Skip to content

fix(iframe-app): harden Frame Blade auth-token handling (CodeQL js/user-controlled-bypass)#9372

Open
rllyy97 wants to merge 2 commits into
mainfrom
rllyy97-fix-code-scanning-88
Open

fix(iframe-app): harden Frame Blade auth-token handling (CodeQL js/user-controlled-bypass)#9372
rllyy97 wants to merge 2 commits into
mainfrom
rllyy97-fix-code-scanning-88

Conversation

@rllyy97

@rllyy97 rllyy97 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Commit Type

  • feature - New functionality
  • fix - Bug fix
  • refactor - Code restructuring without behavior change
  • perf - Performance improvement
  • docs - Documentation update
  • test - Test-related changes
  • chore - Maintenance/tooling

Risk Level

  • Low - Minor changes, limited scope
  • Medium - Moderate changes, some user impact
  • High - Major changes, significant user/system impact

What & Why

Fixes code scanning alert #88js/user-controlled-bypass (CWE-807 / CWE-290, "User-controlled bypass of security check", severity high).

The alert flagged the authToken branch of useFrameBlade (apps/iframe-app/src/lib/hooks/useFrameBlade.ts): a security-sensitive action (onAuthTokenReceived) was gated by a positive conditional (if (msg.data && onAuthTokenReceived)) whose truthiness depends on the postMessage payload (msg.data).

The handling is rewritten as payload validation expressed as an early-return guard clause, running after the existing origin and signature trust checks:

case 'authToken': {
  if (!onAuthTokenReceived || typeof msg.data !== 'string' || msg.data.length === 0) {
    return;
  }
  onAuthTokenReceived(msg.data);
  break;
}

What the guard actually does: it validates the payload — the token must be a non-empty string and a handler must be present — before the token is forwarded. This is still (appropriately) conditional on the payload; the change is the shape of the check (validate-then-return-early) rather than removing the payload dependency.

Why this resolves the alert: CodeQL's ConditionalBypass query excludes early-abort guard nodes (isEarlyAbortGuardNode) — an if whose then-branch returns/throws, with no else, guarding an action outside the if. Expressing the payload check as a guard clause matches that exclusion, so CodeQL no longer reports it as a user-controlled bypass.

Trust checks are unchanged: the actual trust decision still happens earlier in the handler — messages are only processed if evt.origin exactly matches the allow-list-validated trustedParentOrigin (validated in config-parser.ts against ALLOWED_PORTAL_AUTHORITIES) and carry the FxFrameBlade signature. This PR adds payload validation on top of those checks; it does not alter them.

Impact of Change

  • Users: No user-facing change. Valid Azure Portal auth-token hand-off behaves identically; only malformed/empty payloads are now rejected up front.
  • Developers: authToken handling in useFrameBlade is now a guard clause; behavior is covered by existing unit tests.
  • System: Resolves one high-severity CodeQL alert. No new dependencies, no API or architecture changes.

Test Plan

  • Unit tests added/updated
  • E2E tests added/updated
  • Manual testing completed
  • Tested in: apps/iframe-app unit tests + Biome + tsc --noEmit
    • useFrameBlade.test.ts11/11 passing (includes the auth-token case)
    • useFrameBlade.chatHistory.test.ts5/5 passing
    • Biome check: clean
    • tsc --noEmit: no new errors in useFrameBlade.ts (pre-existing unrelated test-file errors remain)

Contributors

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

Screenshots/Videos

N/A — no visual changes.

…er-controlled-bypass)

Code scanning alert #88 (CWE-807/CWE-290, js/user-controlled-bypass) flagged the
authToken branch in useFrameBlade because a sensitive action (onAuthTokenReceived)
was gated by a positive conditional driven by attacker-controllable postMessage data.

Convert the handling to an early-return guard clause and validate the payload
(non-empty string) before invoking the callback. The real security decision remains
the trusted-origin check (evt.origin vs. the allow-list-validated trustedParentOrigin)
performed earlier in the handler. The early-return guard is recognized by CodeQL's
isEarlyAbortGuardNode exclusion, clearing the alert without weakening any control.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 7, 2026 17:14
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: fix(iframe-app): harden Frame Blade auth-token handling (CodeQL js/user-controlled-bypass)
  • Issue: None — the title is specific, descriptive, and clearly communicates the scope and motivation.
  • Recommendation: No change needed.

Commit Type

  • Properly selected (fix).
  • Only one commit type is selected, which matches the change.

Risk Level

  • The selected risk level (Low) matches the size and impact of the code change. The diff is small and scoped to auth-token message handling.

What & Why

  • Current: Clear explanation of the CodeQL alert, the guard-clause refactor, and why the change is safe.
  • Issue: None — this is detailed enough and well aligned with the code change.
  • Recommendation: No change needed.

Impact of Change

  • The impact section is present and appropriately describes user, developer, and system effects.
  • Recommendation:
    • Users: Good as written.
    • Developers: Good as written.
    • System: Good as written.

Test Plan

  • The test plan passes. Although the checkbox for “Unit tests added/updated” is not checked, the PR body clearly explains that existing unit tests already cover the branch, and the diff itself is a small security-hardening refactor with no new test code required. Manual testing and local validation were also documented.
  • No correction required.

Contributors

  • Co-author attribution is present.
  • No issues found.

Screenshots/Videos

  • Marked appropriately as not applicable for a non-visual change.
  • No issues found.

Summary Table

Section Status Recommendation
Title No change needed
Commit Type No change needed
Risk Level No change needed
What & Why No change needed
Impact of Change No change needed
Test Plan No change needed
Contributors No change needed
Screenshots/Videos No change needed

This PR passes review for title/body compliance. The advised risk level remains low, matching the submitter's selection.


Last updated: Tue, 07 Jul 2026 17:43:18 GMT

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the useFrameBlade hook’s handling of authToken postMessage events in the iframe app to address the CodeQL js/user-controlled-bypass alert by switching to an early-return guard and adding basic payload validation.

Changes:

  • Refactors the authToken switch branch to use an early-return guard clause (instead of a positive conditional).
  • Validates msg.data is a non-empty string before invoking onAuthTokenReceived.

Comment thread apps/iframe-app/src/lib/hooks/useFrameBlade.ts Outdated
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

📊 Coverage Check

🎉 All changed files have adequate test coverage!

@rllyy97 rllyy97 added the risk:low Low risk change with minimal impact label Jul 7, 2026
Reword the authToken code comment to avoid implying the token hand-off is
not gated on payload data. The block performs payload validation (non-empty
string + handler present) as an early-return guard clause, after the
origin/signature trust checks above. The guard-clause shape is also what
CodeQL's ConditionalBypass query recognizes as a safe early-abort guard.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

❌ PR Validation Error

An error occurred while validating your PR. Please try again later or contact the maintainers.

Error: API request failed with status 503

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

❌ PR Validation Error

An error occurred while validating your PR. Please try again later or contact the maintainers.

Error: API request failed with status 500

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

pr-validated risk:low Low risk change with minimal impact

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants