From e2ea57fcf9d514998513a2a613fe95b28783bf5b Mon Sep 17 00:00:00 2001 From: Sam Atkins Date: Fri, 28 Jun 2024 15:45:25 +0100 Subject: [PATCH] tweak(phoenix): Only take auth params from config message Having the parent app send us arbitrary config values was a holdover from when phoenix was an embedded iframe and not a separate app. It led to a security issue previously. Let's only take the auth parameters since we can't get those otherwise, and they're safe to read. Everything else should be available in our own URL params. --- packages/phoenix/src/main_puter.js | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/packages/phoenix/src/main_puter.js b/packages/phoenix/src/main_puter.js index 73d03085a..0411b5537 100644 --- a/packages/phoenix/src/main_puter.js +++ b/packages/phoenix/src/main_puter.js @@ -25,7 +25,10 @@ import { CreateEnvProvider } from './platform/puter/env.js'; import { CreateSystemProvider } from './platform/puter/system.js'; window.main_shell = async () => { - const config = {}; + const config = Object.fromEntries( + new URLSearchParams(window.location.search) + .entries() + ); let resolveConfigured = null; const configured_ = new Promise(rslv => { @@ -41,10 +44,9 @@ window.main_shell = async () => { terminal.on('message', message => { if (message.$ === 'config') { const configValues = { ...message }; - delete configValues.$; - for ( const k in configValues ) { - config[k] = configValues[k]; - } + // Only copy the config that we actually need + config['puter.auth.username'] = configValues['puter.auth.username']; + config['puter.auth.token'] = configValues['puter.auth.token']; resolveConfigured(); } });