SAP / project-foxhound

A web browser with dynamic data-flow tracking enabled in the JavaScript engine and DOM, based on Mozilla Firefox (https://github.com/mozilla/gecko-dev). It can be used to identify insecure data flows or data privacy leaks in client-side web applications.
GNU General Public License v3.0

Failing Tests for DOMParser #194

Closed tmbrbr closed 5 months ago

tmbrbr commented 10 months ago

There are some DOMParser tests which are failing:

```sh
./mach test --log-xunit=taint_test_output.xml --headless taint/test/mochitest/test_dom_parser.html
```

In particular, the XML parser is failing to propagate tainting information:

```js
const tainted_xml_str = "<warning>" + tainted_str + "</warning>";
const doc2 = parser.parseFromString(tainted_xml_str, "application/xml");

check_tainted(doc2.documentElement.textContent);  // Failing!
```

leeN commented 6 months ago

I have looked into this a bit, and as far as I can see, fixing this is a significant amount of effort. As far as I found, Firefox delegates XML parsing to expat, a third-party library written in C. Now, this is possible to modify to be taint aware, but I am not quite sure whether it is a sensible time investment.
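
Added example, not part of the thread or of Foxhound's code: a toy JavaScript model of the boundary discussed above, in which taint ranges survive string concatenation but are lost once the text is handed to a parser that only sees raw characters. `TStr`, `nativeTextContent`, `parseUnaware` and `parseAware` are hypothetical names, and the regex-based parser is only a stand-in for a native library such as expat.

```javascript
// Toy model of range-based taint tracking (constructed; not Foxhound's implementation).
class TStr {
  constructor(text, ranges = []) {
    this.text = text;
    this.ranges = ranges; // [{ begin, end, source }], end exclusive
  }
  get tainted() { return this.ranges.length > 0; }
  // Concatenation keeps taint: right-hand ranges shift by the left length.
  concat(other) {
    const o = other instanceof TStr ? other : new TStr(String(other));
    const n = this.text.length;
    const shifted = o.ranges.map(r => ({ ...r, begin: r.begin + n, end: r.end + n }));
    return new TStr(this.text + o.text, [...this.ranges, ...shifted]);
  }
  // Taint-aware slice: clip every range to the window and rebase it.
  slice(begin, end) {
    const ranges = this.ranges
      .map(r => ({ ...r, begin: Math.max(r.begin, begin) - begin, end: Math.min(r.end, end) - begin }))
      .filter(r => r.begin < r.end);
    return new TStr(this.text.slice(begin, end), ranges);
  }
}

// Stand-in for a taint-unaware native parser: it only ever sees raw characters.
function nativeTextContent(rawChars) {
  const m = /^<(\w+)>([^<]*)<\/\1>$/.exec(rawChars);
  if (!m) throw new Error("not a single-element document");
  return { text: m[2], offset: m[1].length + 2 }; // offset of the text node in the input
}

// Modelled failure: the taint metadata is dropped when only raw text crosses the call.
function parseUnaware(input) {
  return new TStr(nativeTextContent(input.text).text);
}

// Taint-aware boundary: carry the ranges across using the reported offset.
function parseAware(input) {
  const { text, offset } = nativeTextContent(input.text);
  return input.slice(offset, offset + text.length);
}

// Constructed sample mirroring the failing test's input shape.
const taintedStr = new TStr("hello", [{ begin: 0, end: 5, source: "location.hash" }]);
const xml = new TStr("<warning>").concat(taintedStr).concat("</warning>");
console.log(xml.tainted, parseUnaware(xml).tainted, parseAware(xml).tainted);
```

The offset mapping here is simple only because the toy parser returns the text unchanged; a real XML parser decodes entities and normalizes content, so input and output offsets no longer line up one to one.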

tmbrbr commented 5 months ago

Thanks for looking into this! Given the time investment, I am not sure this is worthwhile unless there is an explicit need for it.

leeN commented 5 months ago

I'll close this as WONTFIX based on our call yesterday. If somebody really wants to do this she can reopen an issue and contribute a PR I suppose :)