Merge pull request #1878 from dequelabs/fix-1754-poison-postmessage

fix(respondable): ignore messages from other applications
dequelabs · Nov 6, 2019 · b04b594 · b04b594
2 parents de9885d + c79277e
commit b04b594
Show file tree

Hide file tree

Showing 8 changed files with 126 additions and 13 deletions.
diff --git a/lib/core/utils/respondable.js b/lib/core/utils/respondable.js
@@ -86,6 +86,12 @@
 			_keepalive: keepalive
 		};
 
+		var axeRespondables = axe._cache.get('axeRespondables');
+		if (!axeRespondables) {
+			axeRespondables = {};
+			axe._cache.set('axeRespondables', axeRespondables);
+		}
+		axeRespondables[uuid] = true;
 		if (typeof callback === 'function') {
 			messages[uuid] = callback;
 		}
@@ -213,6 +219,18 @@
 
 				var uuid = data.uuid;
 
+				/**
+				 * NOTE: messages from other contexts (frames) in response
+				 * to a message should not contain a topic. We ignore these
+				 * messages to prevent rogue postMessage handlers reflecting
+				 * our messages.
+				 * @see https://github.com/dequelabs/axe-core/issues/1754
+				 */
+				var axeRespondables = axe._cache.get('axeRespondables') || {};
+				if (axeRespondables[uuid] && data.topic && e.source !== window) {
+					return;
+				}
+
 				var keepalive = data._keepalive;
 				var callback = messages[uuid];
 
@@ -230,7 +248,7 @@
 					try {
 						publish(e.source, data, keepalive);
 					} catch (err) {
-						post(e.source, data.topic, err, uuid, false);
+						post(e.source, null, err, uuid, false);
 					}
 				}
 			},

diff --git a/test/core/public/run.js b/test/core/public/run.js
@@ -534,4 +534,46 @@ describe('axe.run iframes', function() {
 		frame.src = '../mock/frames/test.html';
 		fixture.appendChild(frame);
 	});
+
+	it('ignores unexpected messages from non-axe iframes', function(done) {
+		var frame = document.createElement('iframe');
+
+		frame.addEventListener('load', function() {
+			var safetyTimeout = window.setTimeout(function() {
+				done('timeout');
+			}, 1000);
+
+			axe.run('#fixture', {}, function(err, result) {
+				assert.isNull(err);
+				assert.equal(result.violations.length, 1);
+				window.clearTimeout(safetyTimeout);
+				done();
+			});
+		});
+
+		frame.src = '../mock/frames/with-echo.html';
+		fixture.appendChild(frame);
+	});
+
+	it('ignores unexpected messages from axe iframes', function(done) {
+		var frame = document.createElement('iframe');
+
+		frame.addEventListener('load', function() {
+			var safetyTimeout = window.setTimeout(function() {
+				done('timeout');
+			}, 1000);
+			if (!axe._audit) {
+				throw new Error('no _audit');
+			}
+			axe.run('#fixture', {}, function(err, result) {
+				assert.isNull(err);
+				assert.equal(result.violations.length, 1);
+				window.clearTimeout(safetyTimeout);
+				done();
+			});
+		});
+
+		frame.src = '../mock/frames/with-echo-axe.html';
+		fixture.appendChild(frame);
+	});
 });
diff --git a/test/core/utils/respondable.js b/test/core/utils/respondable.js
@@ -118,7 +118,6 @@ describe('axe.utils.respondable', function() {
 		event.data = JSON.stringify({
 			_respondable: true,
 			_source: 'axeAPI.2.0.0',
-			topic: 'Death star',
 			message: 'Help us Obi-Wan',
 			uuid: mockUUID
 		});
@@ -140,7 +139,6 @@ describe('axe.utils.respondable', function() {
 		event.data = JSON.stringify({
 			_respondable: true,
 			_source: 'axeAPI.x.y.z',
-			topic: 'Death star',
 			message: 'Help us Obi-Wan',
 			uuid: mockUUID
 		});
@@ -164,7 +162,6 @@ describe('axe.utils.respondable', function() {
 		event.data = JSON.stringify({
 			_respondable: true,
 			_source: 'axeAPI.2.0.0',
-			topic: 'Death star',
 			message: 'Help us Obi-Wan',
 			uuid: mockUUID
 		});
@@ -189,7 +186,6 @@ describe('axe.utils.respondable', function() {
 		event.data = JSON.stringify({
 			_respondable: true,
 			_source: 'axeAPI.2.0.0',
-			topic: 'Death star',
 			message: 'Help us Obi-Wan',
 			uuid: mockUUID
 		});
@@ -210,7 +206,6 @@ describe('axe.utils.respondable', function() {
 		event.initEvent('message', true, true);
 		event.data = {
 			_respondable: true,
-			topic: 'batman',
 			uuid: mockUUID
 		};
 		event.source = window;
@@ -230,7 +225,6 @@ describe('axe.utils.respondable', function() {
 		event.data =
 			JSON.stringify({
 				_respondable: true,
-				topic: 'batman',
 				uuid: mockUUID
 			}) + 'joker tricks!';
 		event.source = window;
@@ -249,8 +243,7 @@ describe('axe.utils.respondable', function() {
 		event.initEvent('message', true, true);
 		event.data = '{ "_respondable": true, "topic": "batman" }';
 		event.data = JSON.stringify({
-			_respondable: true,
-			topic: 'batman'
+			_respondable: true
 		});
 		event.source = window;
 
