SAP / project-foxhound

A web browser with dynamic data-flow tracking enabled in the Javascript engine and DOM, based on Mozilla Firefox (https://github.com/mozilla/gecko-dev). It can be used to identify insecure data flows or data privacy leaks in client-side web applications.
GNU General Public License v3.0

Playwright (primitaint) hangs with Playwright #213

Open 0drai opened 1 month ago

0drai commented 1 month ago

When launching Foxhound with Playwright, the program hangs after trying to create a new page.

const fs = require("fs");
const assert = require("assert");

const { firefox } = require("playwright"); // v1.42.1
const foxhoundPath = "foxhound"; // v121.0

assert(fs.existsSync(foxhoundPath), "foxhound is missing");

(async () => {
    const options = { executablePath: foxhoundPath, headless: false };
    const browser = await firefox.launch(options);
    const context = await browser.newContext();
    const page = await context.newPage();
    // XXX: hangs here
    await page.goto("https://domgo.at/cxss/example/1?payload=abcd&sp=x#12345");
    await browser.close();
})();

Output with $ DEBUG=pw:api

pw:api => browserType.launch started +0ms
pw:api <= browserType.launch succeeded +412ms
pw:api => browser.newContext started +1ms
pw:api <= browser.newContext succeeded +32ms
pw:api => browserContext.newPage started +0ms
# hangs 
Log with DEBUG="*browser*"

```
2024-06-11T06:46:02.933Z pw:browser foxhound -no-remote -wait-for-browser -foreground -profile /tmp/playwright_firefoxdev_profile-XXXXXXRUIGY2 -juggler-pipe -silent
2024-06-11T06:46:02.956Z pw:browser pid=4220
2024-06-11T06:46:03.169Z pw:browser [pid=4220][out] console.warn: services.settings: Ignoring preference override of remote settings server
2024-06-11T06:46:03.169Z pw:browser [pid=4220][out] console.warn: services.settings: Allow by setting MOZ_REMOTE_SETTINGS_DEVTOOLS=1 in the environment
2024-06-11T06:46:03.420Z pw:browser [pid=4220][out] console.error: ({})
2024-06-11T06:46:03.442Z pw:browser [pid=4220][out]
2024-06-11T06:46:03.443Z pw:browser [pid=4220][out] Juggler listening to the pipe
2024-06-11T06:46:03.480Z pw:browser [pid=4220][out] console.error: "Warning: unrecognized command line flag" "-wait-for-browser"
2024-06-11T06:46:03.531Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=anti-tracking-url-decoration&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:03.531Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=query-stripping&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:03.531Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=fingerprinting-protection-overrides&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:03.735Z pw:browser [pid=4220][out] isTaintedNum!!!!
2024-06-11T06:46:03.735Z pw:browser [pid=4220][out] isTaintedNum!!!!
2024-06-11T06:46:03.735Z pw:browser [pid=4220][out] isTaintedNum!!!!
2024-06-11T06:46:03.735Z pw:browser [pid=4220][out] isTaintedNum!!!!
2024-06-11T06:46:03.852Z pw:browser [pid=4220][err] JavaScript error: chrome://juggler/content/TargetRegistry.js, line 158: Error: Internal error: cannot find context for userContextId=6
2024-06-11T06:46:03.869Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=partitioning-exempt-urls&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.030Z pw:browser [pid=4220][out] isTaintedNum!!!!
2024-06-11T06:46:04.030Z pw:browser [pid=4220][out] isTaintedNum!!!!
2024-06-11T06:46:04.030Z pw:browser [pid=4220][out] console.error: ({})
2024-06-11T06:46:04.034Z pw:browser [pid=4220][out] isTaintedNum!!!!
2024-06-11T06:46:04.099Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=hijack-blocklists&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.100Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=search-telemetry-v2&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.127Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=search-config&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.205Z pw:browser [pid=4220][err] !!! Tainted flow into element.append from element.attribute !!!
2024-06-11T06:46:04.205Z pw:browser [pid=4220][err] JavaScript warning: chrome://global/content/elements/moz-button-group.mjs, line 77: Tainted flow from element.attribute into element.append!
2024-06-11T06:46:04.205Z pw:browser [pid=4220][err] !!! Tainted flow into element.append from element.attribute !!!
2024-06-11T06:46:04.205Z pw:browser [pid=4220][err] JavaScript warning: chrome://global/content/elements/moz-button-group.mjs, line 77: Tainted flow from element.attribute into element.append!
2024-06-11T06:46:04.205Z pw:browser [pid=4220][err] !!! Tainted flow into element.append from element.attribute !!!
2024-06-11T06:46:04.205Z pw:browser [pid=4220][err] JavaScript warning: chrome://global/content/elements/moz-button-group.mjs, line 77: Tainted flow from element.attribute into element.append!
2024-06-11T06:46:04.205Z pw:browser [pid=4220][err] !!! Tainted flow into element.append from element.attribute !!!
2024-06-11T06:46:04.205Z pw:browser [pid=4220][err] JavaScript warning: chrome://global/content/elements/moz-button-group.mjs, line 77: Tainted flow from element.attribute into element.append!
2024-06-11T06:46:04.214Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=top-sites&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.410Z pw:browser [pid=4220][out] isTaintedNum!!!!
2024-06-11T06:46:04.584Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=message-groups&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.585Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=cfr&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.586Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=message-groups&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.592Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=whats-new-panel&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.756Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=top-sites&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.756Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=top-sites&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.756Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=doh-providers&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.761Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=top-sites&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
2024-06-11T06:46:04.770Z pw:browser [pid=4220][out] console.error: (new SyntaxError("XMLHttpRequest.open: '/buckets/monitor/collections/changes/changeset?collection=doh-config&bucket=main&_expected=0' is not a valid URL.", (void 0), 133))
```

