
[javascript] CWE-020: CodeQL query to detect missing origin validation in cross-origin communication via postMessage #118

Closed
1 task done
dellalibera opened this issue Jun 8, 2020 · 7 comments
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@dellalibera

dellalibera commented Jun 8, 2020

CVE ID(s)

Report

Missing validation of the MessageEvent.origin allows any window to send arbitrary messages to the postMessage handler from any origin.

If the MessageEvent.data is used in some DOM sink and is used in an unsafe way, the missing check of the origin could lead to a DOM-based XSS or other unexpected behaviors.

This query detects if the MessageEvent.origin is checked or if methods like indexOf, startsWith are used to validate the origin.

Link to the now merged PR: PR github/codeql#3646

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
@dellalibera dellalibera added the All For One Submissions to the All for One, One for All bounty label Jun 8, 2020
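The three handler shapes the report describes, as an added example that is not part of the issue, the merged PR or the CodeQL query itself: a `message` handler that never looks at `event.origin`, one that "validates" with `indexOf`, and a hardened one that does an exact allowlist match before `event.data` reaches a sink. The allowlist, the `MessageEvent`-like objects and the recording sink are all constructed here so the script runs under Node without a browser; in a real page only the registration at the bottom would apply.

```javascript
// Added example (not from the issue or the CodeQL query): a postMessage
// handler with no origin check, one with a substring (indexOf) check, and
// one with an exact allowlist check, driven with constructed
// MessageEvent-like objects so it executes under Node without a browser.

// Constructed allowlist of origins this page accepts messages from.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// True only if the origin string exactly matches an allowlisted origin.
// MessageEvent.origin is a full origin (scheme://host[:port]) and is the
// literal string "null" for opaque origins such as sandboxed iframes, so a
// whole-string Set lookup is the right comparison; no prefix or substring test.
function isTrustedOrigin(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// The pattern the query is meant to flag: event.data flows to a sink with no
// look at event.origin, so any window holding a reference to this one
// (opener, parent, embedded frame) can drive the sink.
function makeUncheckedHandler(sink) {
  return (event) => {
    sink(event.data);
    return true;
  };
}

// Substring check: indexOf(trusted) !== -1 also accepts any origin that merely
// contains the trusted string, e.g. "https://app.example.com.other.test".
function makeSubstringCheckHandler(sink) {
  return (event) => {
    if (String(event.origin).indexOf("https://app.example.com") === -1) return false;
    sink(event.data);
    return true;
  };
}

// Hardened form: exact allowlist match before event.data reaches any sink.
function makeHardenedHandler(sink) {
  return (event) => {
    if (!isTrustedOrigin(event.origin)) return false;
    sink(event.data);
    return true;
  };
}

// Drive a handler with a list of events. The sink only records what reached
// it, standing in for innerHTML, eval, location assignment and similar sinks.
function simulate(makeHandler, events) {
  const reachedSink = [];
  const handler = makeHandler((data) => reachedSink.push(data));
  const accepted = events.map((ev) => handler(ev));
  return { accepted, reachedSink };
}

// Constructed MessageEvent-like objects: one from the trusted origin, one from
// an origin that merely contains the trusted string, one unrelated origin.
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: "trusted-payload" },
  { origin: "https://app.example.com.other.test", data: "lookalike-payload" },
  { origin: "https://unrelated.example.net", data: "unrelated-payload" },
];

// In a browser, register the hardened handler; under Node this is skipped.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", makeHardenedHandler((data) => {
    // Text sink rather than innerHTML, so data cannot become markup.
    document.body.textContent = String(data);
  }));
}

// Stand-alone run: print what each handler lets through.
if (typeof require !== "undefined" && require.main === module) {
  const factories = [
    ["unchecked", makeUncheckedHandler],
    ["indexOf", makeSubstringCheckHandler],
    ["hardened", makeHardenedHandler],
  ];
  for (const [name, factory] of factories) {
    console.log(name, simulate(factory, SAMPLE_EVENTS));
  }
}
```

Run with `node` to see that the unchecked handler passes all three payloads to the sink, the `indexOf` handler still passes the lookalike origin, and only the exact-match handler restricts the sink to the trusted origin. The design point is that origin validation has to be a whole-string comparison against an allowlist; whatever the sink does with `event.data` afterwards, the origin check is the boundary the query is looking for.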
@xcorail
Contributor

xcorail commented Jul 9, 2020

👋🏾 @dellalibera
Can you please send me privately your email address?
Thanks

@dellalibera
Author

dellalibera commented Jul 9, 2020

Hi @xcorail
thanks for the message. I've sent my email address to your GitHub email address.

Cheers

@xcorail
Contributor

xcorail commented Jul 9, 2020

Created Hackerone report 920285 for bounty 228297 : [118] [javascript] CWE-020: CodeQL query to detect missing origin validation in cross-origin communication via postMessage 🎉

@xcorail xcorail closed this as completed Jul 9, 2020
@dellalibera
Author

Thanks @xcorail for the bounty!!
