * Source/WebCore/contentextensions/ContentExtensionsBackend.cpp: (WebCore::ContentExtensions::ContentExtensionsBackend::processContentRuleListsForLoad): * Source/WebCore/css/DOMCSSPaintWorklet.cpp: (WebCore::PaintWorklet::addModule): * Source/WebCore/dom/Document.cpp: (WebCore::Document::ensurePlugInsInjectedScript): * Source/WebCore/dom/ScriptElement.cpp: (WebCore::ScriptElement::ScriptElement): (WebCore::ScriptElement::prepareScript): (WebCore::ScriptElement::requestModuleScript): (WebCore::ScriptElement::executePendingScript): * Source/WebCore/dom/ScriptElement.h: (WebCore::ScriptElement::sourceTaintedOrigin const): * Source/WebCore/html/HTMLMediaElement.cpp: (WebCore::HTMLMediaElement::ensureMediaControls): * Source/WebCore/html/parser/HTMLScriptRunner.cpp: (WebCore::HTMLScriptRunner::runScript): * Source/WebCore/inspector/InspectorFrontendAPIDispatcher.cpp: (WebCore::InspectorFrontendAPIDispatcher::evaluateExpression): * Source/WebCore/inspector/InspectorFrontendHost.cpp: (WebCore::InspectorFrontendHost::evaluateScriptInExtensionTab): * Source/WebCore/inspector/agents/InspectorPageAgent.cpp: (WebCore::InspectorPageAgent::didClearWindowObjectInWorld): * Source/WebCore/loader/DocumentLoader.cpp: (WebCore::DocumentLoader::handleContentFilterDidBlock): * Source/WebCore/page/LocalFrame.cpp: (WebCore::LocalFrame::injectUserScriptImmediately): * Source/WebCore/testing/Internals.cpp: (WebCore::Internals::evaluateInWorldIgnoringException): * Source/WebCore/xml/XMLTreeViewer.cpp: (WebCore::XMLTreeViewer::transformDocumentToTreeView): * Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp: (WebCore::XMLDocumentParser::endElementNs): * Source/WebKit/DerivedSources-output.xcfilelist: * Source/WebKit/UIProcess/API/C/WKPage.cpp: (WKPageRunJavaScriptInMainFrame): * Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm: (-[WKWebView _evaluateJavaScript:asAsyncFunction:withSourceURL:withArguments:forceUserGesture:inFrame:inWorld:completionHandler:]): * Source/WebKitLegacy/mac/WebView/WebFrame.mm: (-[WebFrame _stringByEvaluatingJavaScriptFromString:forceUserGesture:]): * Source/WebKitLegacy/mac/WebView/WebView.mm: (-[WebView aeDescByEvaluatingJavaScriptFromString:]): Canonical link: https://commits.webkit.org/267765@main
WebKit · Sep 8, 2023 · 3a1c346 · 3a1c346
1 parent 1c1d8e1
commit 3a1c346
Show file tree

