Copilot security audit and enhancements

Author: noam-sc

package-lock.json

@@ -9,6 +9,7 @@ import { todayLocalDate } from './utils/date';
 import { checkPomodoro } from './functions/pomodoro';
 import { Messages } from './utils/messages';
 import { injectTabsRepositorySingleton } from './repository/inject-tabs-repository';
+import { isValidMessage, sanitizeBackupData } from './utils/security';
 
 logger.log('Start background script');
 let pomodoroTimer: number;
@@ -77,6 +78,12 @@ scheduleJobs();
 initTracker();
 
 Browser.runtime.onMessage.addListener(async message => {
+  // SECURITY FIX: Validate message structure to prevent malicious messages
+  if (!isValidMessage(message)) {
+    console.warn('Invalid message received:', message);
+    return;
+  }
+
   if (message == Messages.ClearAllData) {
     const storage = injectStorage();
     const repo = await injectTabsRepositorySingleton();
@@ -85,7 +92,9 @@ Browser.runtime.onMessage.addListener(async message => {
   }
   if (message.message == Messages.Restore) {
     const storage = injectStorage();
-    await storage.saveTabs(message.data);
+    // SECURITY FIX: Sanitize backup data before processing
+    const sanitizedData = sanitizeBackupData(message.data);
+    await storage.saveTabs(sanitizedData);
     const repo = await injectTabsRepositorySingleton();
     repo.initAsync();
   }

src/background.ts

@@ -45,6 +45,7 @@ import { injectStorage } from '../storage/inject-storage';
 import { StorageParams } from '../storage/storage-params';
 import { isDomainEquals } from '../utils/common';
 import { extractHostname } from '../utils/extract-hostname';
+import { sanitizeUserInput } from '../utils/security';
 
 const { t } = useI18n();
 
@@ -60,16 +61,19 @@ onMounted(async () => {
 });
 
 function addToWhiteList() {
+  // SECURITY FIX: Sanitize user input before processing
+  const sanitizedInput = sanitizeUserInput(newWebsiteForWhiteList.value || '');
+
   const existingItem = whiteList.value?.find(x =>
-    isDomainEquals(extractHostname(x), extractHostname(newWebsiteForWhiteList.value!)),
+    isDomainEquals(extractHostname(x), extractHostname(sanitizedInput)),
   );
   if (existingItem !== undefined) {
     notification.notify({
       title: 'You have already added this site',
       type: 'error',
     });
   } else {
-    const newWebsite = extractHostname(newWebsiteForWhiteList.value!);
+    const newWebsite = extractHostname(sanitizedInput);
     whiteList.value?.push(newWebsite);
     save(whiteList.value);
     newWebsiteForWhiteList.value = '';

src/components/WhiteList.vue

@@ -1,12 +1,30 @@
 import Browser from 'webextension-polyfill';
 import { Messages } from '../utils/messages';
+import { isValidBackupData, sanitizeBackupData } from '../utils/security';
 
 export async function useRestoreData(json: string) {
-  if (json != null && json != undefined && json != '') {
+  if (!json || typeof json !== 'string') {
+    throw new Error('Invalid backup data: empty or invalid input');
+  }
+
+  try {
+    // SECURITY FIX: Validate JSON structure before parsing to prevent code injection
     const data = JSON.parse(json);
+
+    // Validate the data structure
+    if (!isValidBackupData(data)) {
+      throw new Error('Invalid backup data structure');
+    }
+
+    // Sanitize the data to ensure safety
+    const sanitizedData = sanitizeBackupData(data);
+
     await Browser.runtime.sendMessage({
       message: Messages.Restore,
-      data: data,
+      data: sanitizedData,
     });
+  } catch (error) {
+    console.error('Invalid backup file:', error);
+    throw new Error('Invalid or corrupted backup file');
   }
 }

src/functions/useRestoreData.ts

@@ -30,8 +30,13 @@
     "default_popup": "src/popup.html",
     "default_title": "Web Activity Time Tracker"
   },
-  "web_accessible_resources": [{
-    "resources": ["assets/pomodoro-sounds/*.mp3"],
-    "matches": ["<all_urls>"]
-  }]
+  "web_accessible_resources": [
+    {
+      "resources": ["assets/pomodoro-sounds/*.mp3"],
+      "matches": ["<all_urls>"]
+    }
+  ],
+  "content_security_policy": {
+    "extension_pages": "script-src 'self'; object-src 'none'; base-uri 'none';"
+  }
 }

src/manifest.json

@@ -43,6 +43,8 @@ import { BLOCK_DEFERRAL_DEFAULT, StorageParams } from '../storage/storage-params
 import { convertLimitTimeToString } from '../utils/converter';
 import PromoClearYouTube from '../components/PromoClearYouTube.vue';
 import { canDefering, defering } from '../functions/deferList';
+import { isValidRedirectUrl } from '../utils/security';
+import Browser from 'webextension-polyfill';
 
 const { t } = useI18n();
 
