
fix(web-pkg): [OCISDEV-777] validate postMessage origin in embed mode…#13844

Open
awabcodes wants to merge 1 commit into master from fix/OCISDEV-777/mitigate-iframe-csrf

Conversation

@awabcodes (Contributor)

… modals

Description

The embed mode modals (SaveAsModal, ExportAsPdfModal, FilePickerModal) registered global window message listeners and acted on incoming owncloud-embed:* messages without validating event.origin. Any page holding a reference to an authenticated ownCloud window (e.g. via window.open) could forge an owncloud-embed:select, owncloud-embed:file-pick or owncloud-embed:cancel message and trigger an authenticated file write in the victim's space (CSRF).

Related Issue

Motivation and Context

How Has This Been Tested?

  • test environment: local oCIS, chrome browser
  • test case 1: manual - reproduced the report's PoC from a foreign origin via window.open + postMessage(payload, '*'); no file is created and the modal stays open (before the fix a file was written)
  • ...

Screenshots (if appropriate):

Open tasks:

  • ...
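As an added example (not code from this PR or from ownCloud Web), the shape of the fix the description calls for: an embed-mode message listener that checks event.origin against the configured embedding host before dispatching any owncloud-embed:* message, shown beside the unchecked form, and driven by a constructed fake window so it runs in Node without a browser. The function names, the message name used and the origins https://host.example and https://attacker.example are assumptions for the illustration.

```javascript
// Added example, not ownCloud Web code. All names here are hypothetical.
// Needs Node 16+ (global EventTarget / Event); no browser required.

const EMBED_PREFIX = 'owncloud-embed:';

// Minimal stand-in for a browser MessageEvent; only data, origin and source
// matter for this demonstration. Constructed for the example.
class FakeMessageEvent extends Event {
  constructor(data, origin, source) {
    super('message');
    this.data = data;
    this.origin = origin;
    this.source = source;
  }
}

// Normalise the configured embedding-host origins once (scheme + host + port,
// no path or trailing slash) so the check is an exact string comparison
// against event.origin, never a prefix or substring match.
function makeOriginCheck(allowedOrigins) {
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return (origin) => allowed.has(origin);
}

// "Before" shape described in the PR: any owncloud-embed:* message is acted on,
// whoever sent it.
function installUnsafeListener(win, handlers) {
  const listener = (event) => {
    const msg = event.data || {};
    if (typeof msg.name === 'string' && msg.name.startsWith(EMBED_PREFIX) && handlers[msg.name]) {
      handlers[msg.name](msg);
    }
  };
  win.addEventListener('message', listener);
  return () => win.removeEventListener('message', listener);
}

// "After" shape: reject on event.origin before touching the payload, and answer
// only the sender with an explicit targetOrigin rather than '*'.
function installSafeListener(win, handlers, isAllowedOrigin, audit) {
  const listener = (event) => {
    if (!isAllowedOrigin(event.origin)) {
      audit.push(`rejected ${JSON.stringify(event.data)} from ${event.origin}`);
      return;
    }
    const msg = event.data || {};
    if (typeof msg.name !== 'string' || !msg.name.startsWith(EMBED_PREFIX) || !handlers[msg.name]) return;
    const reply = handlers[msg.name](msg);
    if (reply && event.source) event.source.postMessage(reply, event.origin);
  };
  win.addEventListener('message', listener);
  return () => win.removeEventListener('message', listener);
}

// Drive one listener with a forged message from a foreign origin followed by a
// legitimate one from the configured host, and report what was acted on.
function simulate(useSafeListener) {
  const win = new EventTarget();
  const writes = [];
  const audit = [];
  const replies = [];
  const sender = { postMessage: (msg, targetOrigin) => replies.push({ msg, targetOrigin }) };
  const handlers = {
    'owncloud-embed:select': (msg) => {
      writes.push(msg.path); // stands in for the authenticated file write
      return { name: 'owncloud-embed:ack', path: msg.path };
    },
  };
  const uninstall = useSafeListener
    ? installSafeListener(win, handlers, makeOriginCheck(['https://host.example']), audit)
    : installUnsafeListener(win, handlers);

  const payload = (path) => ({ name: 'owncloud-embed:select', path });
  // Constructed forgery, as a page holding the window reference would send it
  // via postMessage(payload, '*').
  win.dispatchEvent(new FakeMessageEvent(payload('/victim/forged.txt'), 'https://attacker.example', sender));
  // Constructed legitimate message from the embedding host.
  win.dispatchEvent(new FakeMessageEvent(payload('/victim/wanted.txt'), 'https://host.example', sender));
  uninstall();
  return { writes, audit, replies };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', simulate(false));
  console.log('after: ', simulate(true));
}
```

Two points the example is built around: the origin check is an exact match on the serialised origin (so https://host.example.evil and the opaque origin "null" both fail), and replies go back with event.origin as targetOrigin instead of '*', so a confirmation carrying the chosen path is never broadcast to whichever window happens to hold the reference. Checking event.source alone is not a substitute, since the opener that forged the message is exactly the window that would pass such a check.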

@awabcodes awabcodes requested review from LukasHirt and mzner June 5, 2026 07:30
@awabcodes awabcodes self-assigned this Jun 5, 2026
@awabcodes awabcodes added the Topic:Security Pull requests that address a security vulnerability label Jun 5, 2026
@kw-security

kw-security commented Jun 5, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine            Critical  High  Medium  Low  Total
Open Source Security   0         0     0       0    0 issues
Licenses               0         0     0       0    0 issues
Code Security          0         0     0       0    0 issues


@awabcodes awabcodes requested a review from nikolasalim June 5, 2026 07:37
@awabcodes awabcodes force-pushed the fix/OCISDEV-777/mitigate-iframe-csrf branch from 63811a6 to 6a55d79 Compare June 5, 2026 07:43
Comment thread changelog/unreleased/security-embed-mode-postmessage-origin-validation.md Outdated
@awabcodes awabcodes force-pushed the fix/OCISDEV-777/mitigate-iframe-csrf branch from 6a55d79 to 67d873c Compare June 5, 2026 08:39
@sonarqubecloud

sonarqubecloud Bot commented Jun 5, 2026

Quality Gate failed

Failed conditions
7 Security Hotspots
48.2% Coverage on New Code (required ≥ 80%)
D Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud



Labels

Topic:Security Pull requests that address a security vulnerability
