
[Bug - next-pwa]: Security issue when analyze with sonarqube #164

Open
gintoki05 opened this issue Nov 14, 2024 · 2 comments
Labels: bug, next-pwa, triage

@gintoki05

Provide environment information

Next js 14
"@ducanh2912/next-pwa": "^10.2.9",

Link to reproduction - Issues with a link to complete (but minimal) reproduction code help us address them faster

Sorry, I don't understand this.

To reproduce

Deploy with Docker to GitLab and auto-analyze with SonarQube.

Describe the bug

I got a security issue when deploying in GitLab and analyzing with SonarQube:

Verify the origin of the received message.

and this is why the issue appears:

Browsers allow message exchanges between Window objects of different origins.

Because any window can send or receive messages from another window, it is important to verify the sender’s/receiver’s identity:

When sending a message with the postMessage method, the identity’s receiver should be defined (the wildcard keyword (*) should not be used).
When receiving a message with a message event, the sender’s identity should be verified using the origin and possibly source properties.
Noncompliant Code Example

When sending a message:

```javascript
var iframe = document.getElementById("testiframe");
iframe.contentWindow.postMessage("secret", "*"); // Noncompliant: * is used
```

When receiving a message:

```javascript
window.addEventListener("message", function(event) { // Noncompliant: no checks are done on the origin property.
  console.log(event.data);
});
```

Compliant Solution

When sending a message:

```javascript
var iframe = document.getElementById("testsecureiframe");
iframe.contentWindow.postMessage("hello", "https://secure.example.com"); // Compliant
```

When receiving a message:

```javascript
window.addEventListener("message", function(event) {
  if (event.origin !== "http://example.org") // Compliant
    return;

  console.log(event.data);
});
```
See
OWASP Top 10 2021 Category A1 - Broken Access Control
OWASP Top 10 2017 Category A2 - Broken Authentication
developer.mozilla.org - postMessage API
MITRE, CWE-345 - Insufficient Verification of Data Authenticity

Expected behavior

No security issue appears in SonarQube.

Screenshots (if relevant)

No response

Additional information (if relevant)

No response
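As an added example (not code from the issue, from next-pwa or from Workbox), here is a listener that applies both checks the SonarQube rule asks for, an origin allowlist and an optional source pin, plus a sender that refuses the wildcard target; the origins and function names are assumed sample values.

```javascript
// Added example (not from the issue, next-pwa or Workbox): a message
// listener that applies the two checks SonarQube asks for. The origins
// below are constructed sample values.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://secure.example.com",
]);

// Returns the payload when the event passes every check, otherwise null.
// `event` is a MessageEvent-like object; `expectedSource` optionally pins
// the sender to one known Window (for example a specific iframe).
function acceptMessage(event, trustedOrigins = TRUSTED_ORIGINS, expectedSource = null) {
  // event.origin is set by the browser, so it is the reliable identity.
  // Compare the full string; a startsWith/indexOf test would also accept
  // look-alike origins that merely contain the trusted name.
  if (typeof event.origin !== "string" || !trustedOrigins.has(event.origin)) {
    return null;
  }
  if (expectedSource !== null && event.source !== expectedSource) {
    return null;
  }
  // The origin is trusted, but the payload is still external input:
  // require a known shape before acting on it.
  const data = event.data;
  if (data === null || typeof data !== "object" || typeof data.type !== "string") {
    return null;
  }
  return data;
}

// Sending side: name the target origin instead of "*" so the browser drops
// the message if the frame has navigated to a different origin.
function sendToFrame(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to send with wildcard targetOrigin");
  }
  targetWindow.postMessage(payload, targetOrigin);
}

// Browser wiring; guarded so the file also loads under Node for testing.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const msg = acceptMessage(event);
    if (msg !== null) console.log("accepted message of type", msg.type);
  });
}
```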

@DuCanhGH (Owner)

DuCanhGH commented Nov 20, 2024

@gintoki05 not sure if this is related to next-pwa. Where does that code come from? Surely not Workbox, right? Also, those seem to be easy-to-fix errors—just do as it instructs you to.

@gintoki05 (Author) commented

I think it's from Workbox, so I'm moving to Serwist now.
