mirror of
https://github.com/github/codeql.git
synced 2026-07-05 03:25:31 +02:00
Angular registers window message handlers via the
@HostListener('window:message', ['\']) decorator rather than
window.addEventListener('message', ...). The PostMessageEventHandler class
only modeled the addEventListener and window.onmessage forms, so the decorated
handler's event parameter was never treated as a message source. As a result,
js/missing-origin-check produced no alert and the event was not a client-side
remote flow source for downstream queries (e.g. client-side URL redirection).
Extend PostMessageEventHandler to also recognize methods decorated with
@HostListener for 'window:message', 'document:message', or 'message'.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
30 lines
977 B
TypeScript
30 lines
977 B
TypeScript
import { Component, HostListener } from '@angular/core';
|
|
|
|
@Component({ selector: 'app-root' })
|
|
class AngularComponent {
|
|
// Angular registers this as a `window` message handler via the decorator,
|
|
// equivalent to `window.addEventListener('message', ...)`.
|
|
@HostListener('window:message', ['$event'])
|
|
onWindowMessage(event: MessageEvent): void { // $ Alert - no origin check
|
|
eval(event.data);
|
|
}
|
|
|
|
@HostListener('document:message', ['$event'])
|
|
onDocumentMessage(event: MessageEvent): void { // $ Alert - no origin check
|
|
eval(event.data);
|
|
}
|
|
|
|
@HostListener('window:message', ['$event'])
|
|
onCheckedMessage(event: MessageEvent): void { // OK - has an origin check
|
|
if (event.origin === 'https://www.example.com') {
|
|
eval(event.data);
|
|
}
|
|
}
|
|
|
|
// Not a message event, so it is not a postMessage handler.
|
|
@HostListener('window:resize', ['$event'])
|
|
onResize(event: MessageEvent): void { // OK - not a message handler
|
|
eval(event.data);
|
|
}
|
|
}
|