
DartPad hijacking #2994

Open
NDevTK opened this issue Jun 12, 2024 · 5 comments
Labels: area-preview-ui; P1 (A high priority bug; for example, a single project is unusable or has many test failures); type-bug (Incorrect behavior, everything from a crash to more subtle misbehavior)

Comments

@NDevTK
Contributor

NDevTK commented Jun 12, 2024

What happened?

Attacker code is injected on to the docs.flutter.dev dart-pad embed.

Steps to reproduce problem

const w = open('https://docs.flutter.dev/cookbook/effects/staggered-menu-animation#interactive-example');
setTimeout(() => {
  w[0].postMessage({sourceCode: ':)', type: 'sourceCode'}, '*')
}, 1000)

Additional info

I did think about making a PR in #2993 but made a mess instead.
I think the fix is to only allow DartPad injection from window.parent for both code and error logs.
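The check proposed above, as an added example that is not DartPad's or the Flutter docs' code: a message handler for an embedded editor that accepts state-changing messages only when they come from the embedding parent window, from an allowlisted origin, and with a well-formed payload. The names isTrustedEmbedMessage, createEmbedMessageHandler and ALLOWED_EMBEDDER_ORIGINS, the editor model, and the stand-in window objects in simulate() are all assumptions made for this illustration; in a real page the handler would be registered with window.addEventListener('message', createEmbedMessageHandler(editor, window)).

```javascript
// Added example, not DartPad's or the Flutter docs' code: a hardened
// window.onmessage handler for an embedded editor. Every name below
// (isTrustedEmbedMessage, createEmbedMessageHandler, ALLOWED_EMBEDDER_ORIGINS,
// simulate) is an assumption made for this illustration.

const ALLOWED_EMBEDDER_ORIGINS = new Set([
  'https://docs.flutter.dev', // constructed allowlist for the example
]);

// A message may change editor state only if all three hold:
//   1. we really are embedded (a top-level page has window.parent === window,
//      in which case nothing should be able to inject code);
//   2. it was posted by the window that embeds us (event.source === window.parent),
//      not by some other window that merely holds a reference to ours;
//   3. the sender's origin is on the allowlist.
function isTrustedEmbedMessage(event, selfWindow, allowedOrigins = ALLOWED_EMBEDDER_ORIGINS) {
  const parentWindow = selfWindow.parent;
  if (parentWindow === selfWindow) return false;       // not embedded at all
  if (event.source !== parentWindow) return false;     // wrong sender window
  if (!allowedOrigins.has(event.origin)) return false; // wrong sender origin
  return true;
}

// Build the message handler for a given editor model. The handler returns a
// small result object so the decision can be logged and tested.
function createEmbedMessageHandler(editor, selfWindow, allowedOrigins = ALLOWED_EMBEDDER_ORIGINS) {
  return function onMessage(event) {
    if (!isTrustedEmbedMessage(event, selfWindow, allowedOrigins)) {
      return { accepted: false, reason: 'untrusted source window or origin' };
    }
    const data = event.data;
    if (data === null || typeof data !== 'object' || typeof data.type !== 'string') {
      return { accepted: false, reason: 'malformed message' };
    }
    switch (data.type) {
      case 'sourceCode':
        if (typeof data.sourceCode !== 'string') {
          return { accepted: false, reason: 'sourceCode must be a string' };
        }
        editor.sourceCode = data.sourceCode;
        return { accepted: true, reason: 'sourceCode updated' };
      default:
        return { accepted: false, reason: `unknown message type ${data.type}` };
    }
  };
}

// Constructed stand-ins for the browser objects, so the example runs offline.
function simulate() {
  const embedder = { name: 'embedder' };       // stands in for the docs page window
  const other = { name: 'some-other-window' }; // another window holding a reference to ours
  const selfWindow = { parent: embedder };     // the embedded editor's own window
  const editor = { sourceCode: 'void main() {}' };
  const onMessage = createEmbedMessageHandler(editor, selfWindow);

  return {
    fromParent: onMessage({ source: embedder, origin: 'https://docs.flutter.dev',
      data: { type: 'sourceCode', sourceCode: 'void main() { print(1); }' } }),
    fromOtherWindow: onMessage({ source: other, origin: 'https://docs.flutter.dev',
      data: { type: 'sourceCode', sourceCode: ':)' } }),
    fromParentWrongOrigin: onMessage({ source: embedder, origin: 'https://example.invalid',
      data: { type: 'sourceCode', sourceCode: ':)' } }),
    malformed: onMessage({ source: embedder, origin: 'https://docs.flutter.dev',
      data: { type: 'sourceCode', sourceCode: 42 } }),
    finalSource: editor.sourceCode, // only the accepted message took effect
  };
}
```

The same discipline applies in the other direction: when the editor reports error logs back to its embedder, posting with an explicit target origin (window.parent.postMessage(msg, 'https://docs.flutter.dev')) instead of '*' keeps those messages from being delivered to a window of any other origin.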

@brainwo

brainwo commented Jun 12, 2024

I don't quite follow this; how does one take advantage of this?

It looks like a harmless little fun thing for someone to edit the source code in their own client side via JavaScript.

@NDevTK
Contributor Author

NDevTK commented Jun 12, 2024

The issue is that it's not their own, it's https://docs.flutter.dev, which is cross-site to the attacker's page.

@brainwo

brainwo commented Jun 12, 2024

Well, yeah, someone could make this happen when they write a blog that links to docs.flutter.dev.

But:

  • Popups are blocked by default in browsers. I don't know the statistics, but it's unlikely for someone to allow popups on a site they don't trust.
  • Even when they do, changing code in DartPad is harmless; I fail to see how this is any different from sharing https://dartpad.dev/?id=<ID_OF_HARMFUL_CODE>.

@NDevTK
Contributor Author

NDevTK commented Jun 12, 2024

Popups are allowed by default in most browsers after user activation such as a click. (This avoids a website being able to spam the user with popups.)

In itself it may be harmless, hence the public issue; however, it's a spoofing risk if the user trusts content on docs.flutter.dev with an API key.

@johnpryan johnpryan added area-preview-ui P1 A high priority bug; for example, a single project is unusable or has many test failures type-bug Incorrect behavior (everything from a crash to more subtle misbehavior) labels Jun 18, 2024
@johnpryan
Contributor

I think the solution here would be to restrict what code can be injected into the execution iframe, not the DartPad embedded iframe.
