tmbrbr · 0drai · Aug 2, 2024 · Aug 2, 2024 · Aug 2, 2024 · Aug 4, 2024
diff --git a/gfx/qcms/src/lib.rs b/gfx/qcms/src/lib.rs
@@ -7,12 +7,13 @@
 #![allow(non_upper_case_globals)]
 // These are needed for the neon SIMD code and can be removed once the MSRV supports the
 // instrinsics we use
-#![cfg_attr(feature = "neon", feature(stdsimd))]
-#![cfg_attr(
-    feature = "neon",
-    feature(arm_target_feature, raw_ref_op)
-
-)]
+// TODO(0drai): Cannot build taintfox unless this is removed :/
+//#![cfg_attr(feature = "neon", feature(stdsimd))]
+//#![cfg_attr(
+//    feature = "neon",
+//    feature(arm_target_feature, raw_ref_op)
+//
+//)]
 
 /// These values match the Rendering Intent values from the ICC spec
 #[repr(C)]

diff --git a/js/public/experimental/TypedData.h b/js/public/experimental/TypedData.h
@@ -139,7 +139,7 @@ extern JS_PUBLIC_API JSObject* UnwrapReadableStream(JSObject* obj);
 namespace detail {
 
 constexpr size_t TypedArrayLengthSlot = 1;
-constexpr size_t TypedArrayDataSlot = 3;
+constexpr size_t TypedArrayDataSlot = 4;
 
 }  // namespace detail
 

diff --git a/js/src/builtin/Array.cpp b/js/src/builtin/Array.cpp
@@ -41,6 +41,7 @@
 #include "vm/JSContext.h"
 #include "vm/JSFunction.h"
 #include "vm/JSObject.h"
+#include "vm/NumberObject.h"
 #include "vm/PlainObject.h"  // js::PlainObject
 #include "vm/SelfHosting.h"
 #include "vm/Shape.h"
@@ -3898,6 +3899,8 @@ static bool array_slice(JSContext* cx, unsigned argc, Value* vp) {
 
   /* Step 12. */
   args.rval().setObject(*arr);
+  //TODO(SAM) - Trace the array object
+  /*arr->as<ArrayObject>()*/
   return true;
 }
 
@@ -4087,7 +4090,6 @@ enum class SearchKind {
   // semantics are used.
   Includes,
 };
-
 template <SearchKind Kind, typename Iter>
 static bool SearchElementDense(JSContext* cx, HandleValue val, Iter iterator,
                                MutableHandleValue rval) {
@@ -4118,8 +4120,15 @@ static bool SearchElementDense(JSContext* cx, HandleValue val, Iter iterator,
   }
 
   // Fast path for numbers.
-  if (val.isNumber()) {
-    double dval = val.toNumber();
+  if (val.isNumber() || isTaintedNumber(val)) {
+    double dval;
+    if(isTaintedNumber(val)) {
+      if (!ToNumber(cx, val, &dval)) {
+        return false;
+      }
+    } else {
+      dval  = val.toNumber();
+    }
     // For |includes|, two NaN values are considered equal, so we use a
     // different implementation for NaN.
     if (Kind == SearchKind::Includes && std::isnan(dval)) {
@@ -4129,8 +4138,15 @@ static bool SearchElementDense(JSContext* cx, HandleValue val, Iter iterator,
       };
       return iterator(cx, cmp, rval);
     }
-    auto cmp = [dval](JSContext*, const Value& element, bool* equal) {
-      *equal = (element.isNumber() && element.toNumber() == dval);
+    auto cmp = [dval](JSContext* context, const Value& element, bool* equal) {
+      if(isTaintedNumber(element)) {
+	NumberObject* obj = &element.toObject().as<NumberObject>();
+        double x = obj->unbox();;
+
+	*equal = x == dval;
+      } else {
+        *equal  = (element.isNumber() && element.toNumber() == dval);
+      }
       return true;
     };
     return iterator(cx, cmp, rval);
@@ -4960,6 +4976,7 @@ static inline bool ArrayConstructorImpl(JSContext* cx, CallArgs& args,
 
 /* ES5 15.4.2 */
 bool js::ArrayConstructor(JSContext* cx, unsigned argc, Value* vp) {
+  //TODO(SAM) - Trace the array object
   AutoJSConstructorProfilerEntry pseudoFrame(cx, "Array");
   CallArgs args = CallArgsFromVp(argc, vp);
   return ArrayConstructorImpl(cx, args, /* isConstructor = */ true);

diff --git a/js/src/builtin/Boolean.cpp b/js/src/builtin/Boolean.cpp
@@ -21,6 +21,7 @@
 #include "vm/JSObject.h"
 
 #include "vm/BooleanObject-inl.h"
+#include "vm/NumberObject-inl.h"
 
 using namespace js;
 
@@ -109,6 +110,16 @@ static const JSFunctionSpec boolean_methods[] = {
 static bool Boolean(JSContext* cx, unsigned argc, Value* vp) {
   CallArgs args = CallArgsFromVp(argc, vp);
 
+  //TODO(0drai): For cases where the Boolean constructor is used
+  //e.g., Boolean(taintedValue)
+
+  if (isTaintedNumber(args[0])){
+    // NOTE(0drai): Save since isTainted* checks for type
+    double d = args[0].toObject().as<NumberObject>().unbox();
+    JSObject *v = NumberObject::create(cx, d);
+    args[0].setObject(*v);
+  }
+
   // Step 1.
   bool b = args.length() != 0 ? JS::ToBoolean(args[0]) : false;
 
@@ -173,5 +184,13 @@ JS_PUBLIC_API bool js::ToBooleanSlow(HandleValue v) {
 #endif
 
   MOZ_ASSERT(v.isObject());
+  // Workaround for #216
+  if (isTaintedNumber(v)) {
+    // NOTE(0drai): Save since isTainted* checks for type
+    double d = v.toObject().as<NumberObject>().unbox();
+    if (std::isnan(d)) return false;
+    return d != 0;
+  }
+
   return !EmulatesUndefined(&v.toObject());
 }
diff --git a/js/src/builtin/DataViewObject.cpp b/js/src/builtin/DataViewObject.cpp
@@ -64,6 +64,13 @@ DataViewObject* DataViewObject::create(
     return nullptr;
   }
 
+  obj->setReservedSlot(TAINT_SLOT, PrivateValue(nullptr));
+
+  if (arrayBuffer && arrayBuffer->isWasm()) {
+    obj->setTaint(
+        TaintFlow(TaintOperationFromContext(cx, "WASM Array taint source", true)));
+  }
+
   return obj;
 }
 
@@ -1017,6 +1024,7 @@ const JSPropertySpec DataViewObject::properties[] = {
     JS_PSG("buffer", DataViewObject::bufferGetter, 0),
     JS_PSG("byteLength", DataViewObject::byteLengthGetter, 0),
     JS_PSG("byteOffset", DataViewObject::byteOffsetGetter, 0),
+    JS_PSG("taint", js::Array_taintGetter, JSPROP_PERMANENT),
     JS_STRING_SYM_PS(toStringTag, "DataView", JSPROP_READONLY), JS_PS_END};
 
 JS_PUBLIC_API JSObject* JS_NewDataView(JSContext* cx, HandleObject buffer,

diff --git a/js/src/builtin/String.cpp b/js/src/builtin/String.cpp
@@ -155,6 +155,51 @@ js::str_tainted(JSContext* cx, unsigned argc, Value* vp)
   return true;
 }
 
+bool js::str_taintedFromArray(JSContext* cx, unsigned argc, Value* vp)
+{
+  // String.taintedFromArray(string, operation, array, array.taint.length)
+  CallArgs args = CallArgsFromVp(argc, vp);
+
+  RootedString str(cx, ArgToLinearString(cx, args, 0));
+  if (!str || str->length() == 0) {
+    return false;
+  }
+
+  RootedString opName(cx, args[1].toString());
+  if (!opName) {
+    return false;
+  }
+
+  UniqueChars op_chars = JS_EncodeStringToUTF8(cx, opName);
+  if (!op_chars) {
+    return false;
+  }
+
+  TaintFlow op = TaintFlow(TaintOperationFromContext(cx,op_chars.get(), true));
+  TaintFlow arrayTaintFlow = JS::getValueTaint(args[2]);
+  TaintFlow combined = TaintFlow::append(arrayTaintFlow, op);
+
+  double taintFlowSize = 0;
+
+  if (!ToInteger(cx, args[3], &taintFlowSize)) {
+    return false;
+  }
+
+  SafeStringTaint taint(combined, taintFlowSize + 1);
+
+  JSString* tainted_str = NewDependentString(cx, str, 0, str->length());
+  if (!tainted_str) {
+    return false;
+  }
+
+  tainted_str->setTaint(taint);
+
+  MOZ_ASSERT(tainted_str->isTainted());
+
+  args.rval().setString(tainted_str);
+  return true;
+}
+
 /*
  * TaintFox: taint property implementation.
  *
@@ -4508,6 +4553,7 @@ static const JSFunctionSpec string_static_methods[] = {
 
     // TaintFox: Helper function for manual taint sources.
     JS_FN("tainted",              str_tainted,          1,0),
+    JS_FN("taintedFromArray", str_taintedFromArray, 4,0),
 
     JS_FS_END};
 

diff --git a/js/src/builtin/String.h b/js/src/builtin/String.h
@@ -35,6 +35,8 @@ extern bool str_fromCodePoint_one_arg(JSContext* cx, HandleValue code,
 // TaintFox: Exported for the js shell: taint(str).
 bool str_tainted(JSContext* cx, unsigned argc, Value* vp);
 
+bool str_taintedFromArray(JSContext* cx, unsigned argc, Value* vp);
+
 extern bool str_includes(JSContext* cx, unsigned argc, Value* vp);
 
 extern bool str_indexOf(JSContext* cx, unsigned argc, Value* vp);

diff --git a/js/src/builtin/TypedArray.js b/js/src/builtin/TypedArray.js
@@ -603,6 +603,15 @@ function TypedArrayIndexOf(searchElement, fromIndex = 0) {
 
