
Add origin check to events #7933

Closed

C0rby opened this issue Nov 7, 2022 · 1 comment · Fixed by #7941

Labels:
- Priority:p2-high (Escalation, on top of current planning, release blocker)
- Severity:sev4-low (no loss of service, req. for docs info or enhancement)
- Topic:Security (Pull requests that address a security vulnerability)

Comments


C0rby commented Nov 7, 2022

This event listener should check the event's origin.

```js
// Listener as reported: it dispatches on event.data without ever looking at event.origin.
window.addEventListener('message', (event) => {
  if (event.data.length > 0) {
    const payload = JSON.parse(event.data)
    switch (payload.event) {
      case 'init':
        this.fileExtension === 'vsdx' ? this.importVisio() : this.load()
        break
      case 'autosave':
        this.save(payload, true)
        break
      case 'save':
        this.save(payload)
        break
      case 'exit':
        this.exit()
        break
    }
  }
})
```

And these lines should contain the target origin:



See this for more information: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#security_concerns
If you want a demo of a poc exploit, just ping me. :)
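The two fixes the issue asks for, written out as an added example rather than code from the issue or from the project: the receiver rejects any message whose `event.origin` is not the expected one before parsing it, and the sender names a concrete target origin instead of `'*'`. `EDITOR_ORIGIN`, `createMessageHandler` and `sendToEditor` are assumed names, and the events at the bottom are constructed stand-ins for browser `MessageEvent` objects.

```javascript
const EDITOR_ORIGIN = 'https://editor.example.test'; // constructed placeholder origin

// Build a 'message' handler that only dispatches events sent from allowedOrigin.
// `actions` maps event names (init, save, ...) to callbacks. The return value
// reports what happened so the behaviour can be checked without a browser.
function createMessageHandler(allowedOrigin, actions) {
  return function onMessage(event) {
    // The origin check comes first: data from any other origin is ignored
    // before it is parsed or acted on.
    if (event.origin !== allowedOrigin) {
      return { dispatched: false, reason: 'origin-mismatch' };
    }
    if (typeof event.data !== 'string' || event.data.length === 0) {
      return { dispatched: false, reason: 'empty' };
    }
    let payload;
    try {
      payload = JSON.parse(event.data);
    } catch (err) {
      return { dispatched: false, reason: 'bad-json' };
    }
    // Only dispatch events the handler explicitly knows about (own keys only,
    // so names like 'constructor' do not resolve through the prototype).
    if (!Object.prototype.hasOwnProperty.call(actions, payload.event)) {
      return { dispatched: false, reason: 'unknown-event' };
    }
    actions[payload.event](payload);
    return { dispatched: true, event: payload.event };
  };
}

// Sender side: pass the concrete target origin instead of '*', so the
// browser only delivers the message if the receiving window is at that origin.
function sendToEditor(targetWindow, message, targetOrigin = EDITOR_ORIGIN) {
  targetWindow.postMessage(JSON.stringify(message), targetOrigin);
  return targetOrigin;
}

// Constructed MessageEvent-like objects standing in for real browser events.
const received = [];
const onMessage = createMessageHandler(EDITOR_ORIGIN, {
  save: (p) => received.push(p.event),
  exit: () => received.push('exit'),
});
onMessage({ origin: EDITOR_ORIGIN, data: JSON.stringify({ event: 'save' }) });
onMessage({ origin: 'https://other.example.test', data: JSON.stringify({ event: 'exit' }) });
// received is now ['save']: the cross-origin 'exit' was dropped.
```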

@C0rby C0rby added Topic:Security Pull requests that address a security vulnerability Severity:sev4-low no loss of service, req. for docs info or enhancement labels Nov 7, 2022
@kulmann kulmann added the Priority:p3-medium Normal priority label Nov 8, 2022
@kulmann kulmann added Priority:p2-high Escalation, on top of current planning, release blocker and removed Priority:p3-medium Normal priority labels Nov 8, 2022
@JammingBen JammingBen self-assigned this Nov 9, 2022
@JammingBen

This has been fixed via #7941 in the stable-6.0 branch. Will come to master soon.
