From e93f394e6f03f4a291a6d123c8e1042168a13a68 Mon Sep 17 00:00:00 2001 From: Steven Lambert Date: Wed, 5 May 2021 11:08:27 -0600 Subject: [PATCH] fix: do not allow postMessage with axe version of x.y.z --- lib/core/utils/respondable.js | 7 +- test/core/base/audit.js | 41 +++------- test/core/export.js | 2 +- test/core/public/configure.js | 7 +- test/core/public/get-rules.js | 15 ++-- test/core/public/run-rules.js | 9 ++- test/core/utils/respondable.js | 79 +++++++------------- test/mock/frames/responder.html | 2 +- test/mock/frames/results-timeout.html | 2 +- test/mock/frames/send-command-to-parent.html | 20 +++++ test/mock/frames/throwing.html | 2 +- test/version.js | 2 +- 12 files changed, 84 insertions(+), 104 deletions(-) create mode 100644 test/mock/frames/send-command-to-parent.html diff --git a/lib/core/utils/respondable.js b/lib/core/utils/respondable.js index de5b7ae0c5..9b607efce8 100644 --- a/lib/core/utils/respondable.js +++ b/lib/core/utils/respondable.js @@ -45,10 +45,7 @@ var messageSource = _getSource(); return ( // Check the version matches - postedMessage._source === messageSource || - // Allow free communication with axe test - postedMessage._source === 'axeAPI.x.y.z' || - messageSource === 'axeAPI.x.y.z' + postedMessage._source === messageSource ); } return false; @@ -152,7 +149,7 @@ var topic = data.topic; var subscriber = subscribers[topic]; - if (subscriber) { + if (subscriber && source === window.parent) { var responder = createResponder(source, null, data.uuid); subscriber(data.message, keepalive, responder); } diff --git a/test/core/base/audit.js b/test/core/base/audit.js index 95ad440262..160d8edb13 100644 --- a/test/core/base/audit.js +++ b/test/core/base/audit.js @@ -1,6 +1,7 @@ /*global Audit, Rule */ describe('Audit', function() { 'use strict'; + var ver = axe.version.substring(0, axe.version.lastIndexOf('.')); var a, getFlattenedTree; var isNotCalled = function(err) { @@ -117,7 +118,7 @@ describe('Audit', function() { audit._constructHelpUrls(); assert.deepEqual(audit.data.rules.target, { helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + ver + '/target?application=axeAPI' }); }); it('should use changed branding', function() { @@ -133,7 +134,7 @@ describe('Audit', function() { audit._constructHelpUrls(); assert.deepEqual(audit.data.rules.target, { helpUrl: - 'https://dequeuniversity.com/rules/thing/x.y/target?application=axeAPI' + 'https://dequeuniversity.com/rules/thing/' + ver + '/target?application=axeAPI' }); }); it('should use changed application', function() { @@ -149,7 +150,7 @@ describe('Audit', function() { audit._constructHelpUrls(); assert.deepEqual(audit.data.rules.target, { helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/target?application=thing' + 'https://dequeuniversity.com/rules/axe/' + ver + '/target?application=thing' }); }); @@ -161,7 +162,7 @@ describe('Audit', function() { selector: 'bob', metadata: { helpUrl: - 'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI' + 'https://dequeuniversity.com/rules/myproject/' + ver + '/target1?application=axeAPI' } }); audit.addRule({ @@ -172,7 +173,7 @@ describe('Audit', function() { assert.equal( audit.data.rules.target1.helpUrl, - 'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI' + 'https://dequeuniversity.com/rules/myproject/' + ver + '/target1?application=axeAPI' ); assert.isUndefined(audit.data.rules.target2); @@ -182,11 +183,11 @@ describe('Audit', function() { assert.equal( audit.data.rules.target1.helpUrl, - 'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI' + 'https://dequeuniversity.com/rules/myproject/' + ver + '/target1?application=axeAPI' ); assert.equal( audit.data.rules.target2.helpUrl, - 'https://dequeuniversity.com/rules/thing/x.y/target2?application=axeAPI' + 'https://dequeuniversity.com/rules/thing/' + ver + '/target2?application=axeAPI' ); }); it('understands prerelease type version numbers', function() { @@ -207,24 +208,6 @@ describe('Audit', function() { 'https://dequeuniversity.com/rules/axe/3.2/target?application=axeAPI' ); }); - it('sets x.y as version for invalid