From 97e544be16cb61b9b28b9fe32ec7cd3bc30c9735 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 16 Mar 2026 07:54:15 +0000
Subject: [PATCH 1/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]?=
 =?UTF-8?q?=20Fix=20insecure=20postMessage=20target=20origin=20and=20origi?=
 =?UTF-8?q?n=20verification?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Restrict postMessage target origin in backend `/redirect` endpoint to the platform's public origin.
- Use strict equality for origin verification in frontend OAuth2 utility.
- Fix typo in redirect message.

Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>
---
 .jules/sentinel.md | 9 +++++++++
 packages/react-ui/src/lib/oauth2-utils.ts | 3 ++-
 packages/server/api/src/app/app.ts | 6 +++++-
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000000..8e327b4723
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,9 @@
+## 2025-05-14 - [Insecure postMessage Target Origin in OAuth Redirect]
+**Vulnerability:** The OAuth `/redirect` endpoint used `window.postMessage` with a wildcard (`'*'`) target origin, allowing any origin to intercept the authorization code.
+**Learning:** In a multi-platform environment like Activepieces, the correct target origin must be resolved dynamically using the platform context to ensure the code is only sent to the trusted frontend.
+**Prevention:** Always use `platformUtils.getPlatformIdForRequest(request)` and `domainHelper.getPublicUrl({ platformId })` to resolve the specific origin for `postMessage`.
+
+## 2025-05-14 - [Improper Origin Verification in Frontend OAuth Utility]
+**Vulnerability:** The frontend `getCode` function used `startsWith` to verify the origin of `postMessage` events, which could be bypassed (e.g., `https://trusted.com.malicious.com` starts with `https://trusted.com`).
+**Learning:** `startsWith` is insufficient for origin verification.
+**Prevention:** Always use strict equality (`===`) for origin comparison and extract the origin component correctly using `new URL(url).origin`.
diff --git a/packages/react-ui/src/lib/oauth2-utils.ts b/packages/react-ui/src/lib/oauth2-utils.ts
index 7b9ca004e9..f65ec9d5f8 100644
--- a/packages/react-ui/src/lib/oauth2-utils.ts
+++ b/packages/react-ui/src/lib/oauth2-utils.ts
@@ -72,11 +72,12 @@ function constructUrl(params: OAuth2PopupParams, pckeChallenge: string) {
 }
 
 function getCode(redirectUrl: string): Promise {
+ const expectedOrigin = new URL(redirectUrl).origin;
 return new Promise((resolve) => {
 window.addEventListener('message', function handler(event) {
 if (
 redirectUrl &&
- redirectUrl.startsWith(event.origin) &&
+ event.origin === expectedOrigin &&
 event.data['code']
 ) {
 resolve(decodeURIComponent(event.data.code));
diff --git a/packages/server/api/src/app/app.ts b/packages/server/api/src/app/app.ts
index 671220419f..ed9f5918ae 100644
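Review bot: `new URL(redirectUrl).origin` on the added line throws synchronously for an empty or relative `redirectUrl`, so `getCode` now fails with a thrown TypeError instead of the never-settling promise the old code produced, and the retained `redirectUrl &&` check inside the handler can no longer be false. Consider returning a rejected promise up front, `if (!redirectUrl) return Promise.reject(new Error('redirectUrl is required'));`, or parsing inside the executor so the failure surfaces through the promise. The handler also never unregisters itself, so after a successful exchange it keeps listening for later messages; `window.removeEventListener('message', handler);` before `resolve(...)` closes that. The exact-origin comparison is the right fix; if the caller holds the popup's window reference, also checking `event.source` against it binds the message to the window this code opened. getCode's body continues outside the hunk.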
--- a/packages/server/api/src/app/app.ts
+++ b/packages/server/api/src/app/app.ts
@@ -82,6 +82,7 @@ import { pieceMetadataServiceHooks } from './pieces/piece-metadata-service/hooks
 import { pieceSyncService } from './pieces/piece-sync-service'
 import { platformModule } from './platform/platform.module'
 import { platformService } from './platform/platform.service'
+import { platformUtils } from './platform/platform.utils'
 import { projectHooks } from './project/project-hooks'
 import { projectModule } from './project/project-module'
 import { storeEntryModule } from './store-entry/store-entry.module'
@@ -250,12 +251,15 @@ export const setupApp = async (app: FastifyInstance): Promise = return reply.send('The code is missing in url') } else { + const platformId = await platformUtils.getPlatformIdForRequest(request) + const publicUrl = await domainHelper.getPublicUrl({ platformId }) + const targetOrigin = new URL(publicUrl).origin return reply .type('text/html') .send( ` Redirect succuesfully, this window should close now`, + )}' }, '${targetOrigin}')} Redirect successfully, this window should close now`, ) } },
From 2fb9d3a097237b1a15c3c5277fc5bb82bbedb11c Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 16 Mar 2026 07:59:59 +0000
Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]?=
 =?UTF-8?q?=20Fix=20insecure=20postMessage=20target=20origin=20and=20origi?=
 =?UTF-8?q?n=20verification?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Restrict postMessage target origin in backend `/redirect` endpoint to the platform's public origin.
- Use strict equality for origin verification in frontend OAuth2 utility.
- Fix typo in redirect message.
- Ensure correct import order for linting.

Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>
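Review bot: `targetOrigin` is spliced into a single-quoted JavaScript string inside the inline HTML on the added `.send` line, so a `'` in the configured public URL would break out of the script; `${JSON.stringify(targetOrigin)}` in place of `'${targetOrigin}'` keeps it a string literal whatever it contains. The value comes from `domainHelper.getPublicUrl`, so this is platform configuration rather than request input, but if `getPlatformIdForRequest` resolves the platform from the incoming host, the chosen origin follows the host the provider redirected to — worth confirming that a request for an unresolvable platform fails here rather than falling back to a broader origin. `new URL(publicUrl)` throws on a malformed configured URL and nothing in the hunk catches it, which is acceptable if the surrounding route maps errors, but a comment stating the intent would help the next reader: `// Post the code only to this platform's own frontend origin; never widen to '*'.` The route handler enclosing this `else` branch starts outside the hunk.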
From 8679613042f9f64d94327f63b9b85ac1a471256c Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 16 Mar 2026 08:03:43 +0000
Subject: [PATCH 3/4] fix: secure postMessage target origin and origin verification

- Restrict postMessage target origin in backend `/redirect` endpoint to the platform's public origin.
- Use strict equality for origin verification in frontend OAuth2 utility.
- Fix typo in redirect message.
- Correct import order in `app.ts`.

Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>

From a96ffee04f60bc7770ce34cdc61f71f97957c6a6 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 16 Mar 2026 08:07:23 +0000
Subject: [PATCH 4/4] fix: secure postMessage target origin and origin verification

- Restrict postMessage target origin in backend `/redirect` endpoint.
- Use strict equality for origin verification in frontend OAuth utility.
- Fix typo in redirect message and correct import order.

Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>