fix(utils): improve robustness of frame messenger and string processing#5082
fix(utils): improve robustness of frame messenger and string processing#5082RinZ27 wants to merge 2 commits into
Conversation
I switched to Object.create(null) for the channel store and added explicit checks for restricted keys like __proto__ to ensure robust cross-frame communication.
- Escaped property names in process-message to prevent regex injection and logic errors. - Added vbscript: and file: to ignored URL schemes in getFriendlyUriEnd. - Hardened channelId validation in channel-store to avoid potential hijacking. - Improved crypto detection in uuid.js to support Node.js and Web Workers safely.
|
Thanks for the pr. Unfortunately I don't think any of the changes improve the robustness any further than #5062. If As for the Unless you've encountered problems that necessitated these changes I'm inclined to close the PR as won't implement. |
|
Appreciate the feedback. These changes are intended to address specific security and environment-related edge cases:
I believe these harden the utility functions for broader use cases and prevent subtle bugs in non-DOM or high-risk environments. |
Strengthening the robustness of internal utilities ensures better stability across different environments. While reviewing the core library, I noticed several areas where string processing and frame communication could be more resilient against unexpected input.
Addressing potential logic errors in
process-message.js, this update introduces proper regex escaping for property names. I encountered a case where special characters in metadata could interfere with the template substitution, so centralizing the escaping logic was a priority.Updating the frame messenger's
channel-store.jsadds a necessary layer of validation forchannelId. Ensuring only string identifiers are processed helps maintain the integrity of communication channels between frames. Additionally, I modifieduuid.jsto safely detect thecryptoAPI, preventing crashes in environments wherewindowis unavailable, such as Node.js or Web Workers.Refining
get-friendly-uri-end.jsextends the ignored schemes to includevbscript:andfile:. These changes collectively improve the engine's correctness when handling diverse URI formats in a security-conscious manner.Validation of these fixes was performed locally to confirm that the existing test suite remains stable and the reported edge cases are now correctly handled.