versions', function() { - var tempVersion = axe.version; - var audit = new Audit(); - audit.addRule({ - id: 'target', - matches: 'function () {return "hello";}', - selector: 'bob' - }); - - axe.version = 'in-3.0-valid'; - audit._constructHelpUrls(); - - axe.version = tempVersion; - assert.equal( - audit.data.rules.target.helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI' - ); - }); it('matches major release versions', function() { var tempVersion = axe.version; var audit = new Audit(); @@ -280,7 +263,7 @@ describe('Audit', function() { }); assert.deepEqual(audit.data.rules.target, { helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/target?application=thing' + 'https://dequeuniversity.com/rules/axe/' + ver + '/target?application=thing' }); }); it('should call _constructHelpUrls even when nothing changed', function() { @@ -295,7 +278,7 @@ describe('Audit', function() { audit.setBranding(undefined); assert.deepEqual(audit.data.rules.target, { helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + ver + '/target?application=axeAPI' }); }); it('should not replace custom set branding', function() { @@ -306,7 +289,7 @@ describe('Audit', function() { selector: 'bob', metadata: { helpUrl: - 'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI' + 'https://dequeuniversity.com/rules/customer-x/' + ver + '/target?application=axeAPI' } }); audit.setBranding({ @@ -315,7 +298,7 @@ describe('Audit', function() { }); assert.equal( audit.data.rules.target.helpUrl, - 'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI' + 'https://dequeuniversity.com/rules/customer-x/' + ver + '/target?application=axeAPI' ); }); }); diff --git a/test/core/export.js b/test/core/export.js index 4f0c918ce0..4ce6eab260 100644 --- a/test/core/export.js +++ b/test/core/export.js @@ -5,6 +5,6 @@ describe('export', function() { assert.isDefined(window.axe); }); it('should define version', function() { - assert.equal(axe.version, 'x.y.z'); + assert.isNotNull(axe.version); }); }); diff --git a/test/core/public/configure.js b/test/core/public/configure.js index a87f5628f4..46dcaa134d 100644 --- a/test/core/public/configure.js +++ b/test/core/public/configure.js @@ -2,6 +2,7 @@ describe('axe.configure', function() { 'use strict'; var fixture = document.getElementById('fixture'); + var ver = axe.version.substring(0, axe.version.lastIndexOf('.')); afterEach(function() { fixture.innerHTML = ''; @@ -68,7 +69,7 @@ describe('axe.configure', function() { assert.lengthOf(axe._audit.rules, 1); assert.equal( axe._audit.data.rules.bob.helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/bob?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + ver + '/bob?application=axeAPI' ); axe.configure({ branding: { @@ -78,7 +79,7 @@ describe('axe.configure', function() { }); assert.equal( axe._audit.data.rules.bob.helpUrl, - 'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing' + 'https://dequeuniversity.com/rules/thung/' + ver + '/bob?application=thing' ); }); @@ -101,7 +102,7 @@ describe('axe.configure', function() { assert.equal( axe._audit.data.rules.bob.helpUrl, - 'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing' + 'https://dequeuniversity.com/rules/thung/' + ver + '/bob?application=thing' ); }); diff --git a/test/core/public/get-rules.js b/test/core/public/get-rules.js index fb834b1c93..984782452f 100644 --- a/test/core/public/get-rules.js +++ b/test/core/public/get-rules.js @@ -1,5 +1,6 @@ describe('axe.getRules', function() { 'use strict'; + var ver = axe.version.substring(0, axe.version.lastIndexOf('.')); beforeEach(function() { axe._load({ @@ -46,7 +47,7 @@ describe('axe.getRules', function() { assert.equal(retValue[0].help, 'halp'); assert.equal( retValue[0].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule1?application=axeAPI' ); assert.deepEqual(retValue[0].tags, ['tag1']); @@ -55,7 +56,7 @@ describe('axe.getRules', function() { assert.equal(retValue[1].help, 'halp me!'); assert.equal( retValue[1].