From f849f97299015a61e1ba7fd39bad3e638818c9f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomislav=20Hora=C4=8Dek?= <tomislav@tt-media.hr>
Date: Fri, 19 Apr 2024 16:21:26 +0200
Subject: [PATCH] fix(extension): LW-10206 fix trezor security vulnerabilities
 (#1023)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(extension): fix trezor security vulnerabilities

* fix(extension): add missing types

---------

Co-authored-by: Szymon Masłowski <szymon.maslowski@iohk.io>
---
 .../src/lib/scripts/trezor/trezor-content-script.ts   |  2 ++
 .../src/lib/scripts/trezor/trezor-usb-permissions.ts  | 11 +++++------
 .../src/lib/scripts/trezor/types.ts                   |  4 ++++
 3 files changed, 11 insertions(+), 6 deletions(-)
 create mode 100644 apps/browser-extension-wallet/src/lib/scripts/trezor/types.ts

diff --git a/apps/browser-extension-wallet/src/lib/scripts/trezor/trezor-content-script.ts b/apps/browser-extension-wallet/src/lib/scripts/trezor/trezor-content-script.ts
index 523adc068..54ce65a6c 100644
--- a/apps/browser-extension-wallet/src/lib/scripts/trezor/trezor-content-script.ts
+++ b/apps/browser-extension-wallet/src/lib/scripts/trezor/trezor-content-script.ts
@@ -1,4 +1,5 @@
 import { runtime } from 'webextension-polyfill';
+import { AllowedOrigins } from './types';
 
 // Communicate from background script to popup
 let port = runtime.connect({ name: 'trezor-connect' });
@@ -12,6 +13,7 @@ port.onDisconnect.addListener(() => {
 
 // communicate from popup to background script
 window.addEventListener('message', (event) => {
+  if (event.origin !== AllowedOrigins.TREZOR_CONNECT) throw new Error('Origin not allowed');
   if (port && event.source === window && event.data) {
     port.postMessage({ data: event.data });
   }
diff --git a/apps/browser-extension-wallet/src/lib/scripts/trezor/trezor-usb-permissions.ts b/apps/browser-extension-wallet/src/lib/scripts/trezor/trezor-usb-permissions.ts
index 4fbfff55e..06423a09f 100644
--- a/apps/browser-extension-wallet/src/lib/scripts/trezor/trezor-usb-permissions.ts
+++ b/apps/browser-extension-wallet/src/lib/scripts/trezor/trezor-usb-permissions.ts
@@ -1,8 +1,5 @@
 import { runtime, tabs } from 'webextension-polyfill';
-
-// Handling messages from usb permissions iframe
-
-const url = 'https://connect.trezor.io/8/';
+import { AllowedOrigins } from './types';
 
 /* Handling messages from usb permissions iframe */
 const switchToPopupTab = async (event?: BeforeUnloadEvent) => {
@@ -21,13 +18,15 @@ const switchToPopupTab = async (event?: BeforeUnloadEvent) => {
 
   // find tab by popup pattern and switch to it
   const currentTabs = await tabs.query({
-    url: `${url}popup.html`
+    url: `${AllowedOrigins.TREZOR_CONNECT_POPUP_BASE_URL}/popup.html`
   });
   if (currentTabs.length < 0) return;
   tabs.update(currentTabs[0].id, { active: true });
 };
 
 window.addEventListener('message', async (event) => {
+  if (event.origin !== AllowedOrigins.TREZOR_CONNECT) throw new Error('Origin not allowed');
+
   if (event.data === 'usb-permissions-init') {
     const iframe = document.querySelector('#trezor-usb-permissions');
     if (!iframe || !(iframe instanceof HTMLIFrameElement)) {
@@ -55,7 +54,7 @@ window.addEventListener('load', () => {
   instance.style.border = '0px';
   instance.style.width = '100%';
   instance.style.height = '100%';
-  instance.setAttribute('src', `${url}extension-permissions.html`);
+  instance.setAttribute('src', `${AllowedOrigins.TREZOR_CONNECT_POPUP_BASE_URL}/extension-permissions.html`);
   instance.setAttribute('allow', 'usb');
 
   if (document.body) {
diff --git a/apps/browser-extension-wallet/src/lib/scripts/trezor/types.ts b/apps/browser-extension-wallet/src/lib/scripts/trezor/types.ts
new file mode 100644
index 000000000..e4690c226
--- /dev/null
+++ b/apps/browser-extension-wallet/src/lib/scripts/trezor/types.ts
@@ -0,0 +1,4 @@
+export enum AllowedOrigins {
+  TREZOR_CONNECT = 'https://connect.trezor.io',
+  TREZOR_CONNECT_POPUP_BASE_URL = 'https://connect.trezor.io/8'
+}