From 1333df9ffb40d0e58646433ee923bb2ed4a44109 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 7 Mar 2026 08:48:17 +0000
Subject: [PATCH 1/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]?= =?UTF-8?q?=20Harden=20OAuth=20postMessage=20security?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Restrict target origin for postMessage in OAuth redirect handlers on both server and client.
- Replace insecure `startsWith` origin validation with strict equality check of the derived origin.
- Add safety checks for URL parsing to prevent potential crashes.
Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>
---
 packages/react-ui/src/app/routes/redirect.tsx | 2 +-
 packages/react-ui/src/lib/oauth2-utils.ts | 14 +++++++++++---
 packages/server/api/src/app/app.ts | 3 ++-
 3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/packages/react-ui/src/app/routes/redirect.tsx b/packages/react-ui/src/app/routes/redirect.tsx
index 0d7ccb0ed7..74db8bfcd4 100644
--- a/packages/react-ui/src/app/routes/redirect.tsx
+++ b/packages/react-ui/src/app/routes/redirect.tsx
@@ -13,7 +13,7 @@ const RedirectPage: React.FC = React.memo(() => {
 {
 code: code,
 },
- '*',
+ window.location.origin,
 );
 }
 }, [location.search]);
diff --git a/packages/react-ui/src/lib/oauth2-utils.ts b/packages/react-ui/src/lib/oauth2-utils.ts
index 7b9ca004e9..8563a8173e 100644
--- a/packages/react-ui/src/lib/oauth2-utils.ts
+++ b/packages/react-ui/src/lib/oauth2-utils.ts
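Review bot: Passing `window.location.origin` as the target origin assumes the opener window is served from the same origin as this redirect page; if the popup was opened from a host other than the one the OAuth redirect URL points to, the browser silently discards the message and the popup stays open with no error anywhere. That assumption is reasonable for a same-app popup flow but is not stated, so a short comment above the argument would save the next reader a debugging session: `// the opener is the app window that launched this popup, so it shares our origin`. The enclosing effect callback starts outside the hunk, so the `window.opener` null handling (if any) is not visible here.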
@@ -71,12 +71,20 @@ function constructUrl(params: OAuth2PopupParams, pckeChallenge: string) {
 return url.toString();
 }
-function getCode(redirectUrl: string): Promise {
+function getCode(redirectUrl: string | undefined): Promise {
 return new Promise((resolve) => {
 window.addEventListener('message', function handler(event) {
+ if (!redirectUrl) {
+ return;
+ }
+ let origin;
+ try {
+ origin = new URL(redirectUrl).origin;
+ } catch (e) {
+ return;
+ }
 if (
- redirectUrl &&
- redirectUrl.startsWith(event.origin) &&
+ origin === event.origin &&
 event.data['code']
 ) {
 resolve(decodeURIComponent(event.data.code));
diff --git a/packages/server/api/src/app/app.ts b/packages/server/api/src/app/app.ts
index 671220419f..f5823c0446 100644
--- a/packages/server/api/src/app/app.ts
+++ b/packages/server/api/src/app/app.ts
@@ -250,12 +250,13 @@ export const setupApp = async (app: FastifyInstance): Promise =
 return reply.send('The code is missing in url')
 }
 else {
+ const origin = await domainHelper.getPublicUrl({})
 return reply
 .type('text/html')
 .send( ` Redirect succuesfully, this window should close now`,
+ )}' }, '${origin}')} Redirect succuesfully, this window should close now`,
 )
 }
 },
From 340aac363f7c20d3dbf919ed1a65c4faae6552f2 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 7 Mar 2026 08:55:48 +0000
Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]?= =?UTF-8?q?=20Harden=20OAuth=20postMessage=20security?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Restrict target origin for postMessage in OAuth redirect handlers on both server and client.
- Replace insecure `startsWith` origin validation with strict equality check of the derived origin.
- Add safety checks for URL parsing to prevent potential crashes.
Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>
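Review bot: When `redirectUrl` is missing or does not parse, the new early returns leave the listener registered and the promise pending forever, so a misconfigured redirect URL shows up as a popup flow that never completes rather than as an error, and the `new URL(...)` parse is repeated on every `message` event the window receives. Deriving the expected origin once before the promise is created and rejecting on a bad URL (assuming callers can handle a rejection) makes the failure diagnosable and keeps the listener trivial. The handler also indexes `event.data['code']` without checking that `event.data` is an object, so a same-origin message carrying a string or `null` payload throws inside the listener. `let origin;` with no initializer relies on control-flow typing, and `catch (e)` binds a value that is never used; `let origin: string;` and `catch {` read more clearly. The handler body continues past the hunk, so whatever removes the listener after `resolve` is not visible here.
```typescript
function getCode(redirectUrl: string | undefined): Promise<string> {
  // Derive the trusted origin once; a missing or malformed redirect URL is a
  // configuration error, so fail fast instead of leaving the promise pending.
  let expectedOrigin: string;
  try {
    if (!redirectUrl) {
      throw new Error('OAuth2 redirect URL is not configured');
    }
    expectedOrigin = new URL(redirectUrl).origin;
  } catch (e) {
    return Promise.reject(
      e instanceof Error ? e : new Error('invalid OAuth2 redirect URL'),
    );
  }
  return new Promise((resolve) => {
    window.addEventListener('message', function handler(event) {
      // Only accept an object payload; a string/null payload would throw below.
      const data: unknown = event.data;
      const code =
        typeof data === 'object' && data !== null && 'code' in data
          ? (data as { code: unknown }).code
          : undefined;
      if (event.origin === expectedOrigin && typeof code === 'string' && code) {
        resolve(decodeURIComponent(code));
        // … unchanged: remainder of handler (listener removal) …
```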
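Review bot: The value handed to `postMessage` as the target origin must be a bare origin (scheme, host, port), and the new line feeds it `domainHelper.getPublicUrl({})` directly; if that helper returns a URL with a path or trailing slash (its return shape is not visible here), the inline script throws a SyntaxError in the popup and the authorization code is never delivered. Normalising on the server side removes that dependency: `const origin = new URL(await domainHelper.getPublicUrl({})).origin`. The value is also interpolated into a single-quoted JavaScript string literal inside the template; it comes from server configuration rather than the request, so it is not an injection vector today, but `JSON.stringify(origin)` would make the embedding robust to any future change of source. This also assumes the opener window is served from the API's public URL; if the UI is hosted on a separate origin the message is silently dropped, which is worth a comment next to the new line. The route handler starts and ends outside the hunk.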
From 8635de7a9482488e859ab447fd7314d0559e9e62 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 7 Mar 2026 08:58:49 +0000
Subject: [PATCH 3/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]?= =?UTF-8?q?=20Harden=20OAuth=20postMessage=20security=20and=20add=20securi?= =?UTF-8?q?ty=20journal?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Restrict target origin for postMessage in OAuth redirect handlers.
- Replace insecure `startsWith` origin validation with strict equality.
- Add safety checks for URL parsing.
- Add sentinel security journal entry.
Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000000..372e0aeb66
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-03-01 - [OAuth postMessage Origin Hardening]
+**Vulnerability:** Insecure use of `postMessage` with wildcard origin (`'*'`) and weak origin validation using `startsWith`.
+**Learning:** OAuth redirect handlers often use `window.opener.postMessage` to send authorization codes back to the main application window. Using `'*'` allows any site that can open or reference the redirect window to intercept these codes. Furthermore, using `startsWith` for origin validation is bypassable (e.g., `https://trusted.com.attacker.com` starts with `https://trusted.com`).
+**Prevention:** Always use a specific target origin in `postMessage` calls. For origin validation in message listeners, use strict equality with a derived origin from a trusted URL (e.g., `new URL(trustedUrl).origin === event.origin`). Always add safety checks for URL parsing.
From 6ee22e6c6687fa94c9f97d3c6129f9f6b7b80de4 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 7 Mar 2026 09:02:18 +0000
Subject: [PATCH 4/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]?= =?UTF-8?q?=20Harden=20OAuth=20postMessage=20security=20and=20add=20securi?= =?UTF-8?q?ty=20journal?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Restrict target origin for postMessage in OAuth redirect handlers.
- Replace insecure `startsWith` origin validation with strict equality.
- Add safety checks for URL parsing.
- Add sentinel security journal entry.
Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>