This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →


Insufficient postMessage Validation #1164

Closed
burgil opened this issue Nov 29, 2023 · 2 comments

Comments

@burgil

burgil commented Nov 29, 2023

Insufficient postMessage Validation

The origin of the received message is not checked. This means any site (even a malicious one) can send a message to this window. If you don't expect this, consider checking the origin of the sender.

peerjs.js (line 4232)

this.dataChannel.addEventListener("message", (e) =>this._handleDataMessage(e));

Fix Analysis

Details

postMessage is a feature to perform cross-origin communication between JavaScript Window objects. This can be done by:

  • The sender using the targetWindow.postMessage(message, targetOrigin) method to send a message to the targetWindow, but only if the origin of that window matches targetOrigin (or if targetOrigin is set to the special value *);

  • The receiver listening for the message event in the window object.

However, if no validation is done by the receiver, this could allow any window to send arbitrary data to the handler. This vulnerability could be leveraged by an attacker to disclose sensitive data to a malicious origin, or to perform actions on a victim's behalf.

Example:

          window.addEventListener("message", (event) => {
              // DANGEROUS: No validation of origin
              doStuff(event.data);
          });

Best practices for prevention

  • Adopt a zero-trust model in which all input is considered potentially suspect.
  • Specify the targetOrigin instead of designating a wildcard *.

Example:

          window.addEventListener("message", (event) => {
              if (event.origin !== "http://example.org") // SAFE: origin checked
                  return;

              console.log(event.data);
          });

References

Introduction to postMessage() Vulnerabilities
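The two snippets above show the unchecked listener and the origin-checked one. The following is an added example (not code from this issue or from PeerJS) that carries the "safe" pattern further: an exact-match origin allowlist, structural validation of the payload before any handler runs, an audit hook so rejected messages are observable, and a sending-side wrapper that refuses the wildcard targetOrigin. The origins, message types and handler names are constructed for the example; the handler is written as a pure function over event-like objects so it runs outside a browser.

```javascript
// Added example (not PeerJS code): a hardened window "message" listener with
// an origin allowlist plus structural validation of the payload.

// Allowed sender origins. Constructed for this example; a real deployment
// lists only the origins expected to post messages to this window.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.org",
  "https://admin.example.org",
]);

// Exact-match origin check. A prefix or substring check would be bypassable
// (e.g. "https://app.example.org.attacker.test" starts with an allowed value),
// so the comparison is strict equality on the full origin string.
function isTrustedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  return typeof origin === "string" && allowed.has(origin);
}

// Validate the message shape before acting on it. Only plain objects with a
// known "type" and the fields that type requires are accepted; everything
// else (strings, arrays, unknown types) is rejected.
function parseCommand(data) {
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  switch (data.type) {
    case "setTheme":
      return data.theme === "light" || data.theme === "dark"
        ? { type: "setTheme", theme: data.theme }
        : null;
    case "ping":
      return { type: "ping" };
    default:
      return null;
  }
}

// Build a listener that rejects untrusted origins and malformed payloads.
// `handlers` maps command type -> function(command, event); `audit` receives
// a record for every rejected message so rejections can be logged or counted.
function createMessageListener(handlers, { allowed = ALLOWED_ORIGINS, audit = () => {} } = {}) {
  return function onMessage(event) {
    if (!isTrustedOrigin(event.origin, allowed)) {
      audit({ reason: "untrusted-origin", origin: event.origin });
      return { accepted: false, reason: "untrusted-origin" };
    }
    const command = parseCommand(event.data);
    if (command === null) {
      audit({ reason: "malformed-message", origin: event.origin });
      return { accepted: false, reason: "malformed-message" };
    }
    const handler = handlers[command.type];
    if (typeof handler === "function") handler(command, event);
    return { accepted: true, command };
  };
}

// Sending side: refuse the wildcard targetOrigin so a message can never be
// delivered to whatever document happens to occupy the target window.
function postTo(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*" || !isTrustedOrigin(targetOrigin)) {
    throw new Error(`refusing to post to untrusted targetOrigin ${targetOrigin}`);
  }
  targetWindow.postMessage(message, targetOrigin);
}

// Demo on constructed event objects (no browser needed): one message from an
// untrusted origin, one malformed payload from a trusted origin, one valid.
function demo() {
  const rejected = [];
  const applied = [];
  const listener = createMessageListener(
    { setTheme: (cmd) => applied.push(cmd.theme) },
    { audit: (r) => rejected.push(r) },
  );
  listener({ origin: "https://evil.example", data: { type: "setTheme", theme: "dark" } });
  listener({ origin: "https://app.example.org", data: "<script>alert(1)</script>" });
  listener({ origin: "https://app.example.org", data: { type: "setTheme", theme: "dark" } });
  return { applied, rejected };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

In a browser the listener would be registered with `window.addEventListener("message", createMessageListener({...}))`; the exact-match allowlist and the payload parser are the two checks that matter, and the audit hook is what makes a spray of messages from an unexpected origin visible in telemetry rather than silently dropped.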

@burgil
Author

burgil commented Nov 29, 2023

Hi, is there a way to fix/mute this warning in Snyk, please?

@jonasgloning
Member

jonasgloning commented Dec 3, 2023 via email

@peers peers locked and limited conversation to collaborators Dec 3, 2023
@jonasgloning jonasgloning converted this issue into discussion #1168 Dec 3, 2023
