Security impact of setimmediate.js
Summary
A customer reported that the main.<hash>.chunk.js file served by GitLab was being flagged by a security scanner for including the code `window.postMessage(message, "*")`. In this call the target origin is given as `"*"` rather than a specific origin, so the message is not restricted to a particular origin, which could be a security concern. It was determined that the code was added to main.<hash>.chunk.js by the setimmediate.js library, which uses postMessage to add tasks to the global event queue to allow for asynchronous execution.
This issue is to determine the following:
- Confirm which dependencies introduce setimmediate as a dependency
- The security impact of using the library, if any
- Define a solution if a security impact is determined
Zendesk ticket (internal access only): https://gitlab.zendesk.com/agent/tickets/124038
Steps to reproduce
Download the latest main.<hash>.chunk.js from gitlab.com
What is the current bug behavior?
The following code is included, which posts a message to the global context (`global` is `window` in the browser build):

```javascript
function installPostMessageImplementation() {
    // Installs an event handler on `global` for the `message` event: see
    // * https://developer.mozilla.org/en/DOM/window.postMessage
    // * http://www.whatwg.org/specs/web-apps/current-work/multipage/comms.html#crossDocumentMessages

    var messagePrefix = "setImmediate$" + Math.random() + "$";
    var onGlobalMessage = function(event) {
        if (event.source === global &&
            typeof event.data === "string" &&
            event.data.indexOf(messagePrefix) === 0) {
            runIfPresent(+event.data.slice(messagePrefix.length));
        }
    };

    if (global.addEventListener) {
        global.addEventListener("message", onGlobalMessage, false);
    } else {
        global.attachEvent("onmessage", onGlobalMessage);
    }

    registerImmediate = function(handle) {
        global.postMessage(messagePrefix + handle, "*");
    };
}
```
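To make the risk of the wildcard target origin easier to assess, here is an added stand-alone model of the receiver-side checks shown above (example code, not setimmediate.js's or GitLab's). The listener only acts on messages that come from the page's own window, are strings, and start with the per-load random prefix, so a message with a guessed prefix, from another window, or replayed after its handle has run is ignored; `fakeGlobal`, `otherWindow` and `registerTask` are assumed names for this model.

```javascript
// Added example: models setimmediate.js's "message" listener checks.
// `fakeGlobal` stands in for `window`; `otherWindow` is a different frame.
const fakeGlobal = { name: "our-window" };
const otherWindow = { name: "other-window" };

// Per-page-load random prefix, as in setimmediate.js.
const messagePrefix = "setImmediate$" + Math.random() + "$";

// Pending tasks keyed by numeric handle (assumed registry, not the library's).
const tasksByHandle = new Map();
let nextHandle = 1;

function registerTask(callback) {
  const handle = nextHandle++;
  tasksByHandle.set(handle, callback);
  return handle;
}

// Runs and removes the task for `handle`; returns whether anything ran.
// A NaN handle (from a non-numeric suffix) finds nothing and is ignored.
function runIfPresent(handle) {
  const task = tasksByHandle.get(handle);
  if (!task) return false;
  tasksByHandle.delete(handle);
  task();
  return true;
}

// Mirrors onGlobalMessage: source must be our own window, data must be a
// string, and it must start with the secret random prefix.
function onGlobalMessage(event) {
  if (event.source === fakeGlobal &&
      typeof event.data === "string" &&
      event.data.indexOf(messagePrefix) === 0) {
    return runIfPresent(+event.data.slice(messagePrefix.length));
  }
  return false;
}

// Builds the outbound message exactly as registerImmediate would post it.
function immediateMessage(handle) {
  return messagePrefix + handle;
}
```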
What is the expected correct behavior?
Determine if and how code can be removed. This will reduce customer impact if found in other scans.
Results of GitLab environment info
Reproducible on gitlab.com
Possible fixes
Remove setimmediate as a dependency in production.

Location: gitlab/node_modules/setimmediate/
Dependency tree:

```
`-- eslint-import-resolver-webpack@0.10.1
    `-- node-libs-browser@2.1.0
        `-- timers-browserify@2.0.10
            `-- setimmediate@1.0.5
```

node-libs-browser is also a dependency of webpack, which is a production dependency:

```
`-- webpack@4.29.0
    `-- node-libs-browser@2.1.0
```
Webpack: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/package.json#L140