Skip to content

NIFI-16059: validate connector postMessage origin against the host or…#11379

Open
mcgilman wants to merge 1 commit into
apache:mainfrom
mcgilman:NIFI-16059
Open

NIFI-16059: validate connector postMessage origin against the host or…#11379
mcgilman wants to merge 1 commit into
apache:mainfrom
mcgilman:NIFI-16059

Conversation

@mcgilman

Copy link
Copy Markdown
Contributor

…igin instead of the entity-controlled configurationUrl (CWE-346)

Summary

NIFI-16059

Connector custom UIs are embedded in the application via an <iframe> and
communicate with the host through window.postMessage. The host's
ConnectorMessageHost derived the origin it trusted — for both inbound message
validation and the outbound targetOrigin — from the connector-provided
configurationUrl / detailsUrl. Because those URLs are controlled by the
connector entity, the entity could effectively attest to its own message
origin, which is an origin-validation weakness (CWE-346).

This change decouples the iframe src from the trusted origin. The host now
trusts only the application's own origin (document.location.origin), which is
valid because connector custom UIs are served by the same web server that serves
the application (the configurationUrl / detailsUrl are built from the
incoming request and contribute only the path, so the iframe is same-origin with
the parent).

Changes

  • ConnectorMessageHost
    • Removed the expectedOrigin option and the static extractOrigin() helper.
    • Trust only trustedOrigin (document.location.origin, via the DOCUMENT
      token), used for both inbound origin validation and the outbound
      targetOrigin. Messages whose event.origin does not match are dropped
      (fail-closed). The existing event.source (iframe contentWindow) and
      message namespace/type checks are unchanged.
  • connector-configure / connector-detail
    • No longer pass expectedOrigin to startListening(...).
    • The disconnected-node-acknowledgment is posted to trustedOrigin rather than
      an origin derived from the entity URL.

Verification

  • Added a regression test asserting that a message whose origin matches an
    attacker-controlled configurationUrl is dropped, and that a message from the
    application origin is accepted.
  • Added a direct test for the outbound disconnected-node-acknowledgment asserting
    it is posted with targetOrigin === window.location.origin and the expected
    message namespace/type.
  • nx test nifi (full suite) and nx lint nifi pass.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 21

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

…igin instead of the entity-controlled configurationUrl (CWE-346)
@rfellows rfellows added the ui Pull requests for work relating to the user interface label Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ui Pull requests for work relating to the user interface

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants