From 46c64ebbe37336ef27f106c47b28eb6b8ef319a0 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Wed, 11 Mar 2026 08:01:34 +0000 Subject: [PATCH 1/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]?= =?UTF-8?q?=20Fix=20insecure=20postMessage=20origin=20in=20OAuth=20redirec?= =?UTF-8?q?ts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restricted the target origin of `window.postMessage` in both server-side and client-side OAuth redirect handlers. Using a wildcard origin (`'*'`) is insecure as it allows sensitive authorization codes to be intercepted by malicious origins. - In `packages/server/api/src/app/app.ts`, the `/redirect` route now resolves the platform-specific frontend origin. - In `packages/react-ui/src/app/routes/redirect.tsx`, the `targetOrigin` is restricted to `window.location.origin`. - Updated `.jules/sentinel.md` with details of this vulnerability and prevention strategy. Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com> --- .jules/sentinel.md | 4 ++++ packages/react-ui/src/app/routes/redirect.tsx | 2 +- packages/server/api/src/app/app.ts | 5 ++++- 3 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000000..cf53f53450
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2025-05-15 - [HIGH] Insecure postMessage Origin in OAuth Redirects
+**Vulnerability:** Use of wildcard origin (`'*'`) in `window.postMessage` calls within OAuth redirect handlers (both server-side generated HTML and client-side React routes).
+**Learning:** Wildcard origins in `postMessage` allow any site that can open or iframe the redirect page to intercept sensitive information, such as OAuth authorization codes. In a multi-tenant environment (like Activepieces with custom domains), the expected origin must be resolved dynamically.
+**Prevention:** Always restrict the `targetOrigin` to a trusted value. For client-side redirects, use `window.location.origin` if the communication is same-origin. For server-side generated redirects, use platform-aware URL resolvers (e.g., `domainHelper.getPublicUrl`) to determine the correct frontend origin.
diff --git a/packages/react-ui/src/app/routes/redirect.tsx b/packages/react-ui/src/app/routes/redirect.tsx
index 0d7ccb0ed7..74db8bfcd4 100644
--- a/packages/react-ui/src/app/routes/redirect.tsx
+++ b/packages/react-ui/src/app/routes/redirect.tsx
@@ -13,7 +13,7 @@ const RedirectPage: React.FC = React.memo(() => {
 {
 code: code,
 },
- '*',
+ window.location.origin,
 );
 }
 }, [location.search]);
diff --git a/packages/server/api/src/app/app.ts b/packages/server/api/src/app/app.ts
index 671220419f..684c497ca5 100644
--- a/packages/server/api/src/app/app.ts
+++ b/packages/server/api/src/app/app.ts
@@ -250,12 +250,15 @@ export const setupApp = async (app: FastifyInstance): Promise =
 return reply.send('The code is missing in url')
 } else {
+ const platformId = await platformUtils.getPlatformIdForRequest(request)
+ const frontendUrl = await domainHelper.getPublicUrl({ platformId })
+ const targetOrigin = new URL(frontendUrl).origin
 return reply .type('text/html') .send( ` Redirect succuesfully, this window should close now`, + )}' },'${targetOrigin}')} Redirect successfully, this window should close now`, ) } },
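Review bot: `window.location.origin` as the targetOrigin (the `+` line of the redirect.tsx hunk) assumes the window that opened this page is same-origin with it; when the opener runs on a different host — the custom-domain, multi-tenant case the commit message itself raises — the browser silently discards the message and the opener's `getCode` listener never resolves, so the failure is safe but invisible. The assumption deserves a comment above the call, e.g. `// The opener must be same-origin; postMessage discards the code otherwise.`, and if a cross-origin opener is a supported deployment the expected origin should come from configuration rather than from the page's own origin. RedirectPage's body starts outside the hunk, so whether `window.opener` is null-checked before the call is not visible here.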
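Review bot: `new URL(frontendUrl).origin` in the third added line throws a TypeError whenever `domainHelper.getPublicUrl` yields something that is not an absolute URL (a bare host from platform configuration, for instance), which in this handler surfaces as an unhandled error instead of the controlled `reply.send(...)` path used for the missing-code case two lines above; guard it, `let targetOrigin: string; try { targetOrigin = new URL(frontendUrl).origin } catch { return reply.status(500).send('Invalid frontend URL for platform') }`, or validate the configured URL once at startup. Because the value is interpolated into the inline script as `'${targetOrigin}'`, the line also warrants a comment that only the URL origin (scheme, host, port — no quote characters possible) may be embedded there, `// Only the URL origin is embedded; never interpolate the raw frontendUrl into this script`, so a later edit does not reintroduce script injection via a configured URL. The enclosing `setupApp` route handler starts outside the hunk.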
From a7f4aa0774d34e6f10bc2e9e7a0db6dcdf30612f Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Wed, 11 Mar 2026 08:11:34 +0000 Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Fix=20i?= =?UTF-8?q?nsecure=20postMessage=20origin=20in=20OAuth=20redirects?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR addresses a security vulnerability where `window.postMessage` was using a wildcard origin (`'*'`) or loose validation (`startsWith`), potentially leaking OAuth authorization codes to malicious origins. Key changes: - Restricted `targetOrigin` in server-side `/redirect` route to the platform's public frontend origin. - Restricted `targetOrigin` in client-side `RedirectPage` to `window.location.origin`. - Improved `postMessage` listener in `oauth2-utils.ts` to use strict origin equality and moved origin calculation for better performance/robustness. - Fixed a typo in the server response message. - Added missing import for `platformUtils` in `app.ts`. Closes #security-sentinel-01 (Sentinel security enhancement) Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com> --- packages/react-ui/src/lib/oauth2-utils.ts | 3 ++- packages/server/api/src/app/app.ts | 1 + 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/react-ui/src/lib/oauth2-utils.ts b/packages/react-ui/src/lib/oauth2-utils.ts
index 7b9ca004e9..f427eae4b2 100644
--- a/packages/react-ui/src/lib/oauth2-utils.ts
+++ b/packages/react-ui/src/lib/oauth2-utils.ts
@@ -73,10 +73,11 @@ function constructUrl(params: OAuth2PopupParams, pckeChallenge: string) {
 function getCode(redirectUrl: string): Promise {
 return new Promise((resolve) => {
+ const expectedOrigin = redirectUrl ? new URL(redirectUrl).origin : null;
 window.addEventListener('message', function handler(event) {
 if (
 redirectUrl &&
- redirectUrl.startsWith(event.origin) &&
+ event.origin === expectedOrigin &&
 event.data['code']
 ) {
 resolve(decodeURIComponent(event.data.code));
diff --git a/packages/server/api/src/app/app.ts b/packages/server/api/src/app/app.ts
index 684c497ca5..f0627db6c7 100644
--- a/packages/server/api/src/app/app.ts
+++ b/packages/server/api/src/app/app.ts
@@ -82,6 +82,7 @@ import { pieceMetadataServiceHooks } from './pieces/piece-metadata-service/hooks
 import { pieceSyncService } from './pieces/piece-sync-service'
 import { platformModule } from './platform/platform.module'
 import { platformService } from './platform/platform.service'
+import { platformUtils } from './platform/platform.utils'
 import { projectHooks } from './project/project-hooks'
 import { projectModule } from './project/project-module'
 import { storeEntryModule } from './store-entry/store-entry.module'
From 2e6528e46aadb5b971bc3c7cf25a6ab8f0c20f64 Mon Sep 17 00:00:00 2001
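Review bot: `event.origin === expectedOrigin` (the second `+` line) authenticates the sending origin but not the sending window, so any same-origin document that holds a reference to this page — another tab or frame of the same site — can still satisfy the listener; if the popup handle returned by `window.open` is reachable here (the popup is opened outside this hunk, so this is inferred), add `event.source === popup &&` to the condition so only that window can deliver the code. The condition also reads `event.data['code']` before checking that `event.data` is an object, so an unrelated message with a `null` or `undefined` payload throws inside the handler; `typeof event.data === 'object' && event.data !== null &&` ahead of that access keeps a stray broadcast from breaking it. getCode continues past the end of the hunk, so whether `handler` is removed once the promise resolves is not visible here.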
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Wed, 11 Mar 2026 08:21:37 +0000 Subject: [PATCH 3/4] fix(security): restrict postMessage target origin in OAuth redirects Restricted the target origin of `window.postMessage` in both server-side and client-side OAuth redirect handlers. Using a wildcard origin (`'*'`) or loose validation (`startsWith`) is insecure as it allows sensitive authorization codes to be intercepted by malicious origins. - In `packages/server/api/src/app/app.ts`, the `/redirect` route now resolves the platform-specific frontend origin. - In `packages/react-ui/src/app/routes/redirect.tsx`, the `targetOrigin` is restricted to `window.location.origin`. - Improved `postMessage` listener in `oauth2-utils.ts` to use strict origin equality and moved origin calculation for better performance/robustness. - Fixed a typo in the server response message. - Added missing import for `platformUtils` in `app.ts`. Closes #1 Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com> From 8013e62517e31a9fab1a3f310e5ddcfc0acfe225 Mon Sep 17 00:00:00 2001 
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Wed, 11 Mar 2026 08:25:11 +0000 Subject: [PATCH 4/4] fix(security): restrict postMessage target origin in OAuth redirects Restricted the target origin of `window.postMessage` in both server-side and client-side OAuth redirect handlers. Using a wildcard origin (`'*'`) or loose validation (`startsWith`) is insecure as it allows sensitive authorization codes to be intercepted by malicious origins. - In `packages/server/api/src/app/app.ts`, the `/redirect` route now resolves the platform-specific frontend origin. - In `packages/react-ui/src/app/routes/redirect.tsx`, the `targetOrigin` is restricted to `window.location.origin`. - Improved `postMessage` listener in `oauth2-utils.ts` to use strict origin equality and added error handling for URL parsing. - Fixed a typo in the server response message. - Added missing import for `platformUtils` in `app.ts`. Closes #1 Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com> --- packages/react-ui/src/lib/oauth2-utils.ts | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/packages/react-ui/src/lib/oauth2-utils.ts b/packages/react-ui/src/lib/oauth2-utils.ts
index f427eae4b2..2a99daace2 100644
--- a/packages/react-ui/src/lib/oauth2-utils.ts
+++ b/packages/react-ui/src/lib/oauth2-utils.ts
@@ -73,10 +73,17 @@ function constructUrl(params: OAuth2PopupParams, pckeChallenge: string) {
 function getCode(redirectUrl: string): Promise {
 return new Promise((resolve) => {
- const expectedOrigin = redirectUrl ? new URL(redirectUrl).origin : null;
+ let expectedOrigin: string | null = null;
+ try {
+ expectedOrigin = redirectUrl ? new URL(redirectUrl).origin : null;
+ } catch (e) {
+ console.error('Invalid redirectUrl', redirectUrl, e);
+ }
+
 window.addEventListener('message', function handler(event) {
 if (
 redirectUrl &&
+ expectedOrigin &&
 event.origin === expectedOrigin &&
 event.data['code']
 ) {