tainted flag not propagated in a function defined with eval() and its toSource() value #11

dmitris opened this Issue Mar 8, 2013 · 1 comment


Consider the following example:

```js
var s = String.newTainted("foo"); // "foo" is the potential attack payload
s.tainted; // true, of course
eval("function myfun() {return '" + s + "';}"); // define function myfun() that returns the tainted string
var x = myfun();  // invoke the newly defined function
x.tainted; // currently false, should be true
```

Additionally, consider the return value of the toSource() call, which also contains the attack payload:

```js
var src = myfun.toSource(); // "function myfun() {return "foo";}"
src.tainted; // currently false, should be true
```

The eval case is the same as the Function issue #10.
As for toSource(), it was actually left untainted in the C/C++ code.
If you want, you can still wrap it and return a tainted string.

@wisec wisec closed this Jan 9, 2014
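
One way to do the wrapping suggested in the last comment, as an added example that is not part of the original issue or the project's own code. `String.newTainted` and `.tainted` are the names used in the issue; `defineTracked`, `trackedCall`, `trackedSource` and the registry are hypothetical, and a boxed-string stand-in replaces the taint API on a stock engine so the sketch runs anywhere. It over-taints on purpose: every string result of a function compiled from tainted source is marked.

```javascript
// Use the engine's taint API when present (names from the issue); otherwise a
// stand-in (assumption) that boxes the string so it can carry a mark.
const hasTaintApi = typeof String.newTainted === "function";
const marked = new WeakSet();

function taint(s) {
  if (hasTaintApi) return String.newTainted(String(s));
  const boxed = new String(s);
  marked.add(boxed);
  return boxed;
}

function isTainted(s) {
  if (hasTaintApi) return s.tainted === true;
  return typeof s === "object" && s !== null && marked.has(s);
}

// Hypothetical registry of functions compiled from tainted source text.
const fromTaintedSource = new WeakSet();

// Hypothetical eval wrapper: compile one function declaration/expression and
// remember whether the source text it came from was tainted.
function defineTracked(src) {
  const fn = (0, eval)("(" + src + ")");
  if (isTainted(src)) fromTaintedSource.add(fn);
  return fn;
}

// Wrapped call: string results of a tainted-source function are re-tainted.
function trackedCall(fn, ...args) {
  const out = fn(...args);
  return fromTaintedSource.has(fn) && typeof out === "string" ? taint(out) : out;
}

// Wrapped toSource(): uses toString() where the engine has no toSource().
function trackedSource(fn) {
  const text = typeof fn.toSource === "function" ? fn.toSource() : fn.toString();
  return fromTaintedSource.has(fn) ? taint(text) : text;
}
```
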