From 48e7c04d6c44ce06c5173b431276f17688432551 Mon Sep 17 00:00:00 2001
From: Glen Chiacchieri
Date: Fri, 25 Jun 2021 10:41:12 -0400
Subject: [PATCH] prevent DDOS, add security around window messaging

---
 ExtPay.dev.js | 14 ++++++++++++--
 dist/ExtPay.common.js | 14 ++++++++++++--
 dist/ExtPay.js | 14 ++++++++++++--
 dist/ExtPay.module.js | 14 ++++++++++++--
 package.json | 2 +-
 sample-extension/ExtPay.js | 14 ++++++++++++--
 6 files changed, 61 insertions(+), 11 deletions(-)

diff --git a/ExtPay.dev.js b/ExtPay.dev.js
index 90cfeb2..e429adf 100644
--- a/ExtPay.dev.js
+++ b/ExtPay.dev.js
@@ -9,8 +9,11 @@ import * as browser from 'webextension-polyfill';
 // and pass it on to the background page to query if the user has paid.
 if (typeof window !== 'undefined') {
 window.addEventListener('message', (event) => {
+ if (event.origin !== 'http://localhost:3000') return;
 if (event.source != window) return;
- browser.runtime.sendMessage(event.data) // event.data === 'fetch-user'
+ if (event.data === 'fetch-user') {
+ browser.runtime.sendMessage(event.data)
+ }
 }, false);
 }
@@ -190,14 +193,21 @@ You can copy and paste this to your manifest.json file to fix this error:
 }
+ var polling = false;
 async function poll_user() {
 // keep trying to fetch user in case stripe webhook is late
+ if (polling) return;
+ polling = true;
 var user = await fetch_user()
 for (var i=0; i < 2*60; ++i) {
- if (user.paidAt) return user;
+ if (user.paidAt) {
+ polling = false;
+ return user;
+ }
 await timeout(1000)
 user = await fetch_user()
 }
+ polling = false;
 }
 browser.runtime.onMessage.addListener(function(message, sender, send_response) {
diff --git a/dist/ExtPay.common.js b/dist/ExtPay.common.js
index 1c2e126..237afd8 100644
--- a/dist/ExtPay.common.js
+++ b/dist/ExtPay.common.js
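Review bot: The new `if (event.data === 'fetch-user')` guard silently drops every other message and the old `// event.data === 'fetch-user'` comment went with it, so the intent of the allow-list is no longer stated anywhere; a why-comment on the added line, `// only forward the single message the page is allowed to send; anything else is dropped so page-controlled data never reaches the background onMessage handler`, would preserve it. The dev build compares `event.origin` against `http://localhost:3000` while the four dist and sample copies compare against `https://extensionpay.com`; that looks intended for local development, but a comment on that line naming the origin the published build expects would make the divergence obvious to anyone editing the dev file. On the unchanged `if (event.source != window) return;` line, strict `!==` would match the `!==` used on the line added just above it. The same applies to the corresponding message-listener hunks in dist/ExtPay.common.js, dist/ExtPay.js, dist/ExtPay.module.js and sample-extension/ExtPay.js.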
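Review bot: `polling` is never reset if `fetch_user()` or `timeout()` rejects, because the flag is only cleared on the two normal exit paths in the new poll_user body; after one failed fetch (a network error, for example) every later `poll_user()` call hits `if (polling) return;` and the background page stops polling until it is reloaded. Resetting the flag in a `finally` block covers every exit with one statement and removes the duplicated `polling = false;`. Note also that the early `if (polling) return;` resolves to `undefined`, so whatever awaits `poll_user()` inside the `browser.runtime.onMessage` listener (whose body begins on the hunk's last line and continues outside it) presumably receives no user while a poll is already in flight — worth confirming the caller handles that. The same change applies to the poll_user hunks in dist/ExtPay.common.js, dist/ExtPay.js, dist/ExtPay.module.js and sample-extension/ExtPay.js.
```javascript
async function poll_user() {
    // keep trying to fetch user in case stripe webhook is late
    if (polling) return;
    polling = true;
    try {
        var user = await fetch_user()
        for (var i=0; i < 2*60; ++i) {
            if (user.paidAt) return user;
            await timeout(1000)
            user = await fetch_user()
        }
    } finally {
        // cleared on every exit path, including a rejected fetch_user()/timeout()
        polling = false;
    }
}
```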
@@ -9,8 +9,11 @@ var browser = require('webextension-polyfill');
 // and pass it on to the background page to query if the user has paid.
 if (typeof window !== 'undefined') {
 window.addEventListener('message', (event) => {
+ if (event.origin !== 'https://extensionpay.com') return;
 if (event.source != window) return;
- browser.runtime.sendMessage(event.data); // event.data === 'fetch-user'
+ if (event.data === 'fetch-user') {
+ browser.runtime.sendMessage(event.data);
+ }
 }, false);
 }
@@ -190,14 +193,21 @@ You can copy and paste this to your manifest.json file to fix this error:
 }
+ var polling = false;
 async function poll_user() {
 // keep trying to fetch user in case stripe webhook is late
+ if (polling) return;
+ polling = true;
 var user = await fetch_user();
 for (var i=0; i < 2*60; ++i) {
- if (user.paidAt) return user;
+ if (user.paidAt) {
+ polling = false;
+ return user;
+ }
 await timeout(1000);
 user = await fetch_user();
 }
+ polling = false;
 }
 browser.runtime.onMessage.addListener(function(message, sender, send_response) {
diff --git a/dist/ExtPay.js b/dist/ExtPay.js
index c1aa147..8dbd3c3 100644
--- a/dist/ExtPay.js
+++ b/dist/ExtPay.js
@@ -1238,8 +1238,11 @@ var ExtPay = (function () {
 // and pass it on to the background page to query if the user has paid.
 if (typeof window !== 'undefined') {
 window.addEventListener('message', (event) => {
+ if (event.origin !== 'https://extensionpay.com') return;
 if (event.source != window) return;
- browserPolyfill.runtime.sendMessage(event.data); // event.data === 'fetch-user'
+ if (event.data === 'fetch-user') {
+ browserPolyfill.runtime.sendMessage(event.data);
+ }
 }, false);
 }
@@ -1419,14 +1422,21 @@ You can copy and paste this to your manifest.json file to fix this error:
 }
+ var polling = false;
 async function poll_user() {
 // keep trying to fetch user in case stripe webhook is late
+ if (polling) return;
+ polling = true;
 var user = await fetch_user();
 for (var i=0; i < 2*60; ++i) {
- if (user.paidAt) return user;
+ if (user.paidAt) {
+ polling = false;
+ return user;
+ }
 await timeout(1000);
 user = await fetch_user();
 }
+ polling = false;
 }
 browserPolyfill.runtime.onMessage.addListener(function(message, sender, send_response) {
diff --git a/dist/ExtPay.module.js b/dist/ExtPay.module.js
index a57d4e8..3398d05 100644
--- a/dist/ExtPay.module.js
+++ b/dist/ExtPay.module.js
@@ -7,8 +7,11 @@ import { management, runtime, storage, windows } from 'webextension-polyfill';
 // and pass it on to the background page to query if the user has paid.
 if (typeof window !== 'undefined') {
 window.addEventListener('message', (event) => {
+ if (event.origin !== 'https://extensionpay.com') return;
 if (event.source != window) return;
- runtime.sendMessage(event.data); // event.data === 'fetch-user'
+ if (event.data === 'fetch-user') {
+ runtime.sendMessage(event.data);
+ }
 }, false);
 }
@@ -188,14 +191,21 @@ You can copy and paste this to your manifest.json file to fix this error:
 }
+ var polling = false;
 async function poll_user() {
 // keep trying to fetch user in case stripe webhook is late
+ if (polling) return;
+ polling = true;
 var user = await fetch_user();
 for (var i=0; i < 2*60; ++i) {
- if (user.paidAt) return user;
+ if (user.paidAt) {
+ polling = false;
+ return user;
+ }
 await timeout(1000);
 user = await fetch_user();
 }
+ polling = false;
 }
 runtime.onMessage.addListener(function(message, sender, send_response) {
diff --git a/package.json b/package.json
index 2ad7ec9..b6b5a4b 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "extpay",
- "version": "2.2.1",
+ "version": "2.3.0",
 "description": "The JavaScript library for https://extensionpay.com - payments for browser extensions, no server needed.",
 "main": "./dist/ExtPay.common.js",
 "module": "./dist/ExtPay.module.js",
diff --git a/sample-extension/ExtPay.js b/sample-extension/ExtPay.js
index c1aa147..8dbd3c3 100644
--- a/sample-extension/ExtPay.js
+++ b/sample-extension/ExtPay.js
@@ -1238,8 +1238,11 @@ var ExtPay = (function () {
 // and pass it on to the background page to query if the user has paid.
 if (typeof window !== 'undefined') {
 window.addEventListener('message', (event) => {
+ if (event.origin !== 'https://extensionpay.com') return;
 if (event.source != window) return;
- browserPolyfill.runtime.sendMessage(event.data); // event.data === 'fetch-user'
+ if (event.data === 'fetch-user') {
+ browserPolyfill.runtime.sendMessage(event.data);
+ }
 }, false);
 }
@@ -1419,14 +1422,21 @@ You can copy and paste this to your manifest.json file to fix this error:
 }
+ var polling = false;
 async function poll_user() {
 // keep trying to fetch user in case stripe webhook is late
+ if (polling) return;
+ polling = true;
 var user = await fetch_user();
 for (var i=0; i < 2*60; ++i) {
- if (user.paidAt) return user;
+ if (user.paidAt) {
+ polling = false;
+ return user;
+ }
 await timeout(1000);
 user = await fetch_user();
 }
+ polling = false;
 }
 browserPolyfill.runtime.onMessage.addListener(function(message, sender, send_response) {