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule2?application=axeAPI' ); assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']); @@ -67,7 +68,7 @@ describe('axe.getRules', function() { assert.equal(retValue[0].help, 'halp me!'); assert.equal( retValue[0].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule2?application=axeAPI' ); assert.deepEqual(retValue[0].tags, ['tag1', 'tag2']); }); @@ -85,7 +86,7 @@ describe('axe.getRules', function() { assert.equal(retValue[0].help, 'halp'); assert.equal( retValue[0].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule1?application=axeAPI' ); assert.deepEqual(retValue[0].tags, ['tag1']); @@ -94,7 +95,7 @@ describe('axe.getRules', function() { assert.equal(retValue[1].help, 'halp me!'); assert.equal( retValue[1].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule2?application=axeAPI' ); assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']); }); @@ -106,7 +107,7 @@ describe('axe.getRules', function() { assert.equal(retValue[0].help, 'halp'); assert.equal( retValue[0].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule1?application=axeAPI' ); assert.deepEqual(retValue[0].tags, ['tag1']); @@ -115,7 +116,7 @@ describe('axe.getRules', function() { assert.equal(retValue[1].help, 'halp me!'); assert.equal( retValue[1].helpUrl, - 'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI' + 'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule2?application=axeAPI' ); assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']); }); diff --git a/test/core/public/run-rules.js b/test/core/public/run-rules.js index 61e0b59f93..f4b2a41e1a 100644 --- a/test/core/public/run-rules.js +++ b/test/core/public/run-rules.js @@ -1,6 +1,7 @@ /*global runRules */ describe('runRules', function() { 'use strict'; + var ver = axe.version.substring(0, axe.version.lastIndexOf('.')); function iframeReady(src, context, id, cb) { var i = document.createElement('iframe'); @@ -198,7 +199,7 @@ describe('runRules', function() { { id: 'div#target', helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI', + 'https://dequeuniversity.com/rules/axe/' + ver +'/div#target?application=axeAPI', pageLevel: false, impact: null, inapplicable: [], @@ -233,7 +234,7 @@ describe('runRules', function() { { id: 'first-div', helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI', + 'https://dequeuniversity.com/rules/axe/' + ver +'/first-div?application=axeAPI', pageLevel: false, impact: null, inapplicable: [], @@ -485,7 +486,7 @@ describe('runRules', function() { { id: 'div#target', helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI', + 'https://dequeuniversity.com/rules/axe/' + ver +'/div#target?application=axeAPI', pageLevel: false, foo: 'bar', stuff: 'blah', @@ -522,7 +523,7 @@ describe('runRules', function() { { id: 'first-div', helpUrl: - 'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI', + 'https://dequeuniversity.com/rules/axe/' + ver +'/first-div?application=axeAPI', pageLevel: false, bar: 'foo', stuff: 'no', diff --git a/test/core/utils/respondable.js b/test/core/utils/respondable.js index 6f1b6a9519..70c2a0ebbc 100644 --- a/test/core/utils/respondable.js +++ b/test/core/utils/respondable.js @@ -6,8 +6,11 @@ describe('axe.utils.respondable', function() { var getMockUUID = function() { return mockUUID; }; + var version; + var fixture = document.querySelector('#fixture'); beforeEach(function() { + version = axe.version; originalUUID = window.uuid.v1; window.uuid.v1 = getMockUUID; mockUUID = originalUUID(); @@ -15,6 +18,8 @@ describe('axe.utils.respondable', function() { afterEach(function() { window.uuid.v1 = originalUUID; + axe.version = version; + fixture.innerHTML = ''; }); it('should be a function', function() { @@ -117,29 +122,7 @@ describe('axe.utils.respondable', function() { event.initEvent('message', true, true); event.data = JSON.stringify({ _respondable: true, - _source: 'axeAPI.2.0.0', - topic: 'Death star', - message: 'Help us Obi-Wan', - uuid: mockUUID - }); - event.source = window; - - axe.utils.respondable(window, 'Death star', null, true, function(data) { - success = true; - assert.equal(data, 'Help us Obi-Wan'); - }); - document.dispatchEvent(event); - assert.isTrue(success); - }); - - it('should