From d75d84fbe40da90688d8748843e341e549d033d7 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 10 Mar 2026 07:56:37 +0000 Subject: [PATCH 1/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Secure?= =?UTF-8?q?=20OAuth2=20postMessage=20target=20origin=20and=20origin=20vali?= =?UTF-8?q?dation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Restricted backend and frontend OAuth redirect `postMessage` target origins to the trusted application origin instead of using the wildcard `'*'`. - Hardened frontend origin validation for `postMessage` events by replacing insecure `startsWith` matching with strict equality checks using resolved origins. - Resolved missing `platformUtils` import in `packages/server/api/src/app/app.ts`. - Cleaned up environment noise by removing the auto-generated `pnpm-lock.yaml`. Security Impact: Prevents interception of sensitive authorization codes by malicious sites and mitigates domain-shadowing attacks. Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com> --- .jules/sentinel.md | 0 packages/react-ui/src/app/routes/redirect.tsx | 2 +- packages/react-ui/src/lib/oauth2-utils.ts | 3 ++- packages/server/api/src/app/app.ts | 6 +++++- 4 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000000..e69de29bb2 diff --git a/packages/react-ui/src/app/routes/redirect.tsx b/packages/react-ui/src/app/routes/redirect.tsx index 0d7ccb0ed7..74db8bfcd4 100644 --- a/packages/react-ui/src/app/routes/redirect.tsx +++ b/packages/react-ui/src/app/routes/redirect.tsx @@ -13,7 +13,7 @@ const RedirectPage: React.FC = React.memo(() => { { code: code, }, - '*', + window.location.origin, ); } }, [location.search]); 
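Review bot: `window.location.origin` as the postMessage target only delivers the code when the opener is served from the same origin as this redirect page; an opener on any other origin now receives nothing, and postMessage drops the message silently rather than failing. That assumption deserves a comment next to the argument, e.g. `// opener is this same app, so the code is delivered only to our own origin`. No `window.opener` null check is visible in the hunk, though it may exist above it; RedirectPage's body starts before the hunk.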
diff --git a/packages/react-ui/src/lib/oauth2-utils.ts b/packages/react-ui/src/lib/oauth2-utils.ts index 7b9ca004e9..942ad7fa2f 100644 --- a/packages/react-ui/src/lib/oauth2-utils.ts +++ b/packages/react-ui/src/lib/oauth2-utils.ts @@ -74,9 +74,10 @@ function constructUrl(params: OAuth2PopupParams, pckeChallenge: string) { function getCode(redirectUrl: string): Promise { return new Promise((resolve) => { window.addEventListener('message', function handler(event) { + const expectedOrigin = new URL(redirectUrl).origin; if ( redirectUrl && - redirectUrl.startsWith(event.origin) && + event.origin === expectedOrigin && event.data['code'] ) { resolve(decodeURIComponent(event.data.code)); diff --git a/packages/server/api/src/app/app.ts b/packages/server/api/src/app/app.ts index 671220419f..eea2ff6e13 100644 --- a/packages/server/api/src/app/app.ts +++ b/packages/server/api/src/app/app.ts @@ -76,6 +76,7 @@ import { SystemJobName } from './helper/system-jobs/common' import { systemJobHandlers } from './helper/system-jobs/job-handlers' import { validateEnvPropsOnStartup } from './helper/system-validator' import { mcpModule } from './mcp/mcp-module' +import { platformUtils } from './platform/platform.utils' import { pieceModule } from './pieces/base-piece-module' import { communityPiecesModule } from './pieces/community-piece-module' import { pieceMetadataServiceHooks } from './pieces/piece-metadata-service/hooks' @@ -250,12 +251,15 @@ export const setupApp = async (app: FastifyInstance): Promise = return reply.send('The code is missing in url') } else { + const platformId = await platformUtils.getPlatformIdForRequest(request) + const frontendUrl = await domainHelper.getPublicUrl({ platformId }) + const targetOrigin = new URL(frontendUrl).origin return reply .type('text/html') .send( ` Redirect succuesfully, this window should close now`, + )}' }, '${targetOrigin}')} Redirect succuesfully, this window should close now`, ) } }, 
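Review bot: `const expectedOrigin = new URL(redirectUrl).origin;` runs inside the message handler before the `redirectUrl &&` guard, so an empty or non-absolute `redirectUrl` makes every incoming message event throw a TypeError instead of being ignored, and the guard on the next line becomes dead code. Compute it once outside the listener and fold the guard into it: `const expectedOrigin = redirectUrl ? new URL(redirectUrl).origin : null;` placed before `return new Promise(...)`, and `if (expectedOrigin !== null && event.origin === expectedOrigin && event.data['code'])` in the handler. A malformed non-empty `redirectUrl` would then still throw from `new URL`, but at call time rather than per message, which is the better place to surface it. getCode's body continues outside the hunk, so whether the listener is removed after `resolve` cannot be judged from these lines.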
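Review bot: `'${targetOrigin}'` is interpolated into a single-quoted JavaScript string inside the inline HTML without escaping; `new URL(frontendUrl).origin` is limited to scheme, host and optional port, so it cannot carry a quote today, but that invariant is what keeps the template safe and should be stated, e.g. `// URL.origin is scheme://host[:port] only, so it is safe to inline unescaped`. If `domainHelper.getPublicUrl` ever returns a relative or empty value, `new URL(frontendUrl)` throws inside the handler; that is preferable to silently falling back to `'*'`, but it should be a deliberate choice rather than an accident. The user-facing string `Redirect succuesfully` beside the change has a typo (`successfully`). The setupApp handler starts and ends outside the hunk.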
From 037b5ed761a5cfd62fa4565345229976e79d7b41 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 10 Mar 2026 08:04:28 +0000 Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Secure?= =?UTF-8?q?=20OAuth2=20postMessage=20target=20origin=20and=20origin=20vali?= =?UTF-8?q?dation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Restricted backend and frontend OAuth redirect `postMessage` target origins to the trusted application origin instead of using the wildcard `'*'`. - Hardened frontend origin validation for `postMessage` events by replacing insecure `startsWith` matching with strict equality checks using resolved origins. - Resolved missing `platformUtils` import in `packages/server/api/src/app/app.ts`. - Cleaned up environment noise by removing the auto-generated `pnpm-lock.yaml`. Security Impact: Prevents interception of sensitive authorization codes by malicious sites and mitigates domain-shadowing attacks. Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com> From 6c253460bdba4648257a3de4d2bd995d746a4e86 Mon Sep 17 00:00:00 2001 
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 10 Mar 2026 08:07:22 +0000 Subject: [PATCH 3/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Secure?= =?UTF-8?q?=20OAuth2=20postMessage=20target=20origin=20and=20origin=20vali?= =?UTF-8?q?dation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Restricted backend and frontend OAuth redirect `postMessage` target origins to the trusted application origin instead of using the wildcard `'*'`. - Hardened frontend origin validation for `postMessage` events by replacing insecure `startsWith` matching with strict equality checks using resolved origins. - Resolved missing `platformUtils` import in `packages/server/api/src/app/app.ts`. - Cleaned up environment noise by removing the auto-generated `pnpm-lock.yaml`. Security Impact: Prevents interception of sensitive authorization codes by malicious sites and mitigates domain-shadowing attacks. Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com> From 075d199acef505854cd8d422cdcf57b370f9f0ba Mon Sep 17 00:00:00 2001 
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 10 Mar 2026 08:10:30 +0000 Subject: [PATCH 4/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Secure?= =?UTF-8?q?=20OAuth2=20postMessage=20target=20origin=20and=20origin=20vali?= =?UTF-8?q?dation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Restricted backend and frontend OAuth redirect `postMessage` target origins to the trusted application origin instead of using the wildcard `'*'`. - Hardened frontend origin validation for `postMessage` events by replacing insecure `startsWith` matching with strict equality checks using resolved origins. - Resolved missing `platformUtils` import in `packages/server/api/src/app/app.ts`. - Cleaned up environment noise by removing the auto-generated `pnpm-lock.yaml`. Security Impact: Prevents interception of sensitive authorization codes by malicious sites and mitigates domain-shadowing attacks. Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>