Hide file tree

Showing 77 changed files with 598 additions and 114 deletions.
diff --git a/JSTests/stress/taintedness-tracking-inlining.js b/JSTests/stress/taintedness-tracking-inlining.js
@@ -0,0 +1,21 @@
+//@ requireOptions("--forceDiskCache=0")
+// $vm doesn't have a source provider that can cache to disk. Skip that testing configuration.
+
+$vm.runTaintedString("function taintedFunc() { return $vm.vmTaintedState(); }");
+
+function foo() {
+    return taintedFunc();
+}
+noInline(foo);
+
+for (let i = 0; i < 1e5; ++i) {
+    let state = foo();
+    if (state !== "KnownTainted")
+        throw new Error(state);
+}
+
+setTimeout(() => {
+    let state = foo();
+    if (state !== "KnownTainted")
+        throw new Error(state);
+});
diff --git a/JSTests/stress/taintedness-tracking.js b/JSTests/stress/taintedness-tracking.js
@@ -0,0 +1,68 @@
+//@ requireOptions("--forceDiskCache=0")
+// $vm doesn't have a source provider that can cache to disk. Skip that testing configuration.
+
+function check(expected, state = $vm.vmTaintedState()) {
+    if (expected != state)
+        throw new Error("Expected " + expected + " but state was " + state);
+
+}
+
+check("Untainted");
+
+function callArg(foo) { return foo(); }
+let state = callArg($vm.vmTaintedState)
+check("Untainted", state);
+
+state = $vm.runTaintedString("function taintedFunc() { return $vm.vmTaintedState(); } $vm.vmTaintedState()");
+check("KnownTainted", state);
+check("IndirectlyTaintedByHistory");
+
+let func = Function("return $vm.vmTaintedState();");
+
+Promise.resolve().then(() => {
+    check("IndirectlyTaintedByHistory");
+});
+
+setTimeout(() => {
+    check("Untainted");
+    state = func();
+    check("IndirectlyTaintedByHistory", state);
+    check("IndirectlyTaintedByHistory");
+});
+
+setTimeout(() => {
+    state = taintedFunc();
+    check("KnownTainted", state);
+    check("IndirectlyTaintedByHistory");
+});
+
+let evalFunc = $vm.runTaintedString(`(function() {
+    return eval("Function('return $vm.vmTaintedState();')");
+})`);
+
+setTimeout(() => {
+    let func = evalFunc();
+    setTimeout(() => {
+        check("IndirectlyTainted", func());
+    });
+});
+
+setTimeout(() => {
+    // Test JSONP code paths, which can create code via setters.
+    check("Untainted");
+    globalThis.foo = { set bar(value) { this.baz = eval(value); }}
+    $vm.runTaintedString("foo.bar = '(function() { return $vm.vmTaintedState(); })'");
+    check("IndirectlyTaintedByHistory");
+    setTimeout(() => {
+        check("Untainted");
+        state = foo.baz();
+        check("IndirectlyTainted", state);
+        check("IndirectlyTaintedByHistory");
+    })
+});
+
+setTimeout(() => {
+    state = $vm.runTaintedString("callArg($vm.vmTaintedState)");
+    check("KnownTainted", state);
+});
+
diff --git a/LayoutTests/js/taintedness-innerhtml-expected.txt b/LayoutTests/js/taintedness-innerhtml-expected.txt
@@ -0,0 +1,14 @@
+Test taintedness is tracked via several ways to inject scripts in WebCore
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS $vm.vmTaintedState() is "Untainted"
+PASS $vm.vmTaintedState() is "KnownTainted"
+PASS $vm.vmTaintedState() is "Untainted"
+PASS $vm.vmTaintedState() is "IndirectlyTainted"
+PASS $vm.vmTaintedState() is "IndirectlyTainted"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+;
diff --git a/LayoutTests/js/taintedness-innerhtml.html b/LayoutTests/js/taintedness-innerhtml.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html><!-- webkit-test-runner [ jscOptions=--useDollarVM=true ] -->
+<html>
+<head>
+<script src="../resources/js-test.js"></script>
+</head>
+<body>
+<div id="foo"></div>
+<script>
+    description("Test taintedness is tracked via several ways to inject scripts in WebCore");
+    // jsTestIsAsync = true;
+
+
+    let foo = document.getElementById("foo");
+
+    shouldBeKnownTaintedString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'KnownTainted\\')";
+    shouldBeIndirectlyTaintedString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTainted\\')";
+    shouldBeIndirectlyTaintedByHistoryString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTaintedByHistory\\')";
+    // state is IndirectlyTainted because the function itself is created in the innerHTML function not the runTaintedString call and we don't have a JS frame on the stack for taintedness tracking as this is executed as JSONP.
+    $vm.runTaintedString(`
+        foo.innerHTML = '<img src="x" onerror="${shouldBeIndirectlyTaintedString}" />;';
+    `);
+
+    setTimeout(() => {
+        shouldBeEqualToString("$vm.vmTaintedState()", "Untainted");
+        $vm.runTaintedString(`
+            let some_script = document.createElement("script");
+            some_script.type = "text/javascript";
+            some_script.text = "${shouldBeKnownTaintedString}";
+            document.body.appendChild(some_script);
+        `);
+    });
+
+    setTimeout(() => {
+        shouldBeEqualToString("$vm.vmTaintedState()", "Untainted");
+        $vm.runTaintedString(`
+            globalThis.some_script = document.createElement("script");
+            globalThis.some_script.type = "text/javascript";
+            globalThis.some_script.text = "${shouldBeIndirectlyTaintedString}";
+        `);
+        document.body.appendChild(globalThis.some_script);
+    });
+
+</script>
+</body>
+</html>
diff --git a/LayoutTests/js/taintedness-settimeout-expected.txt b/LayoutTests/js/taintedness-settimeout-expected.txt
@@ -0,0 +1,11 @@
+Test taintedness is tracked via several ways to inject scripts in WebCore
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS $vm.vmTaintedState() is "IndirectlyTainted"
+PASS $vm.vmTaintedState() is "IndirectlyTaintedByHistory"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/js/taintedness-settimeout.html b/LayoutTests/js/taintedness-settimeout.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html><!-- webkit-test-runner [ jscOptions=--useDollarVM=true ] -->
+<html>
+<head>
+<script src="../resources/js-test.js"></script>
+</head>
+<body>
+<div id="foo"></div>
+<script>
+    description("Test taintedness is tracked via several ways to inject scripts in WebCore");
+    // jsTestIsAsync = true;
+
+    window.jsTestIsAsync = true;
+
+    let foo = document.getElementById("foo");
+
+    shouldBeIndirectlyTaintedString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTainted\\')";
+    shouldBeIndirectlyTaintedByHistoryString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTaintedByHistory\\')";
+
+    function checkFromOuterScript() {
+        shouldBeEqualToString("$vm.vmTaintedState()", "IndirectlyTaintedByHistory");
+        finishJSTest();
+    }
+    $vm.runTaintedString(`
+        setTimeout(\`
+            // IndirectlyTainted because this code is created by the setTimeout function.
+            shouldBeEqualToString("$vm.vmTaintedState()", "IndirectlyTainted");
+            Promise.resolve().then(checkFromOuterScript);
+            42 + 0;
+        \`, 0);
+    `);
+
+</script>
+</body>
+</html>
diff --git a/Source/JavaScriptCore/API/JSBase.cpp b/Source/JavaScriptCore/API/JSBase.cpp
@@ -86,7 +86,7 @@ JSValueRef JSEvaluateScript(JSContextRef ctx, JSStringRef script, JSObjectRef th
     startingLineNumber = std::max(1, startingLineNumber);
 