@@ -81,7 +83,14 @@ async function deferring() {
     haveToShowDeffering.value
   ) {
     await defering(webSite.value, 5);
-    if (sourceUrl.value != '') window.location.replace(sourceUrl.value);
+
+    // SECURITY FIX: Validate URL before redirect to prevent open redirect attacks
+    if (sourceUrl.value && isValidRedirectUrl(sourceUrl.value)) {
+      window.location.replace(sourceUrl.value);
+    } else {
+      // Redirect to safe default page if URL is invalid or empty
+      window.location.replace(Browser.runtime.getURL('src/dashboard.html'));
+    }
   }
 }
 </script>

src/pages/Block.vue

@@ -1,3 +1,5 @@
+import { sanitizeFaviconUrl } from './security';
+
 export enum BlockParams {
   Domain = 'domain',
   URL = 'url',
@@ -20,7 +22,11 @@ export function getValueFromQuery(url: string) {
   const urlObj = new URL(url);
   const domain = urlObj.searchParams.get(BlockParams.Domain);
   const sourceUrl = urlObj.searchParams.get(BlockParams.URL);
-  const favicon = urlObj.searchParams.get(BlockParams.Favicon);
+  let favicon = urlObj.searchParams.get(BlockParams.Favicon);
+
+  // SECURITY FIX: Sanitize favicon URL to prevent XSS/SSRF attacks
+  favicon = sanitizeFaviconUrl(favicon);
+
   const limitTime = Number(urlObj.searchParams.get(BlockParams.LimitTime));
   const summaryCounter = Number(urlObj.searchParams.get(BlockParams.SummaryCounter));
 

src/utils/block-page.ts

@@ -0,0 +1,147 @@
+import { NO_FAVICON } from './consts';
+
+/**
+ * Security utilities for input validation and sanitization
+ */
+
+/**
+ * Validates if a URL is safe for redirection
+ * Only allows http/https protocols and optionally validates against whitelist
+ */
+export function isValidRedirectUrl(url: string): boolean {
+  if (!url || typeof url !== 'string') {
+    return false;
+  }
+
+  try {
+    const urlObj = new URL(url);
+
+    // Only allow http/https protocols to prevent javascript:, data:, etc.
+    if (!['http:', 'https:'].includes(urlObj.protocol)) {
+      return false;
+    }
+
+    // Check for dangerous schemes in the URL string (case-insensitive)
+    const lowerUrl = url.toLowerCase();
+    if (
+      lowerUrl.includes('javascript:') ||
+      lowerUrl.includes('data:') ||
+      lowerUrl.includes('vbscript:') ||
+      lowerUrl.includes('file:')
+    ) {
+      return false;
+    }
+
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Sanitizes and validates favicon URLs
+ * Returns NO_FAVICON constant for invalid URLs
+ */
+export function sanitizeFaviconUrl(favicon: string | null): string {
+  if (!favicon || typeof favicon !== 'string') {
+    return NO_FAVICON;
+  }
+
+  try {
+    const url = new URL(favicon);
+
+    // Only allow http/https protocols
+    if (!['http:', 'https:'].includes(url.protocol)) {
+      return NO_FAVICON;
+    }
+
+    // Check for dangerous schemes
+    const lowerUrl = favicon.toLowerCase();
+    if (
+      lowerUrl.includes('javascript:') ||
+      lowerUrl.includes('data:') ||
+      lowerUrl.includes('vbscript:')
+    ) {
+      return NO_FAVICON;
+    }
+
+    return favicon;
+  } catch {
+    // Invalid URL
+    return NO_FAVICON;
+  }
+}
+
+/**
+ * Sanitizes user input to prevent XSS and other injection attacks
+ */
+export function sanitizeUserInput(input: string): string {
+  if (typeof input !== 'string') {
+    return '';
+  }
+
+  // Remove dangerous characters and scripts
+  return input
+    .replace(/<script[^>]*>.*?<\/script>/gi, '') // Remove script tags
+    .replace(/javascript:/gi, '') // Remove javascript: protocol
+    .replace(/data:/gi, '') // Remove data: protocol
+    .replace(/vbscript:/gi, '') // Remove vbscript: protocol
+    .replace(/on\w+\s*=/gi, '') // Remove event handlers like onclick=
+    .replace(/<[^>]*>/g, '') // Remove all HTML tags
+    .trim()
+    .substring(0, 1000); // Limit length to prevent DoS
+}
+
+/**
+ * Validates backup data structure to prevent code injection
+ */
+export function isValidBackupData(data: any): boolean {
+  if (!Array.isArray(data)) {
+    return false;
+  }
+
+  return data.every(item => {
+    return (
+      typeof item === 'object' &&
+      item !== null &&
+      typeof item.url === 'string' &&
+      typeof item.summaryTime === 'number' &&
+      item.summaryTime >= 0
+    );
+  });
+}
+
+/**
+ * Sanitizes backup data to ensure safety
+ */
+export function sanitizeBackupData(data: any[]): any[] {
+  return data.map(item => ({
+    url: sanitizeUserInput(item.url || ''),
+    summaryTime: Math.max(0, Math.floor(Number(item.summaryTime) || 0)),
+    counter: Math.max(0, Math.floor(Number(item.counter) || 0)),
+    favicon: sanitizeFaviconUrl(item.favicon),
+    days: Array.isArray(item.days) ? item.days.map(sanitizeDayData) : [],
+  }));
+}
+
+/**
+ * Sanitizes day data within backup
+ */
+function sanitizeDayData(day: any): any {
+  return {
+    date: sanitizeUserInput(day.date || ''),
+    summary: Math.max(0, Math.floor(Number(day.summary) || 0)),
+    counter: Math.max(0, Math.floor(Number(day.counter) || 0)),
+  };
+}
+
+/**
+ * Validates that a message has the expected structure
+ */
+export function isValidMessage(message: any): boolean {
+  return (
+    message &&
+    (typeof message === 'string' ||
+      (typeof message === 'object' && (message.type || message.message)))
+  );
+}