From 969a4ccdabe4664703b8ab03c254ac980cafc3b0 Mon Sep 17 00:00:00 2001 From: Duma Horatiu Date: Fri, 4 Nov 2022 14:04:35 +0200 Subject: [PATCH 1/2] Validated setAllowedOrigins and setIgnoredOrigins methods. Updated security docs. --- docs/security.md | 10 +++++++++- src/ShellSdk.ts | 31 ++++++++++++++++++++++++++++++- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/docs/security.md b/docs/security.md index 775c423..d2b0854 100644 --- a/docs/security.md +++ b/docs/security.md @@ -1,5 +1,8 @@ # Security +The Shell SDK manages browser window (MessageEvents)[https://developer.mozilla.org/en-US/docs/Web/API/Window/message_event]. By default, all events received from foreign origins (excluding the parent window) are **ignored**. +In order to accept messages from a specific origin, you must add it to the list of AllowedOrigins using one of the below methods. + ## Allowed origins only You can use the method `.setAllowedOrigins` to restrict message handling to a list of allowed origins. @@ -11,7 +14,12 @@ sdk.setAllowedOrigins(['https://example.com', 'https://example2.com']); To help debugging, an error will be displayed if an event come from an other origin. -You disable this settings, call `.setAllowedOrigins` with an empy parameter. +To disable this setting, call `.setAllowedOrigins("*")` to allow all origins. + +```javascript +sdk = ShellSdk.init(); +sdk.setAllowedOrigins('*'); +``` ### Allowed origins may be managed dynamically at runtime using following methods: diff --git a/src/ShellSdk.ts b/src/ShellSdk.ts index e76f9cc..30cc9d4 100644 --- a/src/ShellSdk.ts +++ b/src/ShellSdk.ts @@ -105,7 +105,17 @@ export class ShellSdk { } public setAllowedOrigins(allowedOrigins: string[] | '*' = []) { - this.allowedOrigins = allowedOrigins === '*' ? [] : allowedOrigins; + if (allowedOrigins === '*') { + this.allowedOrigins = []; + return; + } + + try { + this.validateOrigins(allowedOrigins); + } catch (e) { + console.error(e); + } + this.allowedOrigins = allowedOrigins; } public addAllowedOrigin(url: string) { @@ -146,6 +156,11 @@ export class ShellSdk { } public setIgnoredOrigins(ignoredOrigins: string[] = []) { + try { + this.validateOrigins(ignoredOrigins); + } catch (e) { + console.error(e); + } this.ignoredOrigins = ignoredOrigins; } @@ -174,6 +189,20 @@ export class ShellSdk { ); } + private validateOrigins(urls: string[]) { + for (const url of urls) { + let urlObj: URL; + try { + urlObj = new URL(url); + if (!urlObj.origin) { + throw new Error('Invalid origin'); + } + } catch { + throw new Error(`${url} is not a valid URL`); + } + } + } + public setValidator( validator: PayloadValidator, validationMode: ValidationMode = 'client' From 39290270fee0f2c3b7d09727eb9798b7b46814ee Mon Sep 17 00:00:00 2001 From: Duma Horatiu Date: Mon, 21 Nov 2022 15:13:58 +0200 Subject: [PATCH 2/2] Fixed MODAL.CLOSE and MODAL.OPEN docs --- docs/events.md | 43 +++++++++++++++++++------------------------ 1 file changed, 19 insertions(+), 24 deletions(-) diff --git a/docs/events.md b/docs/events.md index 5938f72..aa3187d 100644 --- a/docs/events.md +++ b/docs/events.md @@ -96,7 +96,7 @@ Request restricted token for using by an extension - ### GET_PERMISSIONS - With this event you can get permission objects. You can find the available permission object types in the FSM admin page in "User Groups -> select an item -> Permissions -> Object Type". [Here](https://help.sap.com/viewer/fsm_admin/Cloud/en-US/permissions-objects.html) you can also find more information about the permission objects. + With this event you can get permission objects. You can find the available permission object types in the FSM admin page in "User Groups -> select an item -> Permissions -> Object Type". [Here](https://help.sap.com/viewer/fsm_admin/Cloud/en-US/permissions-objects.html) you can also find more information about the permission objects. @@ -173,17 +173,16 @@ Request permissions for specified object from the shell - > Note: Below in the table you can see some common object types. -| objectName | Description | -|---|---| -| ACTIVITY | Permissions about the business data object "Activity" | +| objectName | Description | +| ----------- | -------------------------------------------------------- | +| ACTIVITY | Permissions about the business data object "Activity" | | SERVICECALL | Permissions about the business data object "ServiceCall" | - ### GET_SETTINGS - With this event you can get company specific settings. You can find the available settings in the FSM admin page in "Companies -> select a company -> Company Settings". Here you can create your own settings and fetch them with this event. You can also fetch the existing settings, but consider that many of them are more specific to FSM applications and have a internal mapping. Therefore, you