     // Steps 11.b.i-iii.
     if (O[k] === searchElement) {
+      // Taintfox: add taint to the result if the searchElement is tainted....
+      if (searchElement?.taint?.length > 0) {
+          k = AddTaintOperationToNumberFromNumber(O, k, "indexOf", searchElement);
+      }
+
+      //... or the source array
+      else if (O?.taint?.length > 0){
+        //TODO(0drai): implement
+      }
       return k;
     }
   }
@@ -677,6 +686,11 @@ function TypedArrayJoin(separator) {
     R += sep + ToString(element);
   }
 
+  // Taintfox: add taint to the result if the source array is tainted
+  if (O && O.taint?.length > 0){
+    AddTaintOperationNative(R, "join", O.taint[0]);
+  }
+
   // Step 9.
   return R;
 }
@@ -1029,6 +1043,14 @@ function TypedArraySlice(start, end) {
     }
   }
 
+  // Taintfox: add taint to the result if the source array
+  // or the start index is tainted
+  if (start && start.taint?.length > 0) {
+    AddTaintOperationToArray(A, "slice", start);
+  } else if (O && O.taint?.length > 0){
+    AddTaintOperationToArray(A, "slice", O);
+  }
+
   // Step 16.
   return A;
 }
@@ -1282,12 +1304,23 @@ function TypedArraySubarray(begin, end) {
   var beginByteOffset = srcByteOffset + beginIndex * elementSize;
 
   // Steps 15-16.
-  return TypedArraySpeciesCreateWithBuffer(
+  var result =  TypedArraySpeciesCreateWithBuffer(
     obj,
     buffer,
     beginByteOffset,
     newLength
   );
+
+  // Taintfox: add taint to the result if the sliced array or any other parameter is tainted
+  if (begin?.taint?.length > 0) {
+    AddTaintOperationToArray(result, "subarray", begin);
+  } else if (end?.taint?.length > 0) {
+    AddTaintOperationToArray(result, "subarray", end);
+  } else if (obj?.taint?.length > 0){
+    AddTaintOperationToArray(result, "subarray", obj);
+  }
+
+  return result;
 }
 
 // https://tc39.es/proposal-relative-indexing-method
@@ -1327,6 +1360,8 @@ function TypedArrayAt(index) {
     return undefined;
   }
 
+  //ReportWasmTaintSink(obj, obj[k]);
+
   // Step 8.
   return obj[k];
 }
@@ -1562,6 +1597,11 @@ function TypedArrayStaticFrom(source, mapfn = undefined, thisArg = undefined) {
           targetObj[k] = source[k];
         }
 
+        // Taintfox: add taint to the result if the source array is tainted
+        if (source?.taint?.length > 0){
+          AddTaintOperationToArray(targetObj, "from", source);
+        }
+
         // Step 7.g.
         return targetObj;
       }
@@ -1578,6 +1618,10 @@ function TypedArrayStaticFrom(source, mapfn = undefined, thisArg = undefined) {
         // Steps 7.a, 7.d-f.
         TypedArrayInitFromPackedArray(targetObj, source);
 
+        if (source?.taint?.length > 0){
+          AddTaintOperationToArray(targetObj, "from", source);
+        }
+
         // Step 7.g.
         return targetObj;
       }
@@ -1611,6 +1655,9 @@ function TypedArrayStaticFrom(source, mapfn = undefined, thisArg = undefined) {
     // the list's start in the loop above. That would introduce unacceptable overhead.
     // Additionally, the loop's logic is simple enough not to require the assert.
 
+    if (source?.taint?.length > 0){
+      AddTaintOperationToArray(targetObj, "from", source);
+    }
     // Step 7.g.
     return targetObj;
   }
@@ -1639,6 +1686,9 @@ function TypedArrayStaticFrom(source, mapfn = undefined, thisArg = undefined) {
 
     // Step 13.e.
     targetObj[k] = mappedValue;
+    if (kValue?.taint?.length > 0){
+      AddTaintOperationToArray(targetObj, "from", kValue);
+    }
   }
 
   // Step 14.
@@ -1664,9 +1714,16 @@ function TypedArrayStaticOf(/*...items*/) {
   // Step 5.
   var newObj = TypedArrayCreateWithLength(C, len);
 
+  var value = null;
+
   // Steps 6-7.
   for (var k = 0; k < len; k++) {
-    newObj[k] = GetArgument(k);
+    value = GetArgument(k);
+    newObj[k] = value;
+    // Taintfox: add taint to the result if any item is tainted
+    if (value?.taint?.length > 0){
+      AddTaintOperationToArray(newObj, "of", value);
+    }
   }
 
   // Step 8.
@@ -1978,6 +2035,11 @@ function TypedArrayToReversed() {
     A[k] = fromValue;
   }
 
+  if (O?.taint?.length > 0){
+    // Taintfox: add taint to the result if the source array is tainted
+    AddTaintOperationToArray(A, "reversed", O);
+  }
+
   // Step 7. Return A.
   return A;
 }