tainted flag propagation through Function's constructor #10

Closed
dmitris opened this Issue Mar 8, 2013 · 1 comment

Comments

Projects
None yet
2 participants
Collaborator

dmitris commented Mar 8, 2013

I believe the following case is missing - wonder if it is something we should add:

var s = String.newTainted("foo"); // "foo" will be potential attack payload
s.tainted; // true
var f = new Function("", "return '" + s + "';");
var x = f();   // x is now "foo", but...
x.tainted; // currently false - I believe should be true to avoid losing the propagation of the tainted flag, right?
Owner

wisec commented Mar 8, 2013

Actually it's the expected behaviour.
In fact, it's like executing

 return 'foo';

and not

return taintedString;

Your case is covered by the Stored String Taint Propagation.
http://blog.mindedsecurity.com/2012/10/stored-dom-based-cross-site-scripting.html

@wisec wisec closed this Jan 9, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment