Avoid Cross Site Scripting Vectors To/From the Simulator Iframe (microsoft#7473)

aznhassan · web-flow · commit da225d75caba · 2020-09-28T12:53:50.000-07:00
* Check the origin of MessageEvents in the SimulatorDriver

* Move origin check into a helper function

* Move helper function into runtime.ts

* Have the embedded frame check the origin of th received message

* Use the simUrl when posting messages to the sim iframe

* Use the simUrl when creating or receiving messages from the sim iframe

* Add logging to messageOriginExpected

* Using * when posting to the sim iframe when running on local host

* Don't use the simUrl when posting messages to the parent window

* Use the SimDriver's origin when passing messages onto the parent window

* Don't test the origin in the simulator iframe

* Check only the main domain when receiving messages from the sim

* Include the SimDriver origin when loading a sim iframe

* Add more logging

* Use the parent origin when sending messages to the sim driver's parent window

* Only set the parent origin on the sim driver when it has a parent window

* Allow message from the sim domain, the current origin, and the given parent window's origin

* Include the parent origin in the streamer page so editors can send/receive message from the parent origin.

* Remove extra logging

* Remove the parent origin from the simulator search params

When we decide to check the origin of received messages in the simulator,
as well as when we post messages back to the simulator frame's parent window,
then we'll should put this back. That way, we'll be able to do something with
it, vs leaving it and having it do nothing.

* Remove empty line change from embed.ts

* Encode and decode the parentOrigin URI

* Use !== not != when checking the port and protocol of the given origin

* Don't include | null in type since strict null checking is disabled

* Use the current origin when sending messages to dependant editors

* Use a set of expected origins in the SimulatorDriver

* Minor fixes found in PR comments

* Remove use of pxt.reportException in the pxtsim

This is mostly due to size considerations as including the pxtlib
in pxtsim will increase the file size. Perhaps the analytics portion
of the lib can split out of pxtlib so other parts of the project that
want to use it can.

* Use an array instead of a Set for the expected origins
diff --git a/docs/multi.html b/docs/multi.html
@@ -78,7 +78,7 @@
             var selectRight = document.getElementById("selectright");
             var divider = document.getElementById("divider");
             var localhost = /localhost=1/.test(window.location.href)
-            var flags = "?nestededitorsim=1&editorlayout=ide&nosandbox=1";
+            var flags = "?nestededitorsim=1&editorlayout=ide&nosandbox=1&parentOrigin=" + encodeURIComponent(window.location.origin);
             var ratio = .5;
             var dividerWidth = 14;
 
@@ -167,7 +167,7 @@
 
             setWidths();
             handleHash();
-        })();        
+        })();
     </script>
     <!-- @include tracking.html -->
 </body>
diff --git a/docs/static/streamer/script.js b/docs/static/streamer/script.js
@@ -730,7 +730,7 @@ function onYouTubeIframeAPIReady() {
             loadStyle();
             return;
         }
-        let url = `${editorConfig.url}?editorLayout=ide&nosandbox=1`;
+        let url = `${editorConfig.url}?editorLayout=ide&nosandbox=1&parentOrigin=${encodeURIComponent(window.location.origin)}`;
         if (config.multiEditor)
             url += `&nestededitorsim=1`;
         if (hash)
diff --git a/docs/static/streamer/streamer.ts b/docs/static/streamer/streamer.ts
@@ -876,7 +876,7 @@ function onYouTubeIframeAPIReady() {
             return;
         }
 
