On 08/09/2013 05:28 PM, Nicholas Nethercote wrote:
> On Fri, Aug 9, 2013 at 2:59 PM, Jim Blandy <jbla...@mozilla.com> wrote:
>> The taint analysis applies to strings only, and has four parts:
>> * It identifies certain *sources* of strings as "tainted":
>> document.URL, input fields, and so on.
>> * The JavaScript engine propagates taint information on strings.
>> Taking a substring of a tainted string, or concatenating a tainted
>> string, yields a tainted string. Regexp operations, charAt, and so
>> on all propagate taint information. And so on.
>> * It identifies certain *sinks* as vulnerable: eval, 'src' attributes
>> on script elements, and so on.
>> * Finally, the tool's user interface logs the appearance of tainted
>> strings at vulnerable sinks. The taint metadata actually records the
>> provenance of each region of a tainted string, so the tool can
>> explain exactly why the final string is tainted, which is really
>> helpful in constructing XSS attacks.
>
> Are there any operations that are considered to untaint tainted
> strings? I seem to remember that in Perl's taint mode a regexp
> search-and-replace operation untaints, but I could be wrong.
>
> Nick
Ivan has begun to document the rules for taint propagation here:
https://wiki.mozilla.org/Security/Features/JS_Tainting
_______________________________________________
dev-tech-js-engine-internals mailing list
dev-tech-js-engine-internals@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
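Added illustration (not code from this thread or from the SpiderMonkey tainting work): a toy JavaScript model of the four parts Jim describes, with a tainted source, propagation through concat and substring that keeps per-region provenance, and a sink check that reports why the string reaching the sink is tainted. The class and function names, and the sample URL, are assumptions for the example.

```javascript
// Hypothetical model of string tainting with per-region provenance.
// A tainted string carries sorted, non-overlapping half-open regions
// {start, end, source} naming which characters came from which source.
class TaintedString {
  constructor(value, regions = []) {
    this.value = value;
    this.regions = regions;
  }
  // Mark a whole string as coming from a named source, e.g. "document.URL".
  static fromSource(value, source) {
    const regions = value.length ? [{ start: 0, end: value.length, source }] : [];
    return new TaintedString(value, regions);
  }
  // Wrap a plain (untainted) string so it can take part in operations.
  static lift(s) {
    return s instanceof TaintedString ? s : new TaintedString(String(s));
  }
  get tainted() { return this.regions.length > 0; }
  // Concatenation keeps every region; the right operand's regions shift.
  concat(other) {
    const o = TaintedString.lift(other);
    const off = this.value.length;
    const shifted = o.regions.map(r => ({ start: r.start + off, end: r.end + off, source: r.source }));
    return new TaintedString(this.value + o.value, [...this.regions, ...shifted]);
  }
  // substring keeps only the part of each region that overlaps [from, to).
  substring(from, to = this.value.length) {
    const regions = [];
    for (const r of this.regions) {
      const s = Math.max(r.start, from), e = Math.min(r.end, to);
      if (s < e) regions.push({ start: s - from, end: e - from, source: r.source });
    }
    return new TaintedString(this.value.slice(from, to), regions);
  }
  // Provenance explanation: which pieces of the value came from which source.
  explain() {
    return this.regions.map(r => `${r.source}: ${JSON.stringify(this.value.slice(r.start, r.end))}`);
  }
}

// Sink check, as the tool's UI would run when eval or script.src receives a string.
// Returns null for untainted input, otherwise a report with the provenance.
function checkSink(sinkName, str) {
  const s = TaintedString.lift(str);
  return s.tainted ? { sink: sinkName, value: s.value, provenance: s.explain() } : null;
}

// Constructed sample: a URL fragment flows through substring and concat into eval.
const url = TaintedString.fromSource("https://example.test/page#name=alice", "document.URL");
const fragment = url.substring(url.value.indexOf("#") + 1); // "name=alice", still tainted
const code = new TaintedString("var greeting = '").concat(fragment).concat("';");
const report = checkSink("eval", code); // provenance: document.URL: "name=alice"
```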