Security impact of setimmediate.js

Summary

A customer reported that the main.<hash>.chunk.js file used in GitLab was being flagged by a security scanner for including the code window.postMessage(message, "*"). In this call the target origin is the wildcard "*" rather than a specific origin, which could be a security concern. It was determined that the code was added to main.<hash>.chunk.js by the setimmediate.js library, which uses postMessage to add tasks to the global event queue to allow for asynchronous execution.

This issue is to determine the following:

  • Confirm which dependencies pull in setimmediate
  • The security impact of using the library, if any
  • Define a solution if a security impact is determined.

Zendesk ticket (internal access only): https://gitlab.zendesk.com/agent/tickets/124038

Steps to reproduce

Download the latest main.<hash>.chunk.js from gitlab.com

What is the current bug behavior?

The following code is included. It posts a message to the global (window) context with a wildcard target origin and listens for that same message on the global object.

// Excerpt from setimmediate.js. `global`, `runIfPresent` and `registerImmediate`
// are module-level variables defined elsewhere in the library: `global` is the
// window object, `runIfPresent` runs the queued task for a given handle, and
// `registerImmediate` is the function setImmediate() calls to schedule a task.
function installPostMessageImplementation() {
    // Installs an event handler on `global` for the `message` event: see
    // * https://developer.mozilla.org/en/DOM/window.postMessage
    // * http://www.whatwg.org/specs/web-apps/current-work/multipage/comms.html#crossDocumentMessages

    var messagePrefix = "setImmediate$" + Math.random() + "$";
    var onGlobalMessage = function(event) {
        // Only accept messages that come from this window itself, are strings,
        // and carry the per-page-load random prefix; everything else is ignored.
        if (event.source === global &&
            typeof event.data === "string" &&
            event.data.indexOf(messagePrefix) === 0) {
            runIfPresent(+event.data.slice(messagePrefix.length));
        }
    };

    if (global.addEventListener) {
        global.addEventListener("message", onGlobalMessage, false);
    } else {
        global.attachEvent("onmessage", onGlobalMessage);
    }

    registerImmediate = function(handle) {
        // The message is posted to `global` (this window), not to another frame.
        global.postMessage(messagePrefix + handle, "*");
    };
}
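
The security-relevant point is on the receiving side: the message is posted to `global`, i.e. the page's own window, and the listener drops anything whose `event.source` is not that window or that lacks the random per-load prefix. The following harness is an added example, not code from the issue or from the setimmediate library; it reproduces the listener's filtering outside a browser so the checks can be exercised. `makeGlobalMessageHandler`, `simulate` and the stand-in window/frame objects are constructed here for illustration.

```javascript
// Added example: models setimmediate's onGlobalMessage filter so the three
// acceptance conditions (same source, string data, matching random prefix)
// can be exercised with constructed events. Not part of the library itself.

function makeGlobalMessageHandler(globalObj, messagePrefix, runIfPresent) {
  // Mirrors the library's listener. Returns true when the message is accepted
  // and runIfPresent was called, false when it was silently ignored.
  return function onGlobalMessage(event) {
    if (event.source === globalObj &&
        typeof event.data === "string" &&
        event.data.indexOf(messagePrefix) === 0) {
      runIfPresent(+event.data.slice(messagePrefix.length));
      return true;
    }
    return false;
  };
}

function simulate() {
  const fakeWindow = {};   // stands in for `global`, the page's own window
  const otherFrame = {};   // stands in for a cross-origin iframe or opener
  const messagePrefix = "setImmediate$" + Math.random() + "$";
  const ran = [];          // handles that reached runIfPresent
  const handler = makeGlobalMessageHandler(fakeWindow, messagePrefix,
                                           (h) => ran.push(h));

  // Constructed events: only the first one satisfies all three checks.
  const results = {
    ownMessage:    handler({ source: fakeWindow, data: messagePrefix + "7" }),
    foreignSource: handler({ source: otherFrame, data: messagePrefix + "8" }),
    wrongPrefix:   handler({ source: fakeWindow, data: "setImmediate$guess$9" }),
    nonString:     handler({ source: fakeWindow, data: { handle: 10 } }),
  };
  return { results, ran };
}
```

Because the message never leaves the sending window and carries nothing but an opaque task handle, the wildcard target origin does not disclose data to another origin; the residual concern is only that scanners flag the pattern. 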

What is the expected correct behavior?

Determine if and how the code can be removed. This will reduce customer impact if the pattern is flagged by other scans.

Results of GitLab environment info

Reproducible on gitlab.com

Possible fixes

Remove setimmediate as a dependency in production.

gitlab/node_modules/setimmediate/

Dependency tree

`-- eslint-import-resolver-webpack@0.10.1
  `-- node-libs-browser@2.1.0
    `-- timers-browserify@2.0.10
      `-- setimmediate@1.0.5

node-libs-browser is also a dependency of webpack, which is a production dependency.

`-- webpack@4.29.0
  `-- node-libs-browser@2.1.0

Webpack: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/package.json#L140

Edited by 🤖 GitLab Bot 🤖