-        let url = `${editorConfig.url}?editorLayout=ide&nosandbox=1`;
+        let url = `${editorConfig.url}?editorLayout=ide&nosandbox=1&parentOrigin=${encodeURIComponent(window.location.origin)}`;
         if (config.multiEditor)
             url += `&nestededitorsim=1`;
         if (hash)
diff --git a/pxtsim/simdriver.ts b/pxtsim/simdriver.ts
@@ -18,6 +18,7 @@ namespace pxsim {
         // instead of spanning multiple simulators,
         // dispatch messages to parent window
         nestedEditorSim?: boolean;
+        parentOrigin?: string
     }
 
     export enum SimulatorState {
@@ -76,12 +77,23 @@ namespace pxsim {
         public state = SimulatorState.Unloaded;
         public hwdbg: HwDebugger;
         private _dependentEditors: Window[];
+        private _allowedOrigins: string[] = [];
 
         // we might "loan" a simulator when the user is recording
         // screenshots for sharing
         private loanedSimulator: HTMLDivElement;
 
         constructor(public container: HTMLElement, public options: SimulatorDriverOptions = {}) {
+            this._allowedOrigins.push(window.location.origin);
+            if (options.parentOrigin) {
+                this._allowedOrigins.push(options.parentOrigin)
+            }
+            try {
+                const simUrl = new URL(this.getSimUrl())
+                this._allowedOrigins.push(simUrl.origin)
+            } catch (e) {
+                console.error(`Invalid sim url ${this.getSimUrl()}`)
+            }
         }
 
         isDebug() {
@@ -246,6 +258,10 @@ namespace pxsim {
             return frames;
         }
 
+        private getSimUrl(): string {
+            return this.options.simUrl || ((window as any).pxtConfig || {}).simUrl || "/sim/simulator.html"
+        }
+
         public postMessage(msg: pxsim.SimulatorMessage, source?: Window) {
             if (this.hwdbg) {
                 this.hwdbg.postMessage(msg)
@@ -255,19 +271,23 @@ namespace pxsim {
             const broadcastmsg = msg as pxsim.SimulatorBroadcastMessage;
             const depEditors = this.dependentEditors();
             let frames = this.simFrames();
+            const simUrl = U.isLocalHost() ? "*" : this.getSimUrl();
             if (source && broadcastmsg && !!broadcastmsg.broadcast) {
                 // the editor is hosted in a multi-editor setting
                 // don't start extra frames
                 const parentWindow = window.parent && window.parent !== window.window
                     ? window.parent : window.opener;
                 if (this.options.nestedEditorSim && parentWindow) {
                     // if message comes from parent already, don't echo
-                    if (source !== parentWindow)
-                        parentWindow.postMessage(msg, "*");
+                    if (source !== parentWindow) {
+                        const parentOrigin = this.options.parentOrigin || window.location.origin
+                        parentWindow.postMessage(msg, parentOrigin);
+                    }
                 } else if (depEditors) {
                     depEditors.forEach(w => {
                         if (source !== w)
-                            w.postMessage(msg, "*")
+                            // dependant editors should be in the same origin
+                            w.postMessage(msg, window.location.origin)
                     });
                 } else {
                     // start secondary frame if needed
@@ -288,7 +308,7 @@ namespace pxsim {
                 // frame not in DOM
                 if (!frame.contentWindow) continue;
 
-                frame.contentWindow.postMessage(msg, "*");
+                frame.contentWindow.postMessage(msg, simUrl);
 
                 // don't start more than 1 recorder
                 if (msg.type == 'recorder'
@@ -307,9 +327,8 @@ namespace pxsim {
             frame.allowFullscreen = true;
             frame.setAttribute('allow', 'autoplay');
             frame.setAttribute('sandbox', 'allow-same-origin allow-scripts');
-            let simUrl = this.options.simUrl || ((window as any).pxtConfig || {}).simUrl || "/sim/simulator.html"
             frame.className = 'no-select'
-            frame.src = simUrl + '#' + frame.id;
+            frame.src = this.getSimUrl() + '#' + frame.id;
             frame.frameBorder = "0";
             frame.dataset['runid'] = this.runId;
 