@@ -269,7 +262,6 @@ describe('axe.utils.respondable', function() {
 		event.data = '{ "_respondable": true, "topic": "batman", "uuid": "12" }';
 		event.data = JSON.stringify({
 			_respondable: true,
-			topic: 'batman',
 			uuid: 'not-' + mockUUID
 		});
 		event.source = window;
@@ -288,7 +280,6 @@ describe('axe.utils.respondable', function() {
 		event.initEvent('message', true, true);
 		event.data = '{ "uuid": "48", "topic": "batman" }';
 		event.data = JSON.stringify({
-			topic: 'batman',
 			uuid: mockUUID
 		});
 		event.source = window;
@@ -308,7 +299,6 @@ describe('axe.utils.respondable', function() {
 		event.data = JSON.stringify({
 			_respondable: true,
 			_source: 'axeAPI.2.0.0',
-			topic: 'Death star',
 			error: {
 				name: 'ReferenceError',
 				message: 'The exhaust port is open!',
@@ -337,7 +327,6 @@ describe('axe.utils.respondable', function() {
 		event.data = JSON.stringify({
 			_respondable: true,
 			_source: 'axeAPI.2.0.0',
-			topic: 'Death star',
 			error: {
 				name: 'evil',
 				message: 'The exhaust port is open!',

diff --git a/test/mock/frames/responder.html b/test/mock/frames/responder.html
@@ -11,6 +11,7 @@
 				version: '2.0.0'
 			};
 		</script>
+		<script src="../../../tmp/core/base/cache.js"></script>
 		<script src="../../../lib/core/utils/respondable.js"></script>
 
 		<script>

diff --git a/test/mock/frames/results-timeout.html b/test/mock/frames/results-timeout.html
@@ -11,6 +11,7 @@
 				version: '2.0.0'
 			};
 		</script>
+		<script src="../../../tmp/core/base/cache.js"></script>
 		<script src="../../../lib/core/utils/respondable.js"></script>
 
 		<script>

diff --git a/test/mock/frames/throwing.html b/test/mock/frames/throwing.html
@@ -11,6 +11,7 @@
 				version: '2.0.0'
 			};
 		</script>
+		<script src="../../../tmp/core/base/cache.js"></script>
 		<script src="../../../lib/core/utils/respondable.js"></script>
 
 		<script>

diff --git a/test/mock/frames/with-echo-axe.html b/test/mock/frames/with-echo-axe.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+	<head>
+		<title>Echo frame with axe-core</title>
+		<meta charset="utf8" />
+		<script src="../../../axe.js"></script>
+		<script>
+			// sync this rule to the one in test/core/public/run.js
+			axe._load({
+				rules: [
+					{
+						id: 'html',
+						selector: '#target',
+						none: ['fred']
+					}
+				],
+				checks: [
+					{
+						id: 'fred',
+						evaluate: function() {
+							return true;
+						}
+					}
+				]
+			});
+		</script>
+	</head>
+	<body>
+		<h1>Frame with axe-core</h1>
+		<div id="target">Target in iframe</div>
+		<script>
+			window.addEventListener(
+				'message',
+				function(event) {
+					window.top.postMessage(event.data, '*');
+				},
+				false
+			);
+		</script>
+	</body>
+</html>
diff --git a/test/mock/frames/with-echo.html b/test/mock/frames/with-echo.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+	<head>
+		<title>Echo frame without axe-core</title>
+		<meta charset="utf8" />
+	</head>
+	<body>
+		<h1>Frame without axe-core</h1>
+		<div id="target">Target in iframe</div>
+		<script>
+			window.addEventListener(
+				'message',
+				function(event) {
+					window.top.postMessage(event.data, '*');
+				},
+				false
+			);
+		</script>
+	</body>
+</html>