[media] Check origin of messages #1643

Merged
merged 1 commit into from
Sep 26, 2023
4 changes: 4 additions & 0 deletions media/CfgEditor/index.js
Expand Up @@ -53,6 +53,10 @@ function main() {

// event from vscode extension
window.addEventListener("message", (event) => {
if (window.origin !== event.origin) {
console.log("Unexpected Origin: ", event.origin);
return;
}
const message = event.data;
switch (message.type) {
case "displayCfgToEditor":
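Review bot: the new guard assumes that messages posted by the extension host arrive with an `event.origin` equal to the webview's own `window.origin`, and nothing in this change verifies that; the reviewer thread on this PR raises the same uncertainty. Please confirm in a running VS Code webview that a `displayCfgToEditor` message still reaches the switch, and keep in mind that if the webview frame has an opaque origin, both `window.origin` and `event.origin` serialize to the string "null", in which case the equality check passes for any opaque-origin sender and provides no protection.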
4 changes: 4 additions & 0 deletions media/CircleEditor/index.js
Expand Up @@ -134,6 +134,10 @@ host.BrowserHost = class {
});

this.window.addEventListener("message", (event) => {
if (window.origin !== event.origin) {
console.log("Unexpected Origin: ", event.origin);
return;
}
const message = event.data;
switch (message.command) {
case "loadmodel":
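Review bot: the listener is registered on `this.window`, but the guard compares against the global `window.origin`; if `this.window` is ever a different window object from the global one, the message is checked against the wrong origin. Use `this.window.origin` here so the check follows the window the handler is attached to.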
4 changes: 4 additions & 0 deletions media/CircleGraph/index.js
Expand Up @@ -147,6 +147,10 @@ host.BrowserHost = class {
});

this.window.addEventListener("message", (event) => {
if (window.origin !== event.origin) {
console.log("Unexpected Origin: ", event.origin);
return;
}
Comment on lines +150 to +153
Contributor Author


@seanshpark I noticed that there is a potential security problem from "Verify the origin of the received message".

I assumed that the messages are coming from the window's origin; would it be okay for CircleGraph?

Contributor

@seanshpark seanshpark Sep 26, 2023


I'm not sure about the technical background of this, but I think the event itself would be coming from the vscode process (? or thread?, the node-js).
And I'm not sure about the fix, but if this has no problem loading the model, I think it would be OK.

Collaborator


I agree with these changes because this is a similar solution from sonarsource.com.

https://rules.sonarsource.com/javascript/RSPEC-2819/

window.addEventListener("message", function(event) {

  if (event.origin !== "http://example.org") // Compliant
    return;

  console.log(event.data)
});

Contributor Author


@jyoungyun I actually referred to that solution :-D

const message = event.data;
switch (message.command) {
case "loadmodel":
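Review bot: these four lines are now copied verbatim into every webview script under media/ (eight files in this PR), so any later change to the policy, for example rejecting an opaque "null" origin or switching the log to `console.warn`, has to be repeated eight times. Consider one shared helper such as `isTrustedMessage(event)` loaded by each webview, and in this file compare against `this.window.origin` rather than the global `window.origin`, since the listener is registered on `this.window`.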
Expand Down
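A shared guard for webview message events, added here as an example and not code from this PR or the Sonar rule quoted in the thread above; it turns the origin check discussed in the thread into one helper that also rejects opaque ("null") origins, which a plain equality check would accept. The function names, the placeholder origin and the sample events are constructed assumptions.

```javascript
// Added example, not code from this PR. "isTrustedMessage" and
// "handleWebviewMessage" are hypothetical names; a webview would call
// handleWebviewMessage(event, window.origin, handlers) from its listener.

// True only when the message comes from the expected origin. Opaque
// origins (sandboxed frames, file: pages) serialize as the string "null"
// on both sides, so plain equality would accept any opaque-origin sender.
function isTrustedMessage(event, expectedOrigin) {
  if (typeof expectedOrigin !== "string" || expectedOrigin === "null") {
    return false;
  }
  if (typeof event.origin !== "string" || event.origin === "null") {
    return false;
  }
  return event.origin === expectedOrigin;
}

// Dispatches on message.type like the switch statements in the PR's
// scripts; returns null for rejected or unknown messages.
function handleWebviewMessage(event, expectedOrigin, handlers) {
  if (!isTrustedMessage(event, expectedOrigin)) {
    console.warn("Unexpected Origin:", event.origin, "expected:", expectedOrigin);
    return null;
  }
  const message = event.data;
  const handler = message && handlers[message.type];
  return typeof handler === "function" ? handler(message) : null;
}

// Constructed stand-ins for MessageEvent objects (placeholder origins).
const EXPECTED_ORIGIN = "vscode-webview://placeholder-webview-id";
const SAMPLE_EVENTS = [
  { origin: EXPECTED_ORIGIN, data: { type: "load", model: "sample.circle" } },
  { origin: "https://other.example", data: { type: "load", model: "x" } },
  { origin: "null", data: { type: "load", model: "opaque" } },
  { origin: EXPECTED_ORIGIN, data: { type: "unknown" } },
];

// Runs the sample events through the guard; only the first is handled.
function processSampleEvents() {
  const handlers = { load: (message) => message.model };
  return SAMPLE_EVENTS.map((event) =>
    handleWebviewMessage(event, EXPECTED_ORIGIN, handlers));
}
```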
4 changes: 4 additions & 0 deletions media/Jsontracer/index.js
Expand Up @@ -52,6 +52,10 @@ const vscode = acquireVsCodeApi();

// event from vscode extension
window.addEventListener("message", (event) => {
if (window.origin !== event.origin) {
console.log("Unexpected Origin: ", event.origin);
return;
}
const message = event.data;
switch (message.type) {
case "load":
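Review bot: a rejected message only produces a `console.log` line and the handler returns, so if the origins ever fail to match the viewer simply never receives its `load` message and shows nothing, which is hard to diagnose. Log the rejection with `console.warn` (or `console.error`) and include the expected `window.origin` next to `event.origin` so the mismatch is visible in the webview developer tools.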
4 changes: 4 additions & 0 deletions media/MPQEditor/index.js
Expand Up @@ -25,6 +25,10 @@ function main() {
register();

window.addEventListener("message", (event) => {
if (window.origin !== event.origin) {
console.log("Unexpected Origin: ", event.origin);
return;
}
const message = event.data;
switch (message.type) {
case "displayMPQ":
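Review bot: missing documentation: nothing in the code explains why the origin check exists, and the rationale lives only in this PR's thread. Add a one-line comment above the `if`, e.g. `// Only accept messages from our own origin (verify the origin of the received message)`, so the guard is not later removed as redundant when `window.origin` and `event.origin` always match in practice.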
4 changes: 4 additions & 0 deletions media/MetadataViewer/index.js
Expand Up @@ -17,6 +17,10 @@
let currentConfigType = null;

this.window.addEventListener("message", (event) => {
if (window.origin !== event.origin) {
console.log("Unexpected Origin: ", event.origin);
return;
}
const message = event.data;
switch (message.command) {
case "showMetadata":
4 changes: 4 additions & 0 deletions media/Mondrian/mondrianViewer.js
Expand Up @@ -149,6 +149,10 @@

// Handle messages sent from the extension to the webview
window.addEventListener("message", (event) => {
if (window.origin !== event.origin) {
console.log("Unexpected Origin: ", event.origin);
return;
}
const message = event.data; // The json data that the extension sent
switch (message.type) {
case "update": {
4 changes: 4 additions & 0 deletions media/PartEditor/index.js
Expand Up @@ -62,6 +62,10 @@ editor.Editor = class {

register() {
this.window.addEventListener("message", (event) => {
if (window.origin !== event.origin) {
console.log("Unexpected Origin: ", event.origin);
return;
}
const message = event.data;
switch (message.command) {
case "resultBackends":
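Review bot: inside `editor.Editor`, `this.window` is an instance field that `register()` attaches the listener to, yet the guard reads the global `window.origin`; the two should be the same object, and the check should say so by using `this.window.origin`, otherwise a future change that hands the editor a different window (for example in a test harness) would silently compare against the wrong origin.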