DOMinator
tainted flag is not propagated through RegExp.source()
The tainted flag is not propagated through RegExp.source() method:
var s = new StringTainted("foo"); // "foo" is the attack payload
s.tainted; // true
var re = new RegExp('/' + s + '/', 'g');
var src = re.source(); // "\/foo\/" - the attack payload inside
src.tainted; // false, should be true
Let me know if you consider this a valid case; I can add it to tainttests/unit_tests.js.
I think you actually got a partial bug in the taint prop in regexp.source, but before accepting it, let me give you a couple of working examples: First, in order to make it work I have to rewrite it.
Then the following example works as expected:
var s = String.newTainted("foo","source"); // "foo" is the attack payload
s.tainted; // true
var re = new RegExp( s , 'g');
var src = re.source; // "foo" - the attack payload inside
src.tainted;
If you check, src.tainted is true. On the other side, I think I missed a propagation here. Only in case you add '/' or another char that needs to be escaped, SpiderMonkey actually rewrites the string and loses the tainting. js/src/jsregexp.cpp EscapeNakedForwardSlashes should be the place. I'll look better into that.
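An added example (not DOMinator's or SpiderMonkey's code) that models the propagation gap described in the reply: a tainted-string wrapper, a rewrite that escapes naked forward slashes (the function name escapeNakedForwardSlashesRaw and its exact behaviour are assumptions), and the lossy versus taint-preserving way of deriving RegExp.source from a tainted pattern.

```javascript
// Constructed model: a tainted string is a plain string plus a `tainted` flag.
// Any transformation that builds a *new* string (here: escaping naked forward
// slashes before it becomes RegExp.source) must copy the flag explicitly,
// otherwise the taint is lost exactly as in the report above.
class TaintedString {
  constructor(value, tainted = false, source = null) {
    this.value = value;      // the string payload
    this.tainted = tainted;  // true if derived from attacker-controlled input
    this.source = source;    // label of where the taint came from, e.g. "source"
  }
  toString() { return this.value; }
}

// Concatenation propagates taint: the result is tainted if any part is.
function concat(...parts) {
  const taintedPart = parts.find(p => p instanceof TaintedString && p.tainted);
  return new TaintedString(parts.map(String).join(''),
                           taintedPart !== undefined,
                           taintedPart ? taintedPart.source : null);
}

// Escape '/' characters that are not already escaped; an assumed stand-in for
// EscapeNakedForwardSlashes in js/src/jsregexp.cpp. Works on a raw string and
// therefore knows nothing about taint.
function escapeNakedForwardSlashesRaw(str) {
  let out = '';
  for (let i = 0; i < str.length; i++) {
    const c = str[i];
    if (c === '\\' && i + 1 < str.length) {  // keep an existing escape pair untouched
      out += c + str[++i];
      continue;
    }
    out += (c === '/') ? '\\/' : c;
  }
  return out;
}

// Lossy: the rewritten string is a fresh value and the flag is dropped
// (the behaviour the report observed for '/' in the pattern).
function regExpSourceLossy(pattern) {
  return new TaintedString(escapeNakedForwardSlashesRaw(String(pattern)));
}

// Propagating: the rewritten string inherits the taint of its input.
function regExpSourcePropagating(pattern) {
  const escaped = escapeNakedForwardSlashesRaw(String(pattern));
  return pattern instanceof TaintedString
    ? new TaintedString(escaped, pattern.tainted, pattern.source)
    : new TaintedString(escaped);
}
```

The same rule applies to every rewriting primitive in the engine: propagation cannot be inferred from the output string alone, so each copy site must carry the flag across.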