Address review: restrict @HostListener handler to window/document message targets

Drop the plain 'message' event name from the @HostListener matcher. The postMessage 'message' event is dispatched on window and does not bubble, so an element-level @HostListener('message') does not receive cross-window messages. Keeping only 'window:message' and 'document:message' makes the model more precise and matches the accompanying comment and change note. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-26 23:27:06 +02:00 · 2026-06-22 21:35:21 -04:00
parent 9bffcf81b5
commit d1d9df7729
1 changed files with 2 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
@@ -197,13 +197,13 @@ class PostMessageEventHandler extends Function {
    )
    or
    // Angular's `@HostListener('window:message', ['$event'])` decorator registers
-    // a method as a `message` event handler on the global `window`/`document`
+    // a method as a `message` event handler on the global `window` or `document`
    // target.  The decorated method receives the `MessageEvent` as its first
    // parameter, so it is equivalent to `window.addEventListener('message', ...)`.
    exists(MethodDefinition method, DataFlow::CallNode decorator |
      decorator = DataFlow::moduleMember("@angular/core", "HostListener").getACall() and
      decorator = method.getADecorator().getExpression().flow() and
-      decorator.getArgument(0).mayHaveStringValue(["window:message", "document:message", "message"]) and
+      decorator.getArgument(0).mayHaveStringValue(["window:message", "document:message"]) and
      method.getBody() = this and
      paramIndex = 0
    )