OS: Ubuntu 22.04
Foxhound: 121.0 (Primitaint https://github.com/SAP/project-foxhound/commit/49ac4c1d0de60bfbafaf87fa68b9834a6977d0b4)
Playwright: 1.42.1
Nodejs: 20.14

leeN commented 1 month ago

I think I found the error. When enabling all logs and comparing them to those with vanilla Firefox, there is a log entry that only occurs for Foxhound:

pw:browser [pid=1605671][err] JavaScript error: chrome://juggler/content/TargetRegistry.js, line 158: Error: Internal error: cannot find context for userContextId=6 +191ms

The underlying issue seems to be the following:

let m = new Map(); 
let nt = Number.tainted(42);
let nu = 42;
m.set(nt, "foo");
m.get(nu)
// undefined 
m.get(nt)
// "foo"

I'll rebuild Foxhound with Juggler and some custom logging enabled to confirm this.

leeN commented 1 month ago

Yeah, the taint status of userContextId is different between usages, causing it to not detect the context.

I'm not overly familiar with the primitaint code. Can you have a look @tmbrbr?

tmbrbr commented 1 month ago

@0drai thanks for your interest in Foxhound!

Just wondering if there is a particular reason you are using the 49ac4c1d0de60bfbafaf87fa68b9834a6977d0b4 commit from the primitaint branch?

The current best one to go for if you want primitive tainting is 3de1744b269f8acfd204954431a5c41dd18cbb7e, but this is still based on an old version of Firefox, which may not build any more due to outdated toolchains.

We are working on integrating primitive tainting into the main branch #211 but not sure on the timeline for this.

tmbrbr commented 1 month ago

If I understand the problem correctly, the underlying issue is setting and getting map members with tainted numbers?

@leeN can we add your code snippet above as a new unit test?

leeN commented 1 month ago

Yes, sure. Do you want to add it or shall I make a pull request to your primitaint-merge branch?

Oh, there seems to be a mixup, the build @0drai is using is the current tip of primitaint-merge, sorry. :)