Skip to content

🛡️ Sentinel: Fix insecure postMessage wildcard in OAuth2 redirects #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
AGI-Corporation wants to merge 4 commits into
base: main
Choose a base branch
from
Open

🛡️ Sentinel: Fix insecure postMessage wildcard in OAuth2 redirects #10

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a0e04b0
fix(security): restrict postMessage target origin in OAuth2 redirects
google-labs-jules[bot] Mar 6, 2026
f0aaf5b
fix(security): restrict postMessage target origin in OAuth2 redirects
google-labs-jules[bot] Mar 6, 2026
87c9d79
fix(security): restrict postMessage target origin in OAuth2 redirects
google-labs-jules[bot] Mar 6, 2026
665984e
fix(security): restrict postMessage target origin in OAuth2 redirects
google-labs-jules[bot] Mar 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Empty file added .jules/sentinel.md
View file
Open in desktop
Empty file.
2 changes: 1 addition & 1 deletion packages/react-ui/src/app/routes/redirect.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ const RedirectPage: React.FC = React.memo(() => {
{
code: code,
},
'*',
window.location.origin,
);
}
}, [location.search]);
Expand Down
3 changes: 2 additions & 1 deletion packages/react-ui/src/lib/oauth2-utils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,9 +74,10 @@ function constructUrl(params: OAuth2PopupParams, pckeChallenge: string) {
function getCode(redirectUrl: string): Promise<string> {
return new Promise<string>((resolve) => {
window.addEventListener('message', function handler(event) {
const expectedOrigin = new URL(redirectUrl).origin;
if (
redirectUrl &&
redirectUrl.startsWith(event.origin) &&
event.origin === expectedOrigin &&
event.data['code']
Comment on lines 76 to 81
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n packages/react-ui/src/lib/oauth2-utils.ts

Repository: AGI-Corporation/Route.X

Length of output: 3309

Add event.source === currentPopup check to bind the message to the correct popup window.

The current code accepts messages from any same-origin window. If multiple OAuth2 flows execute in sequence, a stale popup from the previous flow—or another tab on the same domain—could satisfy the origin check and resolve the promise with an unrelated authorization code. The listener should verify that the message originates from the popup window opened for this specific flow.

Additionally, add defensive property checks for event.data['code'] to avoid unsafe access (replace with typeof event.data === 'object' && event.data !== null && 'code' in event.data).

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@packages/react-ui/src/lib/oauth2-utils.ts` around lines 76 - 81, In the
message event handler (the function named handler passed to
window.addEventListener in oauth2-utils.ts) tighten the condition to ensure the
message comes from the specific popup by adding an event.source === currentPopup
check, and replace the unsafe event.data['code'] access with a defensive check
like typeof event.data === 'object' && event.data !== null && 'code' in
event.data; keep the existing redirectUrl and expectedOrigin checks so the full
gating becomes redirectUrl && event.source === currentPopup && event.origin ===
expectedOrigin && typeof event.data === 'object' && event.data !== null &&
'code' in event.data before resolving/consuming the code and removing the
listener.

) {
resolve(decodeURIComponent(event.data.code));
Expand Down
11 changes: 8 additions & 3 deletions packages/server/api/src/app/app.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ import { pieceMetadataServiceHooks } from './pieces/piece-metadata-service/hooks
import { pieceSyncService } from './pieces/piece-sync-service'
import { platformModule } from './platform/platform.module'
import { platformService } from './platform/platform.service'
import { platformUtils } from './platform/platform.utils'
import { projectHooks } from './project/project-hooks'
import { projectModule } from './project/project-module'
import { storeEntryModule } from './store-entry/store-entry.module'
Expand Down Expand Up @@ -250,12 +251,16 @@ export const setupApp = async (app: FastifyInstance): Promise<FastifyInstance> =
return reply.send('The code is missing in url')
}
else {
const platformId = await platformUtils.getPlatformIdForRequest(request)
const targetOrigin = await domainHelper.getPublicUrl({
platformId,
})
return reply
.type('text/html')
.send(
`<script>if(window.opener){window.opener.postMessage({ 'code': '${encodeURIComponent(
params.code,
)}' },'*')}</script> <html>Redirect succuesfully, this window should close now</html>`,
`<script>if(window.opener){window.opener.postMessage(${JSON.stringify({
code: params.code,
})}, ${JSON.stringify(targetOrigin)})}</script> <html>Redirect successfully, this window should close now</html>`,
)
}
},
Expand Down
Loading