Check sender ID in the Dart Debug Extension (#2289)

Author: elliette

dwds/debug_extension_mv3/web/background.dart

@@ -69,6 +69,7 @@ Future<void> _handleRuntimeMessages(
     expectedType: MessageType.isAuthenticated,
     expectedSender: Script.detector,
     expectedRecipient: Script.background,
+    sender: sender,
     messageHandler: (String isAuthenticated) async {
       final dartTab = sender.tab;
       if (dartTab == null) {
@@ -89,6 +90,7 @@ Future<void> _handleRuntimeMessages(
     expectedType: MessageType.debugInfo,
     expectedSender: Script.detector,
     expectedRecipient: Script.background,
+    sender: sender,
     messageHandler: (DebugInfo debugInfo) async {
       final dartTab = sender.tab;
       if (dartTab == null) {
@@ -118,6 +120,7 @@ Future<void> _handleRuntimeMessages(
     expectedType: MessageType.debugStateChange,
     expectedSender: Script.debuggerPanel,
     expectedRecipient: Script.background,
+    sender: sender,
     messageHandler: (DebugStateChange debugStateChange) {
       final newState = debugStateChange.newState;
       final tabId = debugStateChange.tabId;
@@ -132,6 +135,7 @@ Future<void> _handleRuntimeMessages(
     expectedType: MessageType.debugStateChange,
     expectedSender: Script.popup,
     expectedRecipient: Script.background,
+    sender: sender,
     messageHandler: (DebugStateChange debugStateChange) {
       final newState = debugStateChange.newState;
       final tabId = debugStateChange.tabId;
@@ -146,6 +150,7 @@ Future<void> _handleRuntimeMessages(
     expectedType: MessageType.multipleAppsDetected,
     expectedSender: Script.detector,
     expectedRecipient: Script.background,
+    sender: sender,
     messageHandler: (String multipleAppsDetected) async {
       final dartTab = sender.tab;
       if (dartTab == null) {
@@ -167,6 +172,7 @@ Future<void> _handleRuntimeMessages(
     expectedType: MessageType.appId,
     expectedSender: Script.copier,
     expectedRecipient: Script.background,
+    sender: sender,
     messageHandler: (String appId) {
       displayNotification('Copied app ID: $appId');
     },

dwds/debug_extension_mv3/web/chrome_api.dart

@@ -191,6 +191,8 @@ class Runtime {
 
   external String getURL(String path);
 
+  external String get id;
+
   // Note: Not checking the lastError when one occurs throws a runtime exception.
   external ChromeError? get lastError;
 
@@ -253,6 +255,7 @@ class MessageSender {
   external String? get id;
   external Tab? get tab;
   external String? get url;
+  external String? get origin;
   external factory MessageSender({String? id, String? url, Tab? tab});
 }
 

dwds/debug_extension_mv3/web/copier.dart

@@ -32,6 +32,7 @@ void _handleRuntimeMessages(
     expectedType: MessageType.appId,
     expectedSender: Script.background,
     expectedRecipient: Script.copier,
+    sender: sender,
     messageHandler: _copyAppId,
   );
 

dwds/debug_extension_mv3/web/messaging.dart

@@ -14,6 +14,7 @@ import 'package:js/js.dart';
 import 'chrome_api.dart';
 import 'data_serializers.dart';
 import 'logger.dart';
+import 'utils.dart';
 
 // A default response for the sendResponse callback.
 //
@@ -90,9 +91,12 @@ void interceptMessage<T>({
   required MessageType expectedType,
   required Script expectedSender,
   required Script expectedRecipient,
+  required MessageSender sender,
   required void Function(T message) messageHandler,
 }) {
   if (message == null) return;
+  if (!_isLegitimateSender(sender)) return;
+
   try {
     final decodedMessage = Message.fromJSON(message);
     if (decodedMessage.type != expectedType ||
@@ -188,3 +192,31 @@ Future<bool> _sendMessage({
   }
   return completer.future;
 }
+
+// Verify the message sender is our extension.
+bool _isLegitimateSender(MessageSender sender) {
+  // Check that the sender ID matches our extension ID:
+  if (sender.id != chrome.runtime.id) return false;
+
+  final senderUri = Uri.parse(sender.origin ?? '');
+  final senderHost = senderUri.host;
+  final isDartAppHost = senderHost == 'localhost' ||
+      senderHost == '127.0.0.1' ||
+      _isGoogleHost(senderHost);
+  final isExtensionOrigin =
+      senderHost == chrome.runtime.id && senderUri.scheme == 'chrome-extension';
+
+  if (isDartAppHost || isExtensionOrigin) return true;
+
+  // If the sender's host is unexpected, display an error.
+  displayNotification(
+    'Unexpected sender ${sender.origin}. Please file a bug at go/dde-bug or https://github.com/dart-lang/webdev',
+    isError: true,
+  );
+  return false;
+}
+
+bool _isGoogleHost(String host) {
+  const googleSuffices = ['.googlers.com', '.google.com', '.googleprod.com'];
+  return googleSuffices.any((suffix) => host.endsWith(suffix));
+}

dwds/debug_extension_mv3/web/panel.dart

@@ -89,6 +89,7 @@ void _handleRuntimeMessages(
     expectedType: MessageType.debugStateChange,
     expectedSender: Script.background,
     expectedRecipient: Script.debuggerPanel,
+    sender: sender,
     messageHandler: (DebugStateChange debugStateChange) async {
       if (debugStateChange.tabId != _tabId) {
         debugWarn(
@@ -107,6 +108,7 @@ void _handleRuntimeMessages(
     expectedType: MessageType.connectFailure,
     expectedSender: Script.background,
     expectedRecipient: Script.debuggerPanel,
+    sender: sender,
     messageHandler: (ConnectFailure connectFailure) async {
       debugLog(
         'Received connect failure for ${connectFailure.tabId} vs $_tabId',
@@ -185,7 +187,7 @@ Future<void> _maybeUpdateFileABugLink() async {
     if (bugLink == null) return;
     bugLink.setAttribute(
       'href',
-      'http://b/issues/new?component=775375&template=1791321',
+      'http://go/dde-bug',
     );
   }
 }