Use global.location.host over '*' in global.postMessage #542
Conversation
This addresses a security concern where messages can be intercepted and/or sent to any window that uses '*' as the 2nd parameter (the origin) to postMessage.
|
IIRC initially (before |
|
Thanks!! |
|
Is a CVE going to be obtained for this issue? I can get one assigned if that would help. |
I don't think a CVE is relevant here. All that is contained in the messages that are sent is the numerical counter and the number is then checked against the local So there of course can be bugs, resulting in a DoS or something (if you have a really wild imagination), if a random number comes in over the channel at just just the very right time (a SUPER short timespan), and the function is called too early. But it is meant to be called as soon as possible, so I don't think even that is a concern. This is a solid implementation and I see no way to exploit that. The bigger concern is that for every deferral a listener is added and never removed, so that might be something worth fixing up (by ensuring |
|
I suppose the broadcast would be sending numbers to other websites using other libraries, which can then interpret those numbers in a weird manner, which is definitely a bug, and might cause other apps misbehave, but I'm not sure this can be classified as a security issue - a malicious website can do that in a much easier way without even bothering with |
|
Per Snyk this issue can cause XSS, see https://snyk.io/vuln/SNYK-JS-COREJS-174627. If that's correct, that's a security issue. |
|
@ddillard snyk have amended this and they no longer classify this as a vulnerability:
|
|
@zloirock do you have an eta on deploying 3.0.2? My team is hoping for an estimate. |
Good news! Ok, never mind then! :-) |
|
@tannerlyons it will be 3.1.0. After some days. I have no concrete date since now I have some much more serious problems. |
|
@zloirock Thank you for the update. We'll react accordingly here 😄 |
Our current version is getting rather outdated. Replace by the *legacy* bundle: pdfjs now provides a non-polyfilled version of the library, which is probably faster though it doesn't save overly much (for the entire bundle anyway). Use polyfilled version for safety, though it's unclear whether non-chromium Edge is still supported by Odoo. If not, we could just use the non-polyfilled version. The difference is quite large for pdf.js (+32.5%), however it is much less consequential for the sandbox (+1%) or for the much larger worker (+5.6%). The biggest difference is likely performances but... who knows? Notes: - The main reason for this change is that automated vulnerability scanner have apparently started scanning for `postMessage(..., '*')` and the previous bundles includes a version of corejs polyfills without zloirock/core-js#542), therefore triggering those scans. As the PR notes this is almost certainly not a concern because of the innocuous payload, but there is no reason to waste time on those reports if we don't *have* to. - The bundle now includes "standard fonts", those were removed as they're heavy and may not be necessary for our usage (?). - All the bitmap images were dropped and replaced by svgs, which is nice. - The local changes since the previous update were *not* impacted in this, the entire thing was just reset to upstream. This means changes which were backported (922c7c7, 6943714) are superseded but more odoo-specific changes will have to be reapplied in further commits.
Our current version is getting rather outdated. Replace by the *legacy* bundle: pdfjs now provides a non-polyfilled version of the library, which is probably faster though it doesn't save overly much (for the entire bundle anyway). Use polyfilled version for safety, though it's unclear whether non-chromium Edge is still supported by Odoo. If not, we could just use the non-polyfilled version. The difference is quite large for pdf.js (+32.5%), however it is much less consequential for the sandbox (+1%) or for the much larger worker (+5.6%). The biggest difference is likely performances but... who knows? Notes: - The main reason for this change is that automated vulnerability scanner have apparently started scanning for `postMessage(..., '*')` and the previous bundles includes a version of corejs polyfills without zloirock/core-js#542), therefore triggering those scans. As the PR notes this is almost certainly not a concern because of the innocuous payload, but there is no reason to waste time on those reports if we don't *have* to. - The bundle now includes "standard fonts", those were removed as they're heavy and may not be necessary for our usage (?). - All the bitmap images were dropped and replaced by svgs, which is nice. - The local changes since the previous update were *not* impacted in this, the entire thing was just reset to upstream. This means changes which were backported (922c7c7, 6943714) are superseded but more odoo-specific changes will have to be reapplied in further commits.
