dart-lang / dart-pad

An online Dart editor with support for console, web, and Flutter apps
https://dartpad.dev
BSD 3-Clause "New" or "Revised" License

DartPad hijacking #2994

Open NDevTK opened 3 months ago

NDevTK commented 3 months ago

What happened?

Attacker code is injected onto the docs.flutter.dev dart-pad embed.

Steps to reproduce problem

const w = open('https://docs.flutter.dev/cookbook/effects/staggered-menu-animation#interactive-example');
setTimeout(() => {
  w[0].postMessage({sourceCode: ':)', type: 'sourceCode'}, '*')
}, 1000)

Additional info

I did think about making a PR in https://github.com/dart-lang/dart-pad/pull/2993 but made a mess instead. I think the fix is to only allow DartPad injection from window.parent for both code and error logs.

brainwo commented 3 months ago

I don't quite follow this; how does one take advantage of this?

It looks like a harmless little fun thing for someone to edit the source code on their own client side via JavaScript.

NDevTK commented 3 months ago

The issue is that it's not their own; it's https://docs.flutter.dev, which is cross-site to the attacker's page.

brainwo commented 3 months ago

Well, yeah, someone could make this happen when they write a blog that links to docs.flutter.dev.

But:

NDevTK commented 3 months ago

Popups are allowed by default in most browsers after user activation, such as a click. (This avoids a website being able to spam the user with popups.)

In itself maybe harmless, hence the public issue; however, it's a spoofing risk if the user trusts content on docs.flutter.dev with an API key.

johnpryan commented 3 months ago

I think the solution here would be to restrict what code can be injected into the execution iframe, not the DartPad embedded iframe.
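One way to implement the parent-only check proposed in this thread, as an added example that is not DartPad's own code: the accept-anything check beside a hardened handler that requires `event.source` to be the embedding parent window and additionally allowlists the parent origin. `isTrustedEditorMessage`, `createEditorMessageHandler` and the allowlist are hypothetical names; the event objects are constructed so the block runs without a browser.

```javascript
// Added example, not DartPad's own code. Function names are hypothetical;
// the {type: 'sourceCode'} message shape is the one from the report.

// Constructed allowlist of origins expected to embed the editor.
const ALLOWED_PARENT_ORIGINS = new Set(['https://docs.flutter.dev']);

// Weak check: any window with a reference to the frame (e.g. an opener) can post code.
function acceptsAnySource(event) {
  return Boolean(event && event.data && event.data.type === 'sourceCode');
}

// Hardened check: sender must be the parent window itself, with an allowlisted origin.
function isTrustedEditorMessage(event, parentWindow, allowedOrigins) {
  if (!event || typeof event.data !== 'object' || event.data === null) return false;
  if (event.source !== parentWindow) return false;     // rejects opener, siblings
  if (!allowedOrigins.has(event.origin)) return false; // rejects unexpected hosts
  if (event.data.type !== 'sourceCode') return false;
  return typeof event.data.sourceCode === 'string';
}

// Applies the check before touching the editor; rejections are kept for logging.
function createEditorMessageHandler(parentWindow, allowedOrigins, setSource) {
  const rejected = [];
  const handler = (event) => {
    const ok = isTrustedEditorMessage(event, parentWindow, allowedOrigins);
    if (ok) setSource(event.data.sourceCode);
    else rejected.push({ origin: event && event.origin });
    return ok;
  };
  handler.rejected = rejected;
  return handler;
}

// Constructed scenario: real parent, an unrelated window (like an opener), parent with wrong origin.
function demo() {
  const parentFrame = { name: 'docs-page' };
  const otherWindow = { name: 'unrelated-page' };
  let current = 'void main() {}';
  const handler = createEditorMessageHandler(parentFrame, ALLOWED_PARENT_ORIGINS, (s) => { current = s; });
  const msg = (source, origin, sourceCode) => ({ source, origin, data: { type: 'sourceCode', sourceCode } });
  return {
    fromParent: handler(msg(parentFrame, 'https://docs.flutter.dev', 'print(1);')),
    fromOther: handler(msg(otherWindow, 'https://other.example', ':)')),
    wrongOrigin: handler(msg(parentFrame, 'https://other.example', ':)')),
    weakWouldAccept: acceptsAnySource(msg(otherWindow, 'https://other.example', ':)')),
    rejectedCount: handler.rejected.length,
    current,
  };
}
```

In a real embed, `parentWindow` is `window.parent` and the handler is registered with `window.addEventListener('message', handler)`; a `*` target origin on the sender side is irrelevant once the receiver checks source and origin.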