DuCanhGH / next-pwa

PWA for Next.js, powered by Workbox.
https://ducanh-next-pwa.vercel.app
MIT License

[Bug - next-pwa]: Security issue when analyzing with SonarQube #164

Open gintoki05 opened 1 week ago

gintoki05 commented 1 week ago

Provide environment information

Next js 14 "@ducanh2912/next-pwa": "^10.2.9",

Link to reproduction - Issues with a link to complete (but minimal) reproduction code help us address them faster

Sorry, I don't understand this.

To reproduce

Deploy with Docker to GitLab and auto-analyze with SonarQube.

Describe the bug

I got a security issue when deploying in GitLab and analyzing with SonarQube:

Verify the origin of the received message.

and this is why the issue appears:

Browsers allow message exchanges between Window objects of different origins.

Because any window can send or receive messages from another window, it is important to verify the sender's/receiver's identity:

- When sending a message with the postMessage method, the receiver's identity should be defined (the wildcard keyword (*) should not be used).
- When receiving a message with a message event, the sender's identity should be verified using the origin and possibly source properties.

Noncompliant Code Example

When sending a message:

```js
var iframe = document.getElementById("testiframe");
iframe.contentWindow.postMessage("secret", "*"); // Noncompliant: * is used
```

When receiving a message:

```js
window.addEventListener("message", function(event) { // Noncompliant: no checks are done on the origin property.
  console.log(event.data);
});
```

Compliant Solution

When sending a message:

```js
var iframe = document.getElementById("testsecureiframe");
iframe.contentWindow.postMessage("hello", "https://secure.example.com"); // Compliant
```

When receiving a message:

```js
window.addEventListener("message", function(event) {
  if (event.origin !== "http://example.org") // Compliant
    return;

  console.log(event.data);
});
```

See

- OWASP Top 10 2021 Category A1 - Broken Access Control
- OWASP Top 10 2017 Category A2 - Broken Authentication
- developer.mozilla.org - postMessage API
- MITRE, CWE-345 - Insufficient Verification of Data Authenticity

Expected behavior

No security issue appears in SonarQube.

Screenshots (if relevant)

No response

Additional information (if relevant)

No response
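The SonarQube rule quoted above shows the check only as a single string comparison. The following is an added example, written for this issue and not code from next-pwa, Workbox or the original poster, of how a practitioner would typically implement both sides of the rule: an allow-list of exact origins on the receiving side, a refusal to use the `*` wildcard on the sending side, and the two ways the receiving check is commonly got wrong (prefix/substring matching, and not accounting for the literal `"null"` origin that sandboxed iframes deliver). The origins `https://secure.example.com` and `https://app.example.org`, the `{ type, payload }` message shape, and the sample events are all constructed for illustration. It runs under Node with plain event-like objects; the browser wiring is shown in a comment.

```javascript
// Added example for this issue; not code from next-pwa or Workbox.
// Origins, message shape and sample events below are assumptions.

const TRUSTED_ORIGINS = new Set([
  "https://secure.example.com", // assumed trusted embedder
  "https://app.example.org",    // assumed trusted peer window
]);

// Noncompliant: prefix matching on the origin is bypassable by an
// attacker-controlled host such as https://secure.example.com.evil.tld.
function naiveAccepts(event) {
  return typeof event.origin === "string" &&
    event.origin.startsWith("https://secure.example.com");
}

// Compliant: exact match of the serialized origin (scheme + host + port)
// against the allow-list. Returns the accepted message, or null if rejected.
function handleMessage(event) {
  // A sandboxed iframe without allow-same-origin has an opaque origin that
  // serializes to the string "null"; it never matches an allow-listed
  // origin, so it is rejected here as well.
  if (typeof event.origin !== "string" || !TRUSTED_ORIGINS.has(event.origin)) {
    return null;
  }
  // Even from a trusted origin, validate the shape before acting on it.
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.type !== "string") {
    return null;
  }
  return { type: data.type, payload: data.payload };
}

// Sender side: refuse the wildcard targetOrigin the rule flags and only
// post to allow-listed origins. `win` is any object with a
// postMessage(data, targetOrigin) method (a Window in the browser).
function sendTo(win, data, targetOrigin) {
  if (targetOrigin === "*" || !TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing to postMessage to untrusted targetOrigin: " + targetOrigin);
  }
  win.postMessage(data, targetOrigin);
  return targetOrigin;
}

// Browser wiring (not executed under Node):
// window.addEventListener("message", (event) => {
//   const msg = handleMessage(event);
//   if (msg) { /* act on msg.type / msg.payload */ }
// });

// Constructed sample events, not captured from a real page.
const sampleEvents = [
  { origin: "https://secure.example.com", data: { type: "token", payload: "abc" } },
  { origin: "https://secure.example.com.evil.tld", data: { type: "token", payload: "stolen" } },
  { origin: "http://secure.example.com", data: { type: "token", payload: "downgrade" } },
  { origin: "null", data: { type: "token", payload: "sandboxed" } },
  { origin: "https://app.example.org", data: "not an object" },
];

// Runs every sample through both checks so the difference is visible.
function runSamples() {
  return sampleEvents.map((ev) => ({
    origin: ev.origin,
    naive: naiveAccepts(ev),
    strict: handleMessage(ev) !== null,
  }));
}

for (const r of runSamples()) {
  console.log(r.origin, "naive:", r.naive, "strict:", r.strict);
}
```

Note that the rule's compliant receiver compares against `http://example.org`; in practice the allow-list should hold the exact `https://` origins you embed or are embedded by, since an `http://` entry would accept a message sent from the downgraded, interceptable origin as well.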

DuCanhGH commented 2 days ago

@gintoki05 not sure if this is related to next-pwa. Where does that code come from? Surely not Workbox, right? Also, those seem to be easy-to-fix errors—just do as it instructs you to.

gintoki05 commented 2 days ago

I think it's from Workbox, so I'm moving to Serwist now.