Our current version is getting rather outdated. Replace by the *legacy* bundle: pdfjs now provides a non-polyfilled version of the library, which is probably faster though it doesn't save overly much (for the entire bundle anyway). Use polyfilled version for safety, though it's unclear whether non-chromium Edge is still supported by Odoo. If not, we could just use the non-polyfilled version. The difference is quite large for pdf.js (+32.5%), however it is much less consequential for the sandbox (+1%) or for the much larger worker (+5.6%). The biggest difference is likely performances but... who knows? Notes: - The main reason for this change is that automated vulnerability scanner have apparently started scanning for `postMessage(..., '*')` and the previous bundles includes a version of corejs polyfills without zloirock/core-js#542), therefore triggering those scans. As the PR notes this is almost certainly not a concern because of the innocuous payload, but there is no reason to waste time on those reports if we don't *have* to. - The bundle now includes "standard fonts", those were removed as they're heavy and may not be necessary for our usage (?). - All the bitmap images were dropped and replaced by svgs, which is nice. - The local changes since the previous update were *not* impacted in this, the entire thing was just reset to upstream. This means changes which were backported (922c7c7, 6943714) are superseded but more odoo-specific changes will have to be reapplied in further commits. Part-of: #100067
Our current version is getting rather outdated. Replace by the *legacy* bundle: pdfjs now provides a non-polyfilled version of the library, which is probably faster though it doesn't save overly much (for the entire bundle anyway). Use polyfilled version for safety, though it's unclear whether non-chromium Edge is still supported by Odoo. If not, we could just use the non-polyfilled version. The difference is quite large for pdf.js (+32.5%), however it is much less consequential for the sandbox (+1%) or for the much larger worker (+5.6%). The biggest difference is likely performances but... who knows? Notes: - The main reason for this change is that automated vulnerability scanner have apparently started scanning for `postMessage(..., '*')` and the previous bundles includes a version of corejs polyfills without zloirock/core-js#542), therefore triggering those scans. As the PR notes this is almost certainly not a concern because of the innocuous payload, but there is no reason to waste time on those reports if we don't *have* to. - The bundle now includes "standard fonts", those were removed as they're heavy and may not be necessary for our usage (?). - All the bitmap images were dropped and replaced by svgs, which is nice. - Previously local / bespoke changes: - 32c8922 DOM dispatching has been removed, hook into pdfjs's event system - 2d5dd14 seems to be the default now - 74fa91e, re-apply change in default configuration - pdfjs has migrated from lots of its objects / operations being / returning promises, to the result objects containing promises, this has required quite a few adaptations in website_slides closes #100067 Related: odoo/enterprise#31692 Signed-off-by: Xavier Morel (xmo) <xmo@odoo.com>
Our current version is getting rather outdated. Replace by the *legacy* bundle: pdfjs now provides a non-polyfilled version of the library, which is probably faster though it doesn't save overly much (for the entire bundle anyway). Use polyfilled version for safety, though it's unclear whether non-chromium Edge is still supported by Odoo. If not, we could just use the non-polyfilled version. The difference is quite large for pdf.js (+32.5%), however it is much less consequential for the sandbox (+1%) or for the much larger worker (+5.6%). The biggest difference is likely performances but... who knows? Notes: - The main reason for this change is that automated vulnerability scanner have apparently started scanning for `postMessage(..., '*')` and the previous bundles includes a version of corejs polyfills without zloirock/core-js#542), therefore triggering those scans. As the PR notes this is almost certainly not a concern because of the innocuous payload, but there is no reason to waste time on those reports if we don't *have* to. - The bundle now includes "standard fonts", those were removed as they're heavy and may not be necessary for our usage (?). - All the bitmap images were dropped and replaced by svgs, which is nice. - The local changes since the previous update were *not* impacted in this, the entire thing was just reset to upstream. This means changes which were backported (922c7c7, 6943714) are superseded but more odoo-specific changes will have to be reapplied in further commits. Part-of: odoo#100067
This addresses a security concern where messages can be intercepted and/or sent to
any window that uses '*' as the 2nd parameter (the origin) to postMessage.
Per the OWASP HTML5 Security Cheat Sheet:
MDN's docs also state:
I see 2 issues with this PR and would appreciate your feedback:
location.hostmodification to actually reproduce this. This is a good thing for those browsers :)window.locationisn't actually part of the ES3 standard. It's implemented a bit differently in each browser. Since this code branch is only run in browsers that support postMessage, we can assumewindow.location.hostis implemented because it was adopted by major browsers at the time of postMessage. I've not been able to find any great resource proving this, it's mostly from memory which feels bad.The reason this is important for me is that to use this fantastic library in the USA government cloud (aws/azure/etc.), you must adhere to certain security scanners. The scanner has been able to exploit this to pass messages between different hosts. I'm guessing this is not using a major browser, but some other browser with security features turned off. I'm guessing that merging this PR would allow many more people here to use this library.
One last thing: clearly in reading this code there's not REALLY a big vulnerability. a message is posted, and then immediately executed on the next loop, then forgotten. Other windows can really only see the unique id of the deferred function. You can imagine, however, that someone might be able to do something with those, but I cannot think of a reasonable scenario where this would actually affect anything. The biggest concern here is the government scanner.
Thank you for this excellent lib!!!