can not fetch them with the key of the company settings from the admin page. In case you need some of these settings, then please contact us. [Here](https://help.sap.com/viewer/fsm_admin/Cloud/en-US/companies.html) you can find more information about companies. + With this event you can get company specific settings. You can find the available settings in the FSM admin page in "Companies -> select a company -> Company Settings". Here you can create your own settings and fetch them with this event. You can also fetch the existing settings, but consider that many of them are more specific to FSM applications and have a internal mapping. Therefore, you can not fetch them with the key of the company settings from the admin page. In case you need some of these settings, then please contact us. [Here](https://help.sap.com/viewer/fsm_admin/Cloud/en-US/companies.html) you can find more information about companies. ``` SHELL_EVENTS.Version1.GET_SETTINGS @@ -218,15 +217,14 @@ Request permissions for specified object from the shell > Note: Below in the table you can see some common keys. -| Key | value type | Description | -|---|---|---| -| userPerson | object | User specific information like name, mail and crowdType | -| CoreSystems.FSM.StandaloneCompany | boolean | [Here](https://help.sap.com/viewer/fsm_admin/Cloud/en-US/companies.html) you can find information about standalone companies | - +| Key | value type | Description | +| --------------------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------- | +| userPerson | object | User specific information like name, mail and crowdType | +| CoreSystems.FSM.StandaloneCompany | boolean | [Here](https://help.sap.com/viewer/fsm_admin/Cloud/en-US/companies.html) you can find information about standalone companies | - ### GET_STORAGE_ITEM -With this event you can get user specific settings. You can find the available settings in the FSM admin page in "Users -> select a user -> User Settings". [Here](https://help.sap.com/viewer/fsm_admin/Cloud/en-US/users.html) you can find more information about users. +With this event you can get user specific settings. You can find the available settings in the FSM admin page in "Users -> select a user -> User Settings". [Here](https://help.sap.com/viewer/fsm_admin/Cloud/en-US/users.html) you can find more information about users. @@ -287,11 +285,10 @@ Request value stored under specified key in cloud storage > Note: Below in the table you can see some common keys. -| Key | value type | Description | -|---|---|---| -| Cockpit_SelectedCompanyName | string | Name of the current selected company | -| Cockpit_SelectedLocale | string | Current selected locale | - +| Key | value type | Description | +| --------------------------- | ---------- | ------------------------------------ | +| Cockpit_SelectedCompanyName | string | Name of the current selected company | +| Cockpit_SelectedLocale | string | Current selected locale | - ### SET_STORAGE_ITEM @@ -401,7 +398,7 @@ Applciations can request do display a modal with a specified URL. Events include - ### MODAL.OPEN - Open a modal using `SHELL_EVENTS.Version1.MODAL.OPEN` event from your application. You can specify `modalSettings` like at title or size. + Open a modal using `SHELL_EVENTS.Version1.MODAL.OPEN` event from your application. You can specify `modalSettings` like a title or the modal size. Additionally, you can provide identification data using the `data` property, and you will receive it back on a subsequent `Version1.MODAL.CLOSE` event when the modal closes. ``` @@ -409,7 +406,7 @@ Applciations can request do display a modal with a specified URL. Events include url: 'https://example.com', modalSettings: { title: 'My title', - size: 'l'| 'm'|'s', + size: 'l'| 'm' | 's', }, data: { id: 'bc251c53-a71f-4924-bf3b-b265be96b71b' } // no schema, you can pass anything as 'data' }); @@ -420,16 +417,14 @@ Applciations can request do display a modal with a specified URL. Events include Request closing of the open modal using `SHELL_EVENTS.Version1.MODAL.CLOSE` from your application or the opened modal. An object can be passed as parameter to be send back to the application which opened the modal. ```typescript - this.sdk.emit(SHELL_EVENTS.Version1.MODAL.CLOSE, { - [key: string]: any - }); + this.sdk.emit(SHELL_EVENTS.Version1.MODAL.CLOSE); ``` An application can listen to the same event to trigger code on closing. This event is only received if the application emited the OPEN event. ```typescript - this.sdk.on(SHELL_EVENTS.Version1.MODAL.CLOSE, (content) => { - // React to the closing of the app + this.sdk.on(SHELL_EVENTS.Version1.MODAL.CLOSE, (data) => { + // React to the closing of the modal // If MODAL.OPEN was passed an argument, it will be provided here. }); ```