From 93413cedbe27852583516be5713a25cb1a9e2a48 Mon Sep 17 00:00:00 2001 From: Waldemar Mazurek Date: Wed, 9 Oct 2024 10:08:04 +0200 Subject: [PATCH] Fixes client HTML5 Information Exposure (#3978) --- container/src/services/container.service.ts | 11 +- .../test/services/container.service.spec.ts | 162 +++++++++--------- 2 files changed, 89 insertions(+), 84 deletions(-) diff --git a/container/src/services/container.service.ts b/container/src/services/container.service.ts index 5ac67c92a2..ac67dbcc20 100644 --- a/container/src/services/container.service.ts +++ b/container/src/services/container.service.ts @@ -22,6 +22,7 @@ export class ContainerService { */ sendCustomMessageToIframe(iframeHandle: any, msg: any, msgName?: string) { const messageName = msgName || 'custom'; + if (iframeHandle.iframe.contentWindow) { const iframeUrl = new URL(iframeHandle.iframe.src); messageName === 'custom' @@ -42,22 +43,25 @@ export class ContainerService { */ dispatch(msg: string, targetCnt: HTMLElement, data: any, callback?: Function, callbackName?: string): void { const customEvent = new CustomEvent(msg, { detail: data }); + if (callback && GenericHelperFunctions.isFunction(callback) && callbackName) { (customEvent as any)[callbackName] = data => { callback(data); }; } + targetCnt.dispatchEvent(customEvent); } /** * Retrieves the target container based on the event source. - * + * * @param event The event object representing the source of the container. - @returns {Object| undefined} The target container object or undefined if not found. + * @returns {Object| undefined} The target container object or undefined if not found. */ getTargetContainer(event) { let cnt; + globalThis.__luigi_container_manager.container.forEach(element => { if (element.iframeHandle?.iframe && element.iframeHandle.iframe.contentWindow === event.source) { cnt = element; @@ -113,7 +117,7 @@ export class ContainerService { }, authData: targetCnt.authData || {} }, - '*' + target.origin ); break; case LuigiInternalMessageID.NAVIGATION_REQUEST: @@ -185,6 +189,7 @@ export class ContainerService { }; window.addEventListener('message', globalThis.__luigi_container_manager.messageListener); } + return globalThis.__luigi_container_manager; } diff --git a/container/test/services/container.service.spec.ts b/container/test/services/container.service.spec.ts index 92359dbf84..0b6f1740ef 100644 --- a/container/test/services/container.service.spec.ts +++ b/container/test/services/container.service.spec.ts @@ -5,18 +5,18 @@ import { ContainerService } from '../../src/services/container.service'; describe('getContainerManager messageListener', () => { let service: ContainerService; let gtcSpy; - let cw : any = {}; - let cm ; + let cw: any = {}; + let cm; let dispatchedEvent; service = new ContainerService(); - cm = service.getContainerManager(); + cm = service.getContainerManager(); beforeEach(() => { // only get context scenario relies on postMessage, so we need special case handling for it const testName = expect.getState().currentTestName; - if (testName === 'test get context message'){ - cw = { postMessage: () => {}} - } + if (testName === 'test get context message') { + cw = { postMessage: () => {} }; + } gtcSpy = jest.spyOn(service, 'getTargetContainer').mockImplementation(() => { return { @@ -32,26 +32,29 @@ describe('getContainerManager messageListener', () => { }); }); - afterEach(()=>{ + afterEach(() => { jest.resetAllMocks(); }); - it('test alert request', () => { + it('test alert request', () => { const event = { source: cw, data: { msg: LuigiInternalMessageID.ALERT_REQUEST, data: { - id: 'navRequest', + id: 'navRequest' } } }; cm.messageListener(event); expect(dispatchedEvent.type).toEqual(Events.ALERT_REQUEST); - expect(dispatchedEvent.detail).toEqual({data: {data: {id: "navRequest"}, msg: "luigi.ux.alert.show"}, source: {}}); - }); + expect(dispatchedEvent.detail).toEqual({ + data: { data: { id: 'navRequest' }, msg: 'luigi.ux.alert.show' }, + source: {} + }); + }); - it('test custom message', () => { + it('test custom message', () => { const event = { source: cw, data: { @@ -84,20 +87,21 @@ describe('getContainerManager messageListener', () => { const postMessageMock = jest.fn(); // Replace the real postMessage with the mock - cw.postMessage = postMessageMock; + cw.postMessage = postMessageMock; + cw.origin = '*'; // Define the message to send and target Origin