allow messages with _source axeAPI.x.y.z', function() { - var success = false; - var event = document.createEvent('Event'); - // Define that the event name is 'build'. - event.initEvent('message', true, true); - event.data = JSON.stringify({ - _respondable: true, - _source: 'axeAPI.x.y.z', + _source: 'axeAPI.' + axe.version, topic: 'Death star', message: 'Help us Obi-Wan', uuid: mockUUID @@ -154,35 +137,10 @@ describe('axe.utils.respondable', function() { assert.isTrue(success); }); - it('should allow messages if the axe version is x.y.z', function() { - var success = false; - var event = document.createEvent('Event'); - var v = axe.version; - axe.version = 'x.y.z'; - // Define that the event name is 'build'. - event.initEvent('message', true, true); - event.data = JSON.stringify({ - _respondable: true, - _source: 'axeAPI.2.0.0', - topic: 'Death star', - message: 'Help us Obi-Wan', - uuid: mockUUID - }); - event.source = window; - - axe.utils.respondable(window, 'Death star', null, true, function(data) { - success = true; - assert.equal(data, 'Help us Obi-Wan'); - }); - document.dispatchEvent(event); - assert.isTrue(success); - axe.version = v; - }); it('should reject messages if the axe version is different', function() { var success = true; var event = document.createEvent('Event'); - var v = axe.version; axe.version = '1.0.0'; // Define that the event name is 'build'. event.initEvent('message', true, true); @@ -200,7 +158,6 @@ describe('axe.utils.respondable', function() { }); document.dispatchEvent(event); assert.isTrue(success); - axe.version = v; }); it('should reject messages that are that are not strings', function() { @@ -307,7 +264,7 @@ describe('axe.utils.respondable', function() { event.initEvent('message', true, true); event.data = JSON.stringify({ _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, topic: 'Death star', error: { name: 'ReferenceError', @@ -336,7 +293,7 @@ describe('axe.utils.respondable', function() { event.initEvent('message', true, true); event.data = JSON.stringify({ _respondable: true, - _source: 'axeAPI.2.0.0', + _source: 'axeAPI.' + axe.version, topic: 'Death star', error: { name: 'evil', @@ -500,5 +457,25 @@ describe('axe.utils.respondable', function() { } }); }); + + it('does not run if the command did not come from the parent iframe', function(done) { + var published = false; + axe.utils.respondable.subscribe('catman', function () { + published = true; + }); + + var frame = document.createElement('iframe'); + frame.addEventListener('load', function () { + axe._tree = axe.utils.getFlattenedTree(document.documentElement); + setTimeout(function () { + assert.ok(!published, 'Subscriber should not be called'); + done(); + }, 10); + }); + + frame.id = 'level0'; + frame.src = '../mock/frames/send-command-to-parent.html'; + fixture.appendChild(frame); + }); }); }); diff --git a/test/mock/frames/responder.html b/test/mock/frames/responder.html index 6b1d4b14b0..93e37bf37f 100644 --- a/test/mock/frames/responder.html +++ b/test/mock/frames/responder.html @@ -8,7 +8,7 @@ diff --git a/test/mock/frames/results-timeout.html b/test/mock/frames/results-timeout.html index 948bbabfff..829971cbcf 100644 --- a/test/mock/frames/results-timeout.html +++ b/test/mock/frames/results-timeout.html @@ -8,7 +8,7 @@ diff --git a/test/mock/frames/send-command-to-parent.html b/test/mock/frames/send-command-to-parent.html new file mode 100644 index 0000000000..6263627949 --- /dev/null +++ b/test/mock/frames/send-command-to-parent.html @@ -0,0 +1,20 @@ + + + + Double responding frame + + + + + + + + + diff --git a/test/mock/frames/throwing.html b/test/mock/frames/throwing.html index bc64ba2cb3..c14cea6242 100644 --- a/test/mock/frames/throwing.html +++ b/test/mock/frames/throwing.html @@ -8,7 +8,7 @@ diff --git a/test/version.js b/test/version.js index 290b8dcd29..91dc3a2ce3 100644 --- a/test/version.js +++ b/test/version.js @@ -2,4 +2,4 @@ // This enables free communication between frames with // to the current version of axe: -axe.version = 'x.y.z'; +axe.version = '3.1.2';