05-24-20, 09:03 AM   #5
MunkDev
A Scalebane Royal Guard
Join Date: Mar 2015
Posts: 431
Taint is pretty easy to understand, but these forums make it complicated by saying "you can't trust the logs". What you basically need to do is look for any piece of code that modifies existing Blizzard code without using provided widget API. The problem with taint is generally that you replace methods or variables used in secure scopes, or that you call a method/function that has side effects.

What you can't safely do:
Lua Code:
    -- this can spread taint if the method has side effects,
    -- such as modifying a table or variable which can be accessed by secure code
    SomeBlizzardFrame:MethodImplementedInLua(...);
    -- this will taint a key in the table SomeBlizzardFrame,
    -- because you modified it from insecure code
    SomeBlizzardFrame.someTableKeyUsedByBlizzard = someValue;

    -- this is a bad way of hooking/replacing a method.
    -- the only way to do it correctly is to use hooksecurefunc
    local oldFunction = SomeBlizzardFrame.FunctionYouWantToHook;
    function SomeBlizzardFrame:FunctionYouWantToHook(...)
        -- do something new
        oldFunction(self, ...);
    end

    -- this variable is now tainted, and if it's accessed by secure code,
    -- the entire execution path thereafter will also be tainted
    A_BLIZZARD_GLOBAL_USED_SOMEWHERE = someValue;

The issue with calling existing methods implemented in pure Lua (if you can find the function definition in the Lua source code, it's risky to call it) can be a bit obscure, but I'll show you an example. Let's say you have a function like this:
Lua Code:
    function SomeBlizzardFrame:MethodImplementedInLua(...)
        -- function does a bunch of things, but at the end...
        self.update = true;
    end
The last line there will taint the frame if YOU call it, but not if Blizzard calls it. This is a side effect, meaning that the function does not only affect the data you send to it, but also some data that persists after the function call. Generally, methods like this that add things to datasets, or store them somewhere using a normal table, will spread your taint.

Blizzard has workarounds for some things that addons need to be able to access, and in that case you will find Blizzard using securecall to wrap the function call in a secure closure (meaning taint will not affect the outcome), or the opposite, forceinsecure, to say "we don't know this next bit of code is going to be safe".

The reason you get a weird reference to something you haven't even touched is that you touched the code somewhere BEFORE that line was executed, which is when the tainted execution path was discovered. You can't trust the log in that sense, but tracing back from where the error occurred will lead to where you modified something that eventually carried taint to the breaking point.

As a rule of thumb, it's easier to look for places where you used/modified existing code indiscriminately, than it is to follow the stack trace from a taint error.

Last edited by MunkDev : 09-20-20 at 04:30 PM.
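As an added example (not code from MunkDev's post), here is the hooksecurefunc alternative to the method replacement shown above, together with the issecurevariable check that tells you whether a key on a Blizzard frame has picked up your addon's taint. SomeBlizzardFrame, FunctionYouWantToHook and MethodImplementedInLua are the post's placeholder names and are assumed to stand for a real Blizzard-created frame and its methods inside the client.

```lua
-- Assumed: SomeBlizzardFrame is a real frame created by Blizzard's secure UI code,
-- and the two method names are placeholders for methods it actually has.
-- Run from addon code inside the WoW client; the API calls (hooksecurefunc,
-- issecurevariable, issecure) are the client's own.

-- SAFE post-hook: the original method runs first, securely, then our function is
-- called with the same arguments. The table key keeps its secure status because
-- we never overwrote it from insecure code.
hooksecurefunc(SomeBlizzardFrame, "FunctionYouWantToHook", function(self, ...)
    -- react to the call here, but only touch our own data:
    -- writing to a key that Blizzard's secure code later reads would still taint it
    local ourAddonState = { lastArgs = { ... } }
    -- issecure() is false here: hook bodies always execute with the addon's taint
    print("hook ran, secure execution:", issecure())
end)

-- Detection: did anything we did taint a key that secure code relies on?
-- issecurevariable(table, key) returns true if the key is secure, otherwise
-- false plus the name of the addon that tainted it.
local function reportKey(key)
    local secure, taintedBy = issecurevariable(SomeBlizzardFrame, key)
    if secure then
        print(key, "is still secure")
    else
        print(key, "is TAINTED by", taintedBy)
    end
end

reportKey("FunctionYouWantToHook") -- expected: still secure after hooksecurefunc

-- The side-effect case from the post: calling a Lua-implemented Blizzard method
-- from addon code lets its internal writes (self.update = true) carry our taint.
reportKey("update")                       -- before the call
SomeBlizzardFrame:MethodImplementedInLua()
reportKey("update")                       -- after: expected TAINTED by this addon
```

The second reportKey pair is the cheap way to confirm the "side effect" explanation: the key was written by Blizzard's own function, but because the call originated from your addon, the write is yours as far as the taint system is concerned.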