@@ -601,6 +620,12 @@ namespace pxsim {
             if (!this.listener) {
                 this.listener = (ev: MessageEvent) => {
                     if (this.hwdbg) return
+
+                    if (U.isLocalHost()) {
+                        // no-op
+                    } else {
+                        if (!this._allowedOrigins.find(origin => origin === ev.origin)) return
+                    }
                     this.handleMessage(ev.data, ev.source as Window)
                 }
                 window.addEventListener('message', this.listener, false);
diff --git a/webapp/public/multi.html b/webapp/public/multi.html
@@ -53,7 +53,7 @@
             var divider = document.getElementById("divider");
             var localhost = window.location.hostname == "localhost";
             var editor = (pxtConfig ? pxtConfig.relprefix : '/').replace(/-*$/, '');
-            var flags = "?nestededitorsim=1&editorlayout=ide&nosandbox=1";
+            var flags = "?nestededitorsim=1&editorlayout=ide&nosandbox=1&parentOrigin=" + encodeURIComponent(window.location.origin);
             var ratio = .5;
             var dividerWidth = 14;
 
@@ -136,7 +136,7 @@
             }
             setWidths();
             handleHash();
-        })();        
+        })();
     </script>
     <!-- @include tracking.html -->
 </body>
diff --git a/webapp/src/simulator.ts b/webapp/src/simulator.ts
@@ -45,6 +45,21 @@ export function init(root: HTMLElement, cfg: SimulatorConfig) {
     root.appendChild(debuggerDiv);
 
     const nestedEditorSim = /nestededitorsim=1/i.test(window.location.href);
+    let parentOrigin: string = null;
+    if (window.parent !== window) {
+        const searchParams = new URLSearchParams(window.location.search);
+        const origin = searchParams.get("parentOrigin")
+
+        // validate the URI
+        if (!!origin) {
+            try {
+                const originUrl = new URL(origin);
+                parentOrigin = originUrl.origin
+            } catch (e) {
+                console.error(`Invalid parent origin: ${origin}`)
+            }
+        }
+    }
 
     let options: pxsim.SimulatorDriverOptions = {
         restart: () => cfg.restartSimulator(),
@@ -219,7 +234,8 @@ export function init(root: HTMLElement, cfg: SimulatorConfig) {
         },
         stoppedClass: pxt.appTarget.simulator && pxt.appTarget.simulator.stoppedClass,
         invalidatedClass: pxt.appTarget.simulator && pxt.appTarget.simulator.invalidatedClass,
-        nestedEditorSim: nestedEditorSim
+        nestedEditorSim: nestedEditorSim,
+        parentOrigin: parentOrigin
     };
     driver = new pxsim.SimulatorDriver(document.getElementById('simulators'), options);
     config = cfg

Original file line number	Diff line number	Diff line change
`@@ -730,7 +730,7 @@ function onYouTubeIframeAPIReady() {`
`730`	`730`	`loadStyle();`
`731`	`731`	`return;`
`732`	`732`	`}`
`733`		- let url = `${editorConfig.url}?editorLayout=ide&nosandbox=1`;
	`733`	+ let url = `${editorConfig.url}?editorLayout=ide&nosandbox=1&parentOrigin=${encodeURIComponent(window.location.origin)}`;
`734`	`734`	`if (config.multiEditor)`
`735`	`735`	url += `&nestededitorsim=1`;
`736`	`736`	`if (hash)`
Original file line number	Diff line number	Diff line change
`@@ -876,7 +876,7 @@ function onYouTubeIframeAPIReady() {`
`876`	`876`	`return;`
`877`	`877`	`}`
`878`	`878`
`879`		- let url = `${editorConfig.url}?editorLayout=ide&nosandbox=1`;
	`879`	+ let url = `${editorConfig.url}?editorLayout=ide&nosandbox=1&parentOrigin=${encodeURIComponent(window.location.origin)}`;
`880`	`880`	`if (config.multiEditor)`
`881`	`881`	url += `&nestededitorsim=1`;
`882`	`882`	`if (hash)`