const message = { - "authData":{}, - "context": {}, - "internal": { - "thirdPartyCookieCheck": { - "disabled": false + authData: {}, + context: {}, + internal: { + thirdPartyCookieCheck: { + disabled: false } }, - "msg": "luigi.init" + msg: 'luigi.init' }; - const targetOrigin = "*"; + const targetOrigin = '*'; // Call the method that should trigger postMessage cm.messageListener(event); @@ -106,10 +110,10 @@ describe('getContainerManager messageListener', () => { expect(postMessageMock).toHaveBeenCalledWith(message, targetOrigin); // Clean up by restoring the original postMessage function - cw.postMessage = () => {} + cw.postMessage = () => {}; + cw.origin = undefined; }); - it('test initialized request', () => { const event = { source: cw, @@ -134,7 +138,7 @@ describe('getContainerManager messageListener', () => { }; cm.messageListener(event); expect(dispatchedEvent.type).toEqual(Events.ADD_SEARCH_PARAMS_REQUEST); - expect(dispatchedEvent.detail).toEqual({data: 'some-data', keepBrowserHistory:true}); + expect(dispatchedEvent.detail).toEqual({ data: 'some-data', keepBrowserHistory: true }); }); it('test add node params request', () => { @@ -148,10 +152,9 @@ describe('getContainerManager messageListener', () => { }; cm.messageListener(event); expect(dispatchedEvent.type).toEqual(Events.ADD_NODE_PARAMS_REQUEST); - expect(dispatchedEvent.detail).toEqual({data: 'some-data', keepBrowserHistory:false}); + expect(dispatchedEvent.detail).toEqual({ data: 'some-data', keepBrowserHistory: false }); }); - it('test confirmationModal show request', () => { const event = { source: cw, @@ -344,34 +347,31 @@ describe('getContainerManager messageListener', () => { expect(dispatchedEvent.type).toEqual(Events.SET_DIRTY_STATUS_REQUEST); }); - it('test default', () => { const consoleWarnSpy = jest.spyOn(console, 'warn').mockImplementation(jest.fn()); const event = { source: cw, data: { - msg: 'no-func', + msg: 'no-func' } }; cm.messageListener(event); expect(consoleWarnSpy).not.toHaveBeenCalled(); }); - }); - describe('isVisible', () => { let service: ContainerService; service = new ContainerService(); - - afterEach(()=>{ + + afterEach(() => { jest.resetAllMocks(); }); it('should return true for a visible element', () => { // Arrange const visibleElement = document.createElement('div'); - jest.spyOn(visibleElement, 'offsetWidth', 'get').mockImplementation(() => 200) + jest.spyOn(visibleElement, 'offsetWidth', 'get').mockImplementation(() => 200); document.body.appendChild(visibleElement); // Act @@ -409,12 +409,11 @@ describe('isVisible', () => { }); }); - describe('sendCustomMessageToIframe', () => { let service: ContainerService; service = new ContainerService(); - - afterEach(()=>{ + + afterEach(() => { jest.resetAllMocks(); }); @@ -423,13 +422,13 @@ describe('sendCustomMessageToIframe', () => { const iframeHandle = { iframe: { contentWindow: { - postMessage: jest.fn(), + postMessage: jest.fn() }, - src: 'https://example.com', - }, + src: 'https://example.com' + } }; const message = { key: 'value' }; - + // Act service.sendCustomMessageToIframe(iframeHandle, message); @@ -445,13 +444,13 @@ describe('sendCustomMessageToIframe', () => { const iframeHandle = { iframe: { contentWindow: { - postMessage: jest.fn(), + postMessage: jest.fn() }, - src: 'https://example.com', - }, + src: 'https://example.com' + } }; const message = { key: 'value' }; - + // Act service.sendCustomMessageToIframe(iframeHandle, message, 'namedMessage'); @@ -465,10 +464,10 @@ describe('sendCustomMessageToIframe', () => { it('should log an error if contentWindow is not available', () => { // Arrange const iframeHandle = { - iframe: {}, + iframe: {} }; const message = { key: 'value' }; - + // Spy on console.error to capture the log message const consoleErrorSpy = jest.spyOn(console, 'error').mockImplementation(() => {}); @@ -486,8 +485,8 @@ describe('sendCustomMessageToIframe', () => { describe('dispatch', () => { let service: ContainerService; service = new ContainerService(); - - afterEach(()=>{ + + afterEach(() => { jest.resetAllMocks(); }); @@ -496,7 +495,7 @@ describe('dispatch', () => { const targetContainer = document.createElement('div'); const eventName = 'customEvent'; const eventData = { key: 'value' }; - targetContainer.dispatchEvent = jest.fn() + targetContainer.dispatchEvent = jest.fn(); // Act service.dispatch(eventName, targetContainer, eventData); @@ -511,29 +510,31 @@ describe('dispatch', () => { const targetContainer = document.createElement('div'); const eventName = 'customEvent'; const eventData = { key: 'value' }; - targetContainer.dispatchEvent = jest.fn() + targetContainer.dispatchEvent = jest.fn(); // Define a callback function - const callbackFunction = (data) => { + const callbackFunction = data => { // This function should not be called in this test }; // Act - service. dispatch(eventName, targetContainer, eventData, callbackFunction, 'onCallback'); - + service.dispatch(eventName, targetContainer, eventData, callbackFunction, 'onCallback'); + // Assert - globalThis.CustomEvent = jest.fn().mockImplementation((type, eventInit) => ({ isTrusted: false, onCallback: callbackFunction })); + globalThis.CustomEvent = jest + .fn() + .mockImplementation((type, eventInit) => ({ isTrusted: false, onCallback: callbackFunction })); - const dispatchedEventMock = {"isTrusted": false, "onCallback": expect.any(Function)}; - expect(targetContainer.dispatchEvent).toHaveBeenCalledWith( expect.objectContaining(dispatchedEventMock)); + const dispatchedEventMock = { isTrusted: false, onCallback: expect.any(Function) }; + expect(targetContainer.dispatchEvent).toHaveBeenCalledWith(expect.objectContaining(dispatchedEventMock)); }); }); describe('getTargetContainer', () => { let service: ContainerService; service = new ContainerService(); - - afterEach(()=>{ + + afterEach(() => { jest.resetAllMocks(); }); @@ -542,24 +543,24 @@ describe('getTargetContainer', () => { const mockContainer1 = { iframeHandle: { iframe: { - contentWindow: 'source1', - }, - }, + contentWindow: 'source1' + } + } }; const mockContainer2 = { iframeHandle: { iframe: { - contentWindow: 'source2', - }, - }, + contentWindow: 'source2' + } + } }; globalThis.__luigi_container_manager = { - container: [mockContainer1, mockContainer2], + container: [mockContainer1, mockContainer2] }; const mockEvent = { - source: 'source2', // Matched with mockContainer2 + source: 'source2' // Matched with mockContainer2 }; // Act @@ -574,24 +575,24 @@ describe('getTargetContainer', () => { const mockContainer1 = { iframeHandle: { iframe: { - contentWindow: 'source1', - }, - }, + contentWindow: 'source1' + } + } }; const mockContainer2 = { iframeHandle: { iframe: { - contentWindow: 'source2', - }, - }, + contentWindow: 'source2' + } + } }; globalThis.__luigi_container_manager = { - container: [mockContainer1, mockContainer2], + container: [mockContainer1, mockContainer2] }; const mockEvent = { - source: 'source3', // No matching container + source: 'source3' // No matching container }; // Act @@ -605,7 +606,7 @@ describe('getTargetContainer', () => { describe('getContainerManager branch', () => { let service: ContainerService; service = new ContainerService(); - + beforeEach(() => { globalThis.__luigi_container_manager = undefined; jest.resetAllMocks(); @@ -627,7 +628,7 @@ describe('getContainerManager branch', () => { it('should return the existing container manager if it has been initialized', () => { const existingManager = { container: ['existingData'], - messageListener: jest.fn(), + messageListener: jest.fn() }; globalThis.__luigi_container_manager = existingManager; @@ -644,14 +645,14 @@ describe('getContainerManager branch', () => { // Verify that addEventListener was called with 'message' event type expect(containerManager).toBeDefined(); expect(containerManager.container).toEqual([]); - expect(spy).toHaveBeenCalledWith('message', expect.any(Function)) + expect(spy).toHaveBeenCalledWith('message', expect.any(Function)); }); }); describe('registerContainer', () => { let service: ContainerService; service = new ContainerService(); - + beforeEach(() => { jest.resetAllMocks(); }); @@ -659,10 +660,10 @@ describe('registerContainer', () => { it('should add an HTMLElement to the container', () => { // Arrange const containerManager = { - container: [], + container: [] }; const container = document.createElement('div'); - service.getContainerManager = jest.fn().mockReturnValue(containerManager); + service.getContainerManager = jest.fn().mockReturnValue(containerManager); // Act service.registerContainer(container); @@ -670,6 +671,5 @@ describe('registerContainer', () => { // Assert expect(containerManager.container).toContain(container); expect(service.getContainerManager).toHaveBeenCalled(); - }); -}); \ No newline at end of file +});