     auto sourceURL = sourceURLString ? URL({ }, sourceURLString->string()) : URL();
-    SourceCode source = makeSource(script->string(), SourceOrigin { sourceURL }, sourceURL.string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()));
+    SourceCode source = makeSource(script->string(), SourceOrigin { sourceURL }, SourceTaintedOrigin::Untainted, sourceURL.string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()));
 
     return JSEvaluateScriptInternal(locker, ctx, thisObject, source, exception);
 }
@@ -104,7 +104,7 @@ bool JSCheckScriptSyntax(JSContextRef ctx, JSStringRef script, JSStringRef sourc
     startingLineNumber = std::max(1, startingLineNumber);
 
     auto sourceURL = sourceURLString ? URL({ }, sourceURLString->string()) : URL();
-    SourceCode source = makeSource(script->string(), SourceOrigin { sourceURL }, sourceURL.string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()));
+    SourceCode source = makeSource(script->string(), SourceOrigin { sourceURL }, SourceTaintedOrigin::Untainted, sourceURL.string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()));
 
     JSValue syntaxException;
     bool isValidSyntax = checkSyntax(globalObject, source, &syntaxException);

diff --git a/Source/JavaScriptCore/API/JSObjectRef.cpp b/Source/JavaScriptCore/API/JSObjectRef.cpp
@@ -153,7 +153,7 @@ JSObjectRef JSObjectMakeFunction(JSContextRef ctx, JSStringRef name, unsigned pa
     }
 
     auto sourceURL = sourceURLString ? URL({ }, sourceURLString->string()) : URL();
-    JSObject* result = constructFunction(globalObject, args, nameID, SourceOrigin { sourceURL }, sourceURL.string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()));
+    JSObject* result = constructFunction(globalObject, args, nameID, SourceOrigin { sourceURL }, sourceURL.string(), SourceTaintedOrigin::Untainted, TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()));
     if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow)
         result = nullptr;
     return toRef(result);

diff --git a/Source/JavaScriptCore/API/JSScript.mm b/Source/JavaScriptCore/API/JSScript.mm
@@ -273,7 +273,7 @@ - (unsigned)hash
     URL url = URL({ }, filename);
     auto type = m_type == kJSScriptTypeModule ? JSC::SourceProviderSourceType::Module : JSC::SourceProviderSourceType::Program;
     JSC::SourceOrigin origin(url);
-    Ref<JSScriptSourceProvider> sourceProvider = JSScriptSourceProvider::create(self, origin, WTFMove(filename), String(), startPosition, type);
+    Ref<JSScriptSourceProvider> sourceProvider = JSScriptSourceProvider::create(self, origin, WTFMove(filename), String(), JSC::SourceTaintedOrigin::Untainted, startPosition, type);
     JSC::SourceCode sourceCode(WTFMove(sourceProvider), startPosition.m_line.oneBasedInt(), startPosition.m_column.oneBasedInt());
     return sourceCode;
 }

