asf-tooling opened a new issue, #1016:
URL: https://github.com/apache/tooling-trusted-releases/issues/1016
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
No frontend JavaScript code was provided for audit. The postMessage API is a
client-side browser API that must be validated in JavaScript code. The provided
files are exclusively server-side Python (Quart/Flask framework). The
template_folder parameter confirms HTML templates exist but were not provided
for review. These templates and any associated JavaScript files are where
postMessage handlers would reside. If the application uses postMessage without
origin validation, an attacker could send crafted messages from a malicious
page to manipulate application state, exfiltrate sensitive data, bypass
authentication/authorization flows, or execute XSS-equivalent attacks.
### Details
Affected locations (templates not provided in audit):
- `atr/blueprints/admin.py` line 27: template_folder parameter
- `src/asfquart/generics.py`: OAuth templates
- `atr/blueprints/api.py`: API templates
- `atr/api/__init__.py`: API endpoint templates
The audit cannot verify postMessage security without access to frontend
JavaScript code.
### Recommended Remediation
The frontend JavaScript codebase must be audited. Any postMessage listener
should follow this pattern:
1. Validate origin against explicit allowlist (event.origin check)
2. Validate message syntax (try/catch parsing)
3. Validate expected structure/schema (type/structure checks)
4. Discard untrusted messages (early return)
5. Never use wildcard origins in postMessage() calls
```javascript
// isValidAction() and handleTrustedMessage() are application-defined:
// the first checks the action against the set of actions this page
// actually supports, the second does the real work only for accepted messages.
window.addEventListener('message', function(event) {
  // 1. Exact-match origin check against an explicit allowlist
  const TRUSTED_ORIGINS = ['https://your-app.apache.org'];
  if (!TRUSTED_ORIGINS.includes(event.origin)) {
    console.warn('Rejected postMessage from untrusted origin:',
      event.origin);
    return;
  }
  // 2. Syntax check: parse inside try/catch
  let data;
  try {
    data = JSON.parse(event.data);
  } catch (e) {
    console.error('Invalid postMessage syntax');
    return;
  }
  // 3./4. Validate expected structure, discard anything else early
  if (typeof data.action !== 'string' || !isValidAction(data.action)) {
    return;
  }
  handleTrustedMessage(data);
});
```
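The pattern above is written directly as an event listener, which makes it awkward to unit-test (the last acceptance criterion). The following is an added example, not code from the issue or from the tooling-trusted-releases project, that separates the five steps into a pure `validateMessage()` function returning an accept/reject result, a thin listener installer, and a sender helper that refuses wildcard or unlisted `targetOrigin` values. The origin `https://your-app.apache.org`, the action names and their payload shapes are assumptions chosen for illustration; the helpers run under Node with plain objects standing in for `MessageEvent` and `window`.

```javascript
// Added example (not from the issue or the project). The allowlisted origin,
// the action names and the payload predicates are assumptions.
'use strict';

// The allowlist serves both sides: receivers compare event.origin against it
// (step 1) and senders may only use one of its entries as targetOrigin (step 5).
const TRUSTED_ORIGINS = Object.freeze(['https://your-app.apache.org']);

// Step 3: each accepted action carries a predicate describing its payload.
const VALID_ACTIONS = Object.freeze({
  'oauth:complete': (p) => typeof p.code === 'string' && p.code.length > 0,
  'release:refresh': (p) => typeof p.releaseId === 'string',
});

function reject(reason) {
  return { ok: false, reason };
}

// Pure function over the fields of a MessageEvent, so it can be tested
// without a browser. It returns either the validated message or a reason;
// nothing is acted upon here (step 4: discard early).
function validateMessage(event, trustedOrigins = TRUSTED_ORIGINS, validActions = VALID_ACTIONS) {
  // Step 1: includes() compares the whole origin string, so a lookalike host
  // or a prefix match does not pass.
  if (typeof event.origin !== 'string' || !trustedOrigins.includes(event.origin)) {
    return reject('untrusted-origin');
  }
  // Step 2: only accept a string and parse it ourselves inside try/catch.
  if (typeof event.data !== 'string') {
    return reject('data-not-string');
  }
  let data;
  try {
    data = JSON.parse(event.data);
  } catch (e) {
    return reject('invalid-json');
  }
  // Step 3: must be a plain object carrying a known action.
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return reject('not-an-object');
  }
  // hasOwnProperty rather than `in`, so 'constructor' or '__proto__' cannot
  // match inherited properties of the allowlist object.
  if (typeof data.action !== 'string' ||
      !Object.prototype.hasOwnProperty.call(validActions, data.action)) {
    return reject('unknown-action');
  }
  const payload = data.payload;
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload) ||
      !validActions[data.action](payload)) {
    return reject('invalid-payload');
  }
  return { ok: true, action: data.action, payload };
}

// Wires the validator to a window; the handler runs only for messages that
// passed every check.
function installMessageListener(win, handler) {
  win.addEventListener('message', function (event) {
    const result = validateMessage(event);
    if (!result.ok) {
      console.warn('Rejected postMessage:', result.reason, 'from', event.origin);
      return;
    }
    handler(result.action, result.payload);
  });
}

// Sender side (step 5): a wildcard or unlisted targetOrigin would let the
// browser deliver the message to whatever document is loaded in the target.
function postToTrustedWindow(targetWindow, message, targetOrigin) {
  if (targetOrigin === '*' || !TRUSTED_ORIGINS.includes(targetOrigin)) {
    throw new Error('refusing to postMessage to non-allowlisted targetOrigin: ' + targetOrigin);
  }
  targetWindow.postMessage(JSON.stringify(message), targetOrigin);
  return true;
}
```

Because `validateMessage()` takes plain objects, the test cases called for in the acceptance criteria can feed it constructed events (a lookalike origin, malformed JSON, an action named `constructor`, an empty payload) and assert on the returned reason without a browser or a test double for `window`.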
### Acceptance Criteria
- [ ] Frontend JavaScript code is audited for postMessage usage
- [ ] All postMessage listeners validate origin
- [ ] Message structure is validated before processing
- [ ] Wildcard origins are not used
- [ ] Test cases verify origin validation
### References
- Source reports: L2:3.5.5.md
- Related findings: None
- ASVS sections: 3.5.5
### Priority
Medium
---
**Triage notes:** @andrewmusselman check skip lists for .js and .ts
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]