tainted flag not propagated in a function defined with eval() and its toSource() value #11

dmitris opened this Issue · 1 comment

Dmitri S

Consider the following example:

var s = String.newTainted("foo"); // "foo" is the potential attack payload
s.tainted; // true, of course
eval("function myfun() {return '" + s + "';}"); // define function myfun() that returns the tainted string
var x = myfun();  // invoke newly defined function
x.tainted; // currently false, should be true

Additionally, consider the return value of toSource() call that also contains the attack payload:

var src = myfun.toSource(); // "function myfun() {return "foo";}"
src.tainted; // currently false, should be true
Stefano Di Paola
wisec commented

The eval case is the same as the Function issue #10
About the toSource() it was actually left untainted in the C/C++ code.
If you want you can still wrap it and return a tainted string.

Stefano Di Paola wisec closed this
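The propagation gap dmitris reports, and the "wrap it and return a tainted string" workaround wisec suggests, modelled in an added example that is not DOMinator's own code. DOMinator sets the taint flag on engine strings in C/C++; here a hypothetical TaintedString wrapper stands in for String.newTainted() and the .tainted property. The Function constructor stands in for eval() (the maintainer notes the two cases are the same), and because toSource() is SpiderMonkey-only, Function.prototype.toString() stands in for it. All of those substitutions are assumptions of this example.

```javascript
// Added illustration: a userland stand-in for DOMinator's tainted strings.
// Real DOMinator marks engine strings in C/C++; here a hypothetical
// TaintedString wrapper carries the flag and propagates it on concat().
class TaintedString {
  constructor(value, tainted) {
    this.value = String(value);
    this.tainted = Boolean(tainted);
  }
  toString() { return this.value; }
  valueOf() { return this.value; }
  // Concatenation propagates taint if any operand is tainted.
  concat(...parts) {
    let value = this.value;
    let tainted = this.tainted;
    for (const part of parts) {
      value += String(part);
      tainted = tainted || isTainted(part);
    }
    return new TaintedString(value, tainted);
  }
}

function isTainted(x) {
  return x instanceof TaintedString && x.tainted;
}

// Stand-ins for String.newTainted() and for an ordinary (untainted) literal.
function newTainted(s) { return new TaintedString(s, true); }
function untainted(s) { return new TaintedString(s, false); }

// Builds the source text from the issue: a trusted template around the payload.
function buildFunctionSource(payload) {
  return untainted("function myfun() {return '").concat(payload, "';}");
}

// Compiles the source with the Function constructor (assumed equivalent to the
// issue's eval() call, as the maintainer says) and returns the defined myfun.
function compileMyfun(src) {
  return new Function(String(src) + "; return myfun;")();
}

// Reported behaviour: once the payload has been through eval()/Function(), the
// value myfun returns is an engine primitive and the taint flag is gone.
function defineWithPlainEval(src) {
  return compileMyfun(src);
}

// The suggested workaround, done in userland: if the source was tainted, wrap
// the compiled function so every string it returns is re-marked tainted, and
// give it a tainted toSource(). toSource() has no V8 equivalent, so
// Function.prototype.toString() stands in for it here (assumption).
function defineWithTaintAwareEval(src) {
  const fn = compileMyfun(src);
  if (!isTainted(src)) return fn; // nothing to preserve for trusted source
  const wrapped = function (...args) {
    const result = fn.apply(this, args);
    return typeof result === "string" ? new TaintedString(result, true) : result;
  };
  wrapped.toSource = () => new TaintedString(fn.toString(), true);
  return wrapped;
}

// Runs both variants against the issue's payload ("foo", a constructed input)
// and reports what each one preserves.
function demonstrateIssue(payloadText = "foo") {
  const src = buildFunctionSource(newTainted(payloadText));
  const plain = defineWithPlainEval(src);
  const aware = defineWithTaintAwareEval(src);
  return {
    sourceTainted: isTainted(src),                     // concat propagated the flag
    plainReturnTainted: isTainted(plain()),            // the gap from the issue
    plainReturnValue: String(plain()),
    wrappedReturnTainted: isTainted(aware()),          // wrapper restores the flag
    wrappedSourceTainted: isTainted(aware.toSource()), // and marks the source text
    wrappedSource: String(aware.toSource()),
  };
}
```

The wrapper is only a workaround for code that owns the eval/Function call site: taint is conservatively applied to everything the compiled function returns, whereas engine-level tracking could mark only the characters that came from the payload. Source compiled from untainted text is returned unwrapped, so trusted code pays nothing.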