Commit: 2f26d91 · Finding: SEC-W-06
Problem
crates/web/src/main.rs:47-62 installs a navigator.serviceWorker.onmessage handler that blindly trusts ev.data, stashes it on window.__willowLastPush, and dispatches a willow-push Event. No ev.origin / ev.source / kind discriminator check. The reader at crates/web/src/app.rs:266-307 does type-check via Reflect::get, but window.__willowLastPush is a globally-readable side-effect any same-origin script (including dev tooling, browser extensions, future injected scripts) can read.
Since this is serviceWorker.message (only same-origin SW can emit), the risk is lower than window.onmessage, but the pattern is dangerous — any future copy-paste into a window-message handler inherits "trust everything".
Fix
- Verify ev.data?.kind === 'willow-push' (or willow-notification-click) before accepting.
- Pass the payload via a module-local RefCell / channel instead of window.__willowLastPush.
Obvious fix — will be auto-PR'd.
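The hardened handler shape the fix describes, written here as an added JavaScript example rather than the project's own Rust/wasm-bindgen code: the kind discriminator is checked against an allow-list, the sender is compared against an expected source when one is supplied, and accepted payloads go to module-local subscribers instead of window.__willowLastPush. The payload field names (title, body, url) and the optional source check are assumptions, not taken from the crate.

```javascript
// Added example, not code from crates/web. Discriminators come from the finding.
const ACCEPTED_KINDS = new Set(['willow-push', 'willow-notification-click']);

// Module-local subscriber list: only code in this module can register a reader,
// so other same-origin scripts never see accepted payloads (unlike a window global).
const subscribers = [];

function onPush(cb) {
  subscribers.push(cb);
}

// Returns { accepted, reason } so callers and tests can observe the decision.
// `expectedSource` (e.g. navigator.serviceWorker.controller) is optional; when
// given, the event's `source` must be that exact object.
function handleServiceWorkerMessage(ev, expectedSource) {
  const data = ev && ev.data;
  if (data === null || typeof data !== 'object') {
    return { accepted: false, reason: 'non-object payload' };
  }
  if (!ACCEPTED_KINDS.has(data.kind)) {
    return { accepted: false, reason: 'unexpected kind: ' + String(data.kind) };
  }
  if (expectedSource !== undefined && ev.source !== expectedSource) {
    return { accepted: false, reason: 'unexpected source' };
  }
  // Copy only the fields the app defines (hypothetical names) so unexpected
  // properties on ev.data never reach subscribers.
  const payload = { kind: data.kind, title: data.title, body: data.body, url: data.url };
  for (const cb of subscribers) cb(payload);
  return { accepted: true, reason: 'ok' };
}

// Browser wiring (not executed outside a page context):
// navigator.serviceWorker.onmessage = (ev) =>
//   handleServiceWorkerMessage(ev, navigator.serviceWorker.controller);
```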