tainted flag propagation through Function's constructor #10

dmitris opened this Issue Mar 8, 2013 · 1 comment


None yet
2 participants

dmitris commented Mar 8, 2013

I believe the following case is missing - wonder if it is something we should add:

var s = String.newTainted("foo"); // "foo" will be potential attack payload
s.tainted; // true
var f = new Function("", "return '" + s + "';");
var x = f();   // x is now "foo", but...
x.tainted; // currently false - I believe should be true to avoid losing the propagation of the tainted flag, right?

wisec commented Mar 8, 2013

Actually it's the expected behaviour.
In fact, it's like executing

 return 'foo';

and not

return taintedString;

Your case is covered by the Stored String Taint Propagation.

@wisec wisec closed this Jan 9, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment