Re: [PR] Cordova-js: Event Listener Hijacking [cordova-js]

via GitHub Tue, 06 Aug 2024 11:18:52 -0700


threatpointer commented on code in PR #276:
URL: https://github.com/apache/cordova-js/pull/276#discussion_r1705942429



##########
src/cordova.js:
##########
@@ -43,6 +43,80 @@ var m_window_removeEventListener = 
window.removeEventListener;
 var documentEventHandlers = {};
 var windowEventHandlers = {};
 
+/**
+ * Mitigation for Event Listener Hijacking
+ */
+(function() {
+    var originalDocumentAddEventListener = document.addEventListener;
+    var originalWindowAddEventListener = window.addEventListener;
+    var documentEventHandlers = {};
+    var windowEventHandlers = {};
+
+    document.addEventListener = function (evt, handler, capture) {
+        var e = evt.toLowerCase();
+        if (typeof documentEventHandlers[e] !== 'undefined') {
+            if (typeof documentEventHandlers[e].subscribe === 'function') {
+                documentEventHandlers[e].subscribe(handler);
+            } else {
+                console.warn('No subscribe function defined for event:', e);
+            }
+        } else {
+            originalDocumentAddEventListener.call(document, evt, handler, 
capture);
+        }
+    };
+
+    window.addEventListener = function (evt, handler, capture) {
+        var e = evt.toLowerCase();
+        if (typeof windowEventHandlers[e] !== 'undefined') {
+            if (typeof windowEventHandlers[e].subscribe === 'function') {
+                windowEventHandlers[e].subscribe(handler);
+            } else {
+                console.warn('No subscribe function defined for event:', e);
+            }
+        } else {
+            originalWindowAddEventListener.call(window, evt, handler, capture);
+        }
+    };
+
+    // Securely define your event handlers
+    documentEventHandlers['click'] = {
+        subscribe: function(handler) {
+            var secureHandler = function(event) {
+                // Perform necessary checks or actions before invoking the 
handler
+                if (event && event.target) {
+                    var allowedElements = ['button', 'a', 'div'];
+                    if 
(allowedElements.includes(event.target.tagName.toLowerCase())) {

Review Comment:
   The aim is not to be excessively restrictive _(the tags are more of starting 
pont)_, but rather to define a set of permissible elements. The stance is 
framework offers secure-by-default configurations that can be adjusted 
according to the user's requirements as needed.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org
For additional commands, e-mail: issues-h...@cordova.apache.org

Re: [PR] Cordova-js: Event Listener Hijacking [cordova-js]

Reply via email to