taintflow
TaintFlow, a framework for JavaScript dynamic information flow analysis.
We should add some API documentation for all public classes and functions of `taintflow-runtime`.
Implement `taintflow.intercept` to support runtime interception of `AssignmentExpression`s like `+=`. Maybe it's also a good idea to rewrite expressions like `a.b.c += x` to `temp = a.b, temp.c = temp.c...
We should ensure that instrumentation does not change visible behaviour of real-world scripts in browser.
Examples:

```javascript
const foo = {};
Reflect.defineProperty(foo, "bar", {
  get: Flow.tainted(() => "bar"),
});
// TypeError: Getter must be a function: [object Object]
```

```javascript
JSON.stringify({foo: Flow.tainted("bar")});
```

Caveat: if...
For example:

```javascript
document.body.innerHTML = Flow.tainted("Hello"); // prints "[object Object]"
```

Related to: #48.
- [ ] Consider removing useless generic parameters like `Object` and `Property` in `MemberExpression`.
- [x] Consider simplifying `*Description`.
- [ ] Consider adding more methods to `EvaluatedExpression`s (like `typeof`...
We should mark transformed functions in some way to properly identify instrumented functions at runtime, for example, via `Reflection.isInstrumented(function)`. This feature will be useful when deciding if a value should remain...
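The following is an added illustration of the two issues above, the tainted boxes leaking into visible behaviour (getter descriptors, `JSON.stringify`, string coercion) and the need to mark instrumented functions at runtime. It is not TaintFlow's code and does not use its API: `NaiveBox`, `TaintBox`, `taint`, `untaint`, `untaintArg`, `markInstrumented`, `isInstrumented`, `applyFn` and `sinkLog` are hypothetical names chosen for this example. It shows a box that coerces transparently, and a call-boundary rule that strips boxes (while recording the flow) only when the callee is not an instrumented function.

```javascript
"use strict";
// Added illustration, not TaintFlow's own code. All names below are
// hypothetical: NaiveBox, TaintBox, taint, untaint, untaintArg,
// markInstrumented, isInstrumented, applyFn, sinkLog.

// The naive box: a plain object carrying the value and nothing else.
class NaiveBox { constructor(value) { this.value = value; } }

// The hardened box: coercion hooks make it behave like its value wherever
// JS converts implicitly (concatenation, template literals, arithmetic,
// JSON.stringify).
class TaintBox {
  constructor(value, label) { this.value = value; this.label = label; }
  [Symbol.toPrimitive](hint) {
    const v = this.value;
    if (v === null || (typeof v !== "object" && typeof v !== "function")) return v;
    return hint === "number" ? Number(v) : String(v); // object values: coerce as the engine would
  }
  toJSON() { return this.value; } // consulted before own properties are serialised
}
function taint(value, label) { return new TaintBox(value, label); }

// Instrumented-function registry: a transformer would mark every function it
// rewrote, so the runtime can tell whether a callee understands boxes.
const instrumented = new WeakSet();
function markInstrumented(fn) { instrumented.add(fn); return fn; }
function isInstrumented(fn) { return instrumented.has(fn); }

// Flows that reached an uninstrumented callee; recording them keeps the taint
// information after the box itself has been stripped.
const sinkLog = [];
function untaint(v, where) {
  if (v instanceof TaintBox) { sinkLog.push({ label: v.label, where }); return v.value; }
  return v;
}
function untaintArg(v, where) {
  if (v instanceof TaintBox) return untaint(v, where);
  // Arrays and plain objects (e.g. a property descriptor) are unwrapped one
  // level in place, so the callee still sees the same object identity.
  const plain = v !== null && typeof v === "object" &&
    (Array.isArray(v) || Object.getPrototypeOf(v) === Object.prototype);
  if (plain) for (const k of Object.keys(v)) if (v[k] instanceof TaintBox) v[k] = untaint(v[k], where);
  return v;
}

// What an instrumented CallExpression would do: boxes pass into instrumented
// callees unchanged, but are unwrapped (and logged) before a native or
// uninstrumented function sees them.
function applyFn(fn, thisArg, args) {
  if (isInstrumented(fn)) return Reflect.apply(fn, thisArg, args);
  const where = fn.name || "anonymous";
  return Reflect.apply(fn, untaintArg(thisArg, where), args.map((a) => untaintArg(a, where)));
}

// The naive box changes visible behaviour in all three of the reported ways.
function naiveResults() {
  let getterError = null;
  try { Reflect.defineProperty({}, "bar", { get: new NaiveBox(() => "bar") }); }
  catch (e) { getterError = e.constructor.name; }
  return {
    concat: "Hello " + new NaiveBox("world"),           // "Hello [object Object]"
    json: JSON.stringify({ foo: new NaiveBox("bar") }), // '{"foo":{"value":"bar"}}'
    getterError,                                        // "TypeError"
  };
}

// The hardened box coerces transparently; the getter case still needs the
// call-boundary unwrapping, because no hook turns an object into a function.
function hardenedResults() {
  sinkLog.length = 0;
  const foo = {};
  applyFn(Reflect.defineProperty, Reflect, [foo, "bar", { get: taint(() => "bar", "user") }]);
  const keepsBox = markInstrumented(function keepsBox(v) {
    return v instanceof TaintBox ? v.label : "stripped";
  });
  return {
    concat: "Hello " + taint("world", "user"),           // "Hello world"
    json: JSON.stringify({ foo: taint("bar", "user") }), // '{"foo":"bar"}'
    getter: foo.bar,                                     // "bar"
    instrumentedCallee: applyFn(keepsBox, undefined, [taint("x", "cookie")]), // "cookie"
    nativeCallee: applyFn(String, undefined, [taint("x", "cookie")]),         // "x"
    flows: sinkLog.map((f) => `${f.label}->${f.where}`), // ["user->defineProperty", "cookie->String"]
  };
}
```

Even the hardened box is still an object to `typeof`, `instanceof` and `===`, so those operators have to be instrumented as well; the in-place unwrapping of a descriptor also removes the box from that object permanently, which is why the flow is logged at that moment rather than relied upon later.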
The transformer exports a `taintflowed` function which is used only for testing purposes and is confusing for users.