[PM-3574] Fix leak of login credentials to foreign origin due to race condition during autofill (#6700)

* [PM-3574] Fix leak of login credentials to foreign origin due to race condition during autofill * [PM-3574] Adding a temporary artificial delay to facilitate QA testing * [PM-3574] Adding a temporary artificial delay to facilitate QA testing * [PM-4590] Cached Page Details of Formless Input Fields Breaks Autofill * [PM-3574] Reworking implementation to take into account the page details url * [PM-3574] Fixing jest tests * [PM-3574] Fixing jest tests * [PM-3574] Removing 5 second delay on autofill
2 years ago · 8e047f615e
5 changed files with 38 additions and 8 deletions
--- a/apps/browser/src/autofill/content/abstractions/autofill-init.ts
+++ b/apps/browser/src/autofill/content/abstractions/autofill-init.ts
@ -5,6 +5,8 @@ type AutofillExtensionMessage = {
				@@ -5,6 +5,8 @@ type AutofillExtensionMessage = {
  tab?: chrome.tabs.Tab;
  sender?: string;
  fillScript?: AutofillScript;
+  url?: string;
+  pageDetailsUrl?: string;
 };

 type AutofillExtensionMessageHandlers = {
--- a/apps/browser/src/autofill/content/autofill-init.spec.ts
+++ b/apps/browser/src/autofill/content/autofill-init.spec.ts
@ -73,13 +73,36 @@ describe("AutofillInit", () => {
				@@ -73,13 +73,36 @@ describe("AutofillInit", () => {
  });

  describe("fillForm", () => {
-    it("will call the InsertAutofillContentService to fill the form", () => {
-      const fillScript = mock<AutofillScript>();
+    beforeEach(() => {
      jest
        .spyOn(bitwardenAutofillInit.insertAutofillContentService, "fillForm")
        .mockImplementation();
+    });
+
+    it("skips calling the InsertAutofillContentService and does not fill the form if the url to fill is not equal to the current tab url", () => {
+      const fillScript = mock<AutofillScript>();
+      const message = {
+        command: "fillForm",
+        fillScript,
+        pageDetailsUrl: "https://a-different-url.com",
+      };
+
+      bitwardenAutofillInit.fillForm(message);
+
+      expect(bitwardenAutofillInit.insertAutofillContentService.fillForm).not.toHaveBeenCalledWith(
+        fillScript
+      );
+    });
+
+    it("will call the InsertAutofillContentService to fill the form", () => {
+      const fillScript = mock<AutofillScript>();
+      const message = {
+        command: "fillForm",
+        fillScript,
+        pageDetailsUrl: window.location.href,
+      };

-      bitwardenAutofillInit.fillForm(fillScript);
+      bitwardenAutofillInit.fillForm(message);

      expect(bitwardenAutofillInit.insertAutofillContentService.fillForm).toHaveBeenCalledWith(
        fillScript
--- a/apps/browser/src/autofill/content/autofill-init.ts
+++ b/apps/browser/src/autofill/content/autofill-init.ts
@ -1,5 +1,4 @@
				@@ -1,5 +1,4 @@
 import AutofillPageDetails from "../models/autofill-page-details";
-import AutofillScript from "../models/autofill-script";
 import CollectAutofillContentService from "../services/collect-autofill-content.service";
 import DomElementVisibilityService from "../services/dom-element-visibility.service";
 import InsertAutofillContentService from "../services/insert-autofill-content.service";
@ -17,7 +16,7 @@ class AutofillInit implements AutofillInitInterface {
				@@ -17,7 +16,7 @@ class AutofillInit implements AutofillInitInterface {
  private readonly extensionMessageHandlers: AutofillExtensionMessageHandlers = {
    collectPageDetails: ({ message }) => this.collectPageDetails(message),
    collectPageDetailsImmediately: ({ message }) => this.collectPageDetails(message, true),
-    fillForm: ({ message }) => this.fillForm(message.fillScript),
+    fillForm: ({ message }) => this.fillForm(message),
  };

  /**
@ -76,10 +75,14 @@ class AutofillInit implements AutofillInitInterface {
				@@ -76,10 +75,14 @@ class AutofillInit implements AutofillInitInterface {

  /**
   * Fills the form with the given fill script.
-   * @param {AutofillScript} fillScript
-   * @private
+   *
+   * @param {AutofillExtensionMessage} message
   */
-  private fillForm(fillScript: AutofillScript) {
+  private fillForm({ fillScript, pageDetailsUrl }: AutofillExtensionMessage) {
+    if ((document.defaultView || window).location.href !== pageDetailsUrl) {
+      return;
+    }
+
    this.insertAutofillContentService.fillForm(fillScript);
  }

--- a/apps/browser/src/autofill/services/autofill.service.spec.ts
+++ b/apps/browser/src/autofill/services/autofill.service.spec.ts
@ -398,6 +398,7 @@ describe("AutofillService", () => {
				@@ -398,6 +398,7 @@ describe("AutofillService", () => {
            untrustedIframe: false,
          },
          url: currentAutofillPageDetails.tab.url,
+          pageDetailsUrl: "url",
        },
        {
          frameId: currentAutofillPageDetails.frameId,
--- a/apps/browser/src/autofill/services/autofill.service.ts
+++ b/apps/browser/src/autofill/services/autofill.service.ts
@ -208,6 +208,7 @@ export default class AutofillService implements AutofillServiceInterface {
				@@ -208,6 +208,7 @@ export default class AutofillService implements AutofillServiceInterface {
            command: "fillForm",
            fillScript: fillScript,
            url: tab.url,
+            pageDetailsUrl: pd.details.url,
          },
          { frameId: pd.frameId }
        );