diff --git a/Source/JavaScriptCore/API/JSScriptRef.cpp b/Source/JavaScriptCore/API/JSScriptRef.cpp
@@ -58,7 +58,7 @@ struct OpaqueJSScript final : public SourceProvider {
 
 private:
     OpaqueJSScript(VM& vm, const SourceOrigin& sourceOrigin, String&& filename, int startingLineNumber, const String& source)
-        : SourceProvider(sourceOrigin, WTFMove(filename), String(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()), SourceProviderSourceType::Program)
+        : SourceProvider(sourceOrigin, WTFMove(filename), String(), SourceTaintedOrigin::Untainted, TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()), SourceProviderSourceType::Program)
         , m_vm(vm)
         , m_source(source.isNull() ? *StringImpl::empty() : *source.impl())
     {

diff --git a/Source/JavaScriptCore/API/glib/JSCContext.cpp b/Source/JavaScriptCore/API/glib/JSCContext.cpp
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2018 Igalia S.L.
+ * Copyright (C) 2023 Apple Inc.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ -972,7 +973,7 @@ JSCCheckSyntaxResult jsc_context_check_syntax(JSCContext* context, const char* c
     JSC::JSLockHolder locker(vm);
 
     URL sourceURL = uri ? URL(String::fromLatin1(uri)) : URL();
-    JSC::SourceCode source = JSC::makeSource(String::fromUTF8(code, length < 0 ? strlen(code) : length), JSC::SourceOrigin { sourceURL },
+    JSC::SourceCode source = JSC::makeSource(String::fromUTF8(code, length < 0 ? strlen(code) : length), JSC::SourceOrigin { sourceURL }, JSC::SourceTaintedOrigin::Untainted,
         sourceURL.string() , TextPosition(OrdinalNumber::fromOneBasedInt(lineNumber), OrdinalNumber()));
     bool success = false;
     JSC::ParserError error;

diff --git a/Source/JavaScriptCore/CMakeLists.txt b/Source/JavaScriptCore/CMakeLists.txt
@@ -934,6 +934,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS
     parser/SourceProvider.h
     parser/SourceProviderCache.h
     parser/SourceProviderCacheItem.h
+    parser/SourceTaintedOrigin.h
     parser/UnlinkedSourceCode.h
     parser/VariableEnvironment.h
 

