Added new example of an unsafe event.origin verification

2025-12-20 10:46:30 +01:00 · 2020-06-10 23:07:05 +02:00
parent ab65ec40c0
commit 92f9f320f9
1 changed files with 14 additions and 0 deletions
--- a/javascript/ql/src/experimental/Security/CWE-020/examples/postMessageInsufficientCheck.js
+++ b/javascript/ql/src/experimental/Security/CWE-020/examples/postMessageInsufficientCheck.js
@@ -0,0 +1,14 @@
+function postMessageHandler(event) {
+    let origin = event.origin.toLowerCase();
+
+    let host = window.location.host;
+
+    // BAD
+    if (origin.indexOf(host) === -1)
+        return;
+
+
+    eval(event.data);
+}
+
+window.addEventListener('message', postMessageHandler, false);