fix(iframe-app): harden Frame Blade auth-token handling (CodeQL js/user-controlled-bypass)#9372
Open
rllyy97 wants to merge 2 commits into
Open
fix(iframe-app): harden Frame Blade auth-token handling (CodeQL js/user-controlled-bypass)#9372rllyy97 wants to merge 2 commits into
rllyy97 wants to merge 2 commits into
Conversation
…er-controlled-bypass) Code scanning alert #88 (CWE-807/CWE-290, js/user-controlled-bypass) flagged the authToken branch in useFrameBlade because a sensitive action (onAuthTokenReceived) was gated by a positive conditional driven by attacker-controllable postMessage data. Convert the handling to an early-return guard clause and validate the payload (non-empty string) before invoking the callback. The real security decision remains the trusted-origin check (evt.origin vs. the allow-list-validated trustedParentOrigin) performed earlier in the handler. The early-return guard is recognized by CodeQL's isEarlyAbortGuardNode exclusion, clearing the alert without weakening any control. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
🤖 AI PR Validation ReportPR Review ResultsThank you for your submission! Here's detailed feedback on your PR title and body compliance:✅ PR Title
✅ Commit Type
✅ Risk Level
✅ What & Why
✅ Impact of Change
✅ Test Plan
✅ Contributors
✅ Screenshots/Videos
Summary Table
This PR passes review for title/body compliance. The advised risk level remains
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the useFrameBlade hook’s handling of authToken postMessage events in the iframe app to address the CodeQL js/user-controlled-bypass alert by switching to an early-return guard and adding basic payload validation.
Changes:
- Refactors the
authTokenswitch branch to use an early-return guard clause (instead of a positive conditional). - Validates
msg.datais a non-empty string before invokingonAuthTokenReceived.
Contributor
📊 Coverage Check🎉 All changed files have adequate test coverage! |
Reword the authToken code comment to avoid implying the token hand-off is not gated on payload data. The block performs payload validation (non-empty string + handler present) as an early-return guard clause, after the origin/signature trust checks above. The guard-clause shape is also what CodeQL's ConditionalBypass query recognizes as a safe early-abort guard. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
❌ PR Validation ErrorAn error occurred while validating your PR. Please try again later or contact the maintainers. Error: API request failed with status 503 |
Contributor
❌ PR Validation ErrorAn error occurred while validating your PR. Please try again later or contact the maintainers. Error: API request failed with status 500 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit Type
Risk Level
What & Why
Fixes code scanning alert #88 —
js/user-controlled-bypass(CWE-807 / CWE-290, "User-controlled bypass of security check", severity high).The alert flagged the
authTokenbranch ofuseFrameBlade(apps/iframe-app/src/lib/hooks/useFrameBlade.ts): a security-sensitive action (onAuthTokenReceived) was gated by a positive conditional (if (msg.data && onAuthTokenReceived)) whose truthiness depends on thepostMessagepayload (msg.data).The handling is rewritten as payload validation expressed as an early-return guard clause, running after the existing origin and signature trust checks:
What the guard actually does: it validates the payload — the token must be a non-empty string and a handler must be present — before the token is forwarded. This is still (appropriately) conditional on the payload; the change is the shape of the check (validate-then-return-early) rather than removing the payload dependency.
Why this resolves the alert: CodeQL's
ConditionalBypassquery excludes early-abort guard nodes (isEarlyAbortGuardNode) — anifwhose then-branchreturns/throws, with noelse, guarding an action outside theif. Expressing the payload check as a guard clause matches that exclusion, so CodeQL no longer reports it as a user-controlled bypass.Trust checks are unchanged: the actual trust decision still happens earlier in the handler — messages are only processed if
evt.originexactly matches the allow-list-validatedtrustedParentOrigin(validated inconfig-parser.tsagainstALLOWED_PORTAL_AUTHORITIES) and carry theFxFrameBladesignature. This PR adds payload validation on top of those checks; it does not alter them.Impact of Change
authTokenhandling inuseFrameBladeis now a guard clause; behavior is covered by existing unit tests.Test Plan
apps/iframe-appunit tests + Biome +tsc --noEmituseFrameBlade.test.ts— 11/11 passing (includes the auth-token case)useFrameBlade.chatHistory.test.ts— 5/5 passingtsc --noEmit: no new errors inuseFrameBlade.ts(pre-existing unrelated test-file errors remain)Contributors
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com
Screenshots/Videos
N/A — no visual changes.