diff --git a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
@@ -1018,6 +1018,7 @@
 		534E03581E53BF2F00213F64 /* GetterSetterAccessCase.h in Headers */ = {isa = PBXBuildFile; fileRef = 534E03571E53BF2F00213F64 /* GetterSetterAccessCase.h */; };
 		5350356527147E5A00EC1A7E /* SourceID.h in Headers */ = {isa = PBXBuildFile; fileRef = 5350356427147E5900EC1A7E /* SourceID.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		53529A4C1C457B75000B49C6 /* APIUtils.h in Headers */ = {isa = PBXBuildFile; fileRef = 53529A4B1C457B75000B49C6 /* APIUtils.h */; };
+		53542B232AA8D8AF00205FB3 /* SourceTaintedOrigin.h in Headers */ = {isa = PBXBuildFile; fileRef = 53542B222AA8D89D00205FB3 /* SourceTaintedOrigin.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		535557141D9D9EA5006D583B /* WasmMemory.h in Headers */ = {isa = PBXBuildFile; fileRef = 535557131D9D9EA5006D583B /* WasmMemory.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		535C24611F78928E006EC40E /* create_regex_tables in Headers */ = {isa = PBXBuildFile; fileRef = A718F8211178EB4B002465A7 /* create_regex_tables */; };
 		535C246C1F7A1778006EC40E /* UnifiedSource136.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 535C246B1F7A1777006EC40E /* UnifiedSource136.cpp */; };
@@ -1208,7 +1209,6 @@
 		554C418829B14CA5003C9F71 /* WebAssemblyGCObjectBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 554C418629B14CA5003C9F71 /* WebAssemblyGCObjectBase.h */; };
 		55579D9028DD641000153DAE /* WebAssemblyArrayPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = 55579D8D28DD640F00153DAE /* WebAssemblyArrayPrototype.h */; };
 		55579D9128DD641000153DAE /* WebAssemblyArrayConstructor.h in Headers */ = {isa = PBXBuildFile; fileRef = 55579D8E28DD641000153DAE /* WebAssemblyArrayConstructor.h */; };
-		556872AC2A97BCD100502424 /* WasmConstExprGenerator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 556872AA2A97BCD100502424 /* WasmConstExprGenerator.cpp */; };
 		556872AD2A97BCD100502424 /* WasmConstExprGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = 556872AB2A97BCD100502424 /* WasmConstExprGenerator.h */; };
 		55F5DFB128DA9A2000595620 /* JSWebAssemblyArray.h in Headers */ = {isa = PBXBuildFile; fileRef = 55F5DFAE28DA9A2000595620 /* JSWebAssemblyArray.h */; };
 		5B4032802798D20600F37939 /* JSRemoteFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = 5B40327E2798D1FD00F37939 /* JSRemoteFunction.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -4056,6 +4056,8 @@
 		534E03571E53BF2F00213F64 /* GetterSetterAccessCase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = GetterSetterAccessCase.h; sourceTree = "<group>"; };
 		5350356427147E5900EC1A7E /* SourceID.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SourceID.h; sourceTree = "<group>"; };
 		53529A4B1C457B75000B49C6 /* APIUtils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = APIUtils.h; sourceTree = "<group>"; };
+		53542B212AA8D89D00205FB3 /* SourceTaintedOrigin.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = SourceTaintedOrigin.cpp; sourceTree = "<group>"; };
+		53542B222AA8D89D00205FB3 /* SourceTaintedOrigin.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SourceTaintedOrigin.h; sourceTree = "<group>"; };
 		535557131D9D9EA5006D583B /* WasmMemory.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmMemory.h; sourceTree = "<group>"; };
 		535557151D9DFA32006D583B /* WasmMemory.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmMemory.cpp; sourceTree = "<group>"; };
 		535C246B1F7A1777006EC40E /* UnifiedSource136.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = UnifiedSource136.cpp; path = "DerivedSources/JavaScriptCore/unified-sources/UnifiedSource136.cpp"; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -7779,6 +7781,8 @@
 				E49DC15512EF277200184A1F /* SourceProviderCache.cpp */,
 				E49DC15112EF272200184A1F /* SourceProviderCache.h */,
 				E49DC14912EF261A00184A1F /* SourceProviderCacheItem.h */,
+				53542B212AA8D89D00205FB3 /* SourceTaintedOrigin.cpp */,
+				53542B222AA8D89D00205FB3 /* SourceTaintedOrigin.h */,
 				A7A7EE7711B98B8D0065A14F /* SyntaxChecker.h */,
 				0F8F2B9D17306C8B007DBDA5 /* UnlinkedSourceCode.cpp */,
 				14AB66751DECF40900A56C26 /* UnlinkedSourceCode.h */,
@@ -11559,6 +11563,7 @@
 				BC18C4630E16F5CD00B34460 /* SourceProvider.h in Headers */,
 				E49DC16C12EF294E00184A1F /* SourceProviderCache.h in Headers */,
 				E49DC16D12EF295300184A1F /* SourceProviderCacheItem.h in Headers */,
+				53542B232AA8D8AF00205FB3 /* SourceTaintedOrigin.h in Headers */,
 				0FDE87FC1DFE6E510064C390 /* SpaceTimeMutatorScheduler.h in Headers */,
 				0FB7F39E15ED8E4600F167B2 /* SparseArrayValueMap.h in Headers */,
 				A7386554118697B400540279 /* SpecializedThunkJIT.h in Headers */,

diff --git a/Source/JavaScriptCore/Scripts/wkbuiltins/builtins_templates.py b/Source/JavaScriptCore/Scripts/wkbuiltins/builtins_templates.py
@@ -29,7 +29,7 @@
 
 class BuiltinsGeneratorTemplates:
 
-    DefaultCopyright = "2016 Apple Inc. All rights reserved."
+    DefaultCopyright = "2016-2023 Apple Inc. All rights reserved."
     LicenseText = (
     """Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
@@ -132,7 +132,7 @@ class BuiltinsGeneratorTemplates:
     explicit ${objectName}BuiltinsWrapper(JSC::VM& vm)
         : m_vm(vm)
         ${macroPrefix}_FOREACH_${objectMacro}_BUILTIN_FUNCTION_NAME(INITIALIZE_BUILTIN_NAMES)
-#define INITIALIZE_BUILTIN_SOURCE_MEMBERS(name, functionName, overriddenName, length) , m_##name##Source(JSC::makeSource(StringImpl::createWithoutCopying(s_##name, length), { }))
+#define INITIALIZE_BUILTIN_SOURCE_MEMBERS(name, functionName, overriddenName, length) , m_##name##Source(JSC::makeSource(StringImpl::createWithoutCopying(s_##name, length), { }, JSC::SourceTaintedOrigin::Untainted))
         ${macroPrefix}_FOREACH_${objectMacro}_BUILTIN_CODE(INITIALIZE_BUILTIN_SOURCE_MEMBERS)
 #undef INITIALIZE_BUILTIN_SOURCE_MEMBERS
     {

diff --git a/Source/JavaScriptCore/Sources.txt b/Source/JavaScriptCore/Sources.txt
@@ -718,6 +718,7 @@ parser/Parser.cpp @no-unify
 parser/ParserArena.cpp
 parser/SourceProvider.cpp
 parser/SourceProviderCache.cpp
+parser/SourceTaintedOrigin.cpp
 parser/UnlinkedSourceCode.cpp
 parser/VariableEnvironment.cpp
 

diff --git a/Source/JavaScriptCore/builtins/BuiltinExecutables.cpp b/Source/JavaScriptCore/builtins/BuiltinExecutables.cpp
@@ -36,7 +36,7 @@ namespace JSC {
 
 BuiltinExecutables::BuiltinExecutables(VM& vm)
     : m_vm(vm)
-    , m_combinedSourceProvider(StringSourceProvider::create(StringImpl::createWithoutCopying(s_JSCCombinedCode, s_JSCCombinedCodeLength), { }, String()))
+    , m_combinedSourceProvider(StringSourceProvider::create(StringImpl::createWithoutCopying(s_JSCCombinedCode, s_JSCCombinedCodeLength), { }, String(), SourceTaintedOrigin::Untainted))
 {
 }
 
@@ -48,11 +48,11 @@ SourceCode BuiltinExecutables::defaultConstructorSourceCode(ConstructorKind cons
         break;
     case ConstructorKind::Base: {
         static NeverDestroyed<const String> baseConstructorCode(MAKE_STATIC_STRING_IMPL("(function () { })"));
-        return makeSource(baseConstructorCode, { });
+        return makeSource(baseConstructorCode, { }, SourceTaintedOrigin::Untainted);
     }
     case ConstructorKind::Extends: {
         static NeverDestroyed<const String> derivedConstructorCode(MAKE_STATIC_STRING_IMPL("(function (...args) { super(...args); })"));
-        return makeSource(derivedConstructorCode, { });
+        return makeSource(derivedConstructorCode, { }, SourceTaintedOrigin::Untainted);
     }
     }
     RELEASE_ASSERT_NOT_REACHED();

diff --git a/Source/JavaScriptCore/bytecode/CodeBlock.cpp b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
@@ -276,6 +276,7 @@ CodeBlock::CodeBlock(VM& vm, Structure* structure, CopyParsedBlockTag, CodeBlock
     , m_numCalleeLocals(other.m_numCalleeLocals)
     , m_numVars(other.m_numVars)
     , m_numberOfArgumentsToSkip(other.m_numberOfArgumentsToSkip)
+    , m_couldBeTainted(other.m_couldBeTainted)
     , m_hasDebuggerStatement(false)
     , m_steppingMode(SteppingModeDisabled)
     , m_numBreakpoints(0)
@@ -299,6 +300,7 @@ CodeBlock::CodeBlock(VM& vm, Structure* structure, CopyParsedBlockTag, CodeBlock
     constexpr bool allocateArgumentValueProfiles = false;
     setNumParameters(other.numParameters(), allocateArgumentValueProfiles);
 
+    ASSERT(m_couldBeTainted == (taintednessToTriState(source().provider()->sourceTaintedOrigin()) != TriState::False));
     vm.heap.codeBlockSet().add(this);
 }
 
@@ -345,6 +347,7 @@ CodeBlock::CodeBlock(VM& vm, Structure* structure, ScriptExecutable* ownerExecut
     constexpr bool allocateArgumentValueProfiles = true;
     setNumParameters(unlinkedCodeBlock->numParameters(), allocateArgumentValueProfiles);
 
+    m_couldBeTainted = source().provider()->couldBeTainted();
     vm.heap.codeBlockSet().add(this);
 }