コード例 #1
0
ファイル: JSHTMLDocument.cpp プロジェクト: dmitris/tpjs
EncodedJSValue JSC_HOST_CALL jsHTMLDocumentPrototypeFunctionWrite(ExecState* exec)
{
    JSValue thisValue = exec->hostThisValue();
    if (!thisValue.inherits(&JSHTMLDocument::s_info))
        return throwVMTypeError(exec);
    JSHTMLDocument* castedThis = static_cast<JSHTMLDocument*>(asObject(thisValue));
#ifdef JSC_TAINTED
/*
if we comment out the following code segement and move the detection to bindings/js/JSHTMLDocumentCustom.cpp
one of the test case like below cannot be detected anymore. need to investigate the reason behind.
document.write("hello"+document.location.href.substring(document.location.href.indexOf("default=")+8));\

the guess is the following code does not cover the primitive string.
*/
    JSValue s = exec->argument(0);
    if (s.isString() && s.isTainted()) {
        HTMLDocument* d1 = static_cast<HTMLDocument*>(castedThis->impl());
        d1->setTainted(s.isTainted());

	TaintedStructure trace_struct;
	trace_struct.taintedno = s.isTainted();
	trace_struct.internalfunc = "jsHTMLDocumentPrototypeFunctionWrite";
	trace_struct.jsfunc = "document.write";
	trace_struct.action = "sink";

	char msg[20];
	stringstream msgss;
	snprintf(msg, 20, "%s", s.toString(exec).utf8(true).data());
	msgss << msg;
	msgss >> trace_struct.value;

	TaintedTrace* trace = TaintedTrace::getInstance();
	trace->addTaintedTrace(trace_struct);
    }
コード例 #2
0
ファイル: JSHTMLDocument.cpp プロジェクト: dpnishant/tpjs
EncodedJSValue JSC_HOST_CALL jsHTMLDocumentPrototypeFunctionWrite(ExecState* exec)
{
    JSValue thisValue = exec->hostThisValue();
    if (!thisValue.inherits(&JSHTMLDocument::s_info))
        return throwVMTypeError(exec);
    JSHTMLDocument* castedThis = static_cast<JSHTMLDocument*>(asObject(thisValue));
#if defined(JSC_TAINTED)
/*
if we comment out the following code segement and move the detection to bindings/js/JSHTMLDocumentCustom.cpp
one of the test case like below cannot be detected anymore. need to investigate the reason behind.
document.write("hello"+document.location.href.substring(document.location.href.indexOf("default=")+8));\

the guess is the following code does not cover the primitive string.
*/
    JSValue s = exec->argument(0);
    if (s.isString() && s.isTainted()) {
        HTMLDocument* d1 = static_cast<HTMLDocument*>(castedThis->impl());
        d1->setTainted(s.isTainted());

	TaintedStructure trace_struct;
	trace_struct.taintedno = s.isTainted();
	trace_struct.internalfunc = "jsHTMLDocumentPrototypeFunctionWrite";
	trace_struct.jsfunc = "document.write";
	trace_struct.action = "sink";
	trace_struct.value = TaintedUtils::UString2string(s.toString(exec));

	TaintedTrace* trace = TaintedTrace::getInstance();
	trace->addTaintedTrace(trace_struct);
    }
    if (s.inherits(&StringObject::s_info)) {
        unsigned int tainted = asStringObject(s)->isTainted();
        if (tainted) {
            HTMLDocument* d2 = static_cast<HTMLDocument*>(castedThis->impl());
            d2->setTainted(tainted);

	    TaintedStructure trace_struct;
	    trace_struct.taintedno = tainted;
	    trace_struct.internalfunc = "jsHTMLDocumentPrototypeFunctionWrite";
	    trace_struct.jsfunc = "document.write";
	    trace_struct.action = "sink";
	    trace_struct.value = TaintedUtils::UString2string(s.toString(exec));

	    TaintedTrace* trace = TaintedTrace::getInstance();
	    trace->addTaintedTrace(trace_struct);
        }
    }
#endif
    return JSValue::encode(castedThis->write(exec));
}
コード例 #3
0
ファイル: JSHTMLDocument.cpp プロジェクト: dpnishant/tpjs
EncodedJSValue JSC_HOST_CALL jsHTMLDocumentPrototypeFunctionWriteln(ExecState* exec)
{
    JSValue thisValue = exec->hostThisValue();
    if (!thisValue.inherits(&JSHTMLDocument::s_info))
        return throwVMTypeError(exec);
    JSHTMLDocument* castedThis = static_cast<JSHTMLDocument*>(asObject(thisValue));
#if defined(JSC_TAINTED)
    JSValue s = exec->argument(0);
    if (s.isString() && s.isTainted() > 0) {
        HTMLDocument* d1 = static_cast<HTMLDocument*>(castedThis->impl());
        d1->setTainted(s.isTainted());

	TaintedStructure trace_struct;
	trace_struct.taintedno = s.isTainted();
	trace_struct.internalfunc = "jsHTMLDocumentPrototypeFunctionWriteln";
	trace_struct.jsfunc = "document.writeln";
	trace_struct.action = "sink";
	trace_struct.value = TaintedUtils::UString2string(s.toString(exec));

	TaintedTrace* trace = TaintedTrace::getInstance();
	trace->addTaintedTrace(trace_struct);
    }
    if (s.inherits(&StringObject::s_info)) {
	unsigned int tainted = asStringObject(s)->isTainted();
        if (tainted) {
            HTMLDocument* d2 = static_cast<HTMLDocument*>(castedThis->impl());
            d2->setTainted(tainted);

	    TaintedStructure trace_struct;
	    trace_struct.taintedno = tainted;
	    trace_struct.internalfunc = "jsHTMLDocumentPrototypeFunctionWriteln";
	    trace_struct.jsfunc = "document.writeln";
	    trace_struct.action = "sink";
	    trace_struct.value = TaintedUtils::UString2string(s.toString(exec));

	    TaintedTrace* trace = TaintedTrace::getInstance();
	    trace->addTaintedTrace(trace_struct);
        }
    }
#endif
    return JSValue::encode(castedThis->writeln(exec));
}
コード例 #4
0
ファイル: JSLocation.cpp プロジェクト: dmitris/tpjs
void setJSLocationHash(ExecState* exec, JSObject* thisObject, JSValue value)
{
#ifdef JSC_TAINTED
    unsigned int tainted = 0;
    if (value.isString() && value.isTainted()) {
	tainted = value.isTainted();
    }
    if (value.inherits(&StringObject::s_info) && asStringObject(value)->isTainted()) {
	tainted = asStringObject(value)->isTainted();
    }
    if (value.isObject()) {
        UString s = value.toString(exec);
        if (s.isTainted()) {
		tainted = s.isTainted();
	}
    }
    if (tainted) {
        JSLocation* castedThis = static_cast<JSLocation*>(thisObject);
	Location* imp = static_cast<Location*>(castedThis->impl());
        imp->frame()->document()->setTainted(tainted);

	TaintedStructure trace_struct;
	trace_struct.taintedno = tainted;
	trace_struct.internalfunc = "setJSLocationHash";
	trace_struct.jsfunc = "location.hash";
	trace_struct.action = "sink";

	char msg[20];
	stringstream msgss;
	snprintf(msg, 20, "%s", value.toString(exec).utf8(true).data());
	msgss << msg;
	msgss >> trace_struct.value;

	TaintedTrace* trace = TaintedTrace::getInstance();
	trace->addTaintedTrace(trace_struct);
    }
#endif
    static_cast<JSLocation*>(thisObject)->setHash(exec, value);
}