fix: validate postMessage origin in LiveControls to prevent XSS

[0xcucumbersalad]

Mirrors deco-cx/deco#1183. Adds a trusted-origin allowlist and message shape validation before dispatching editor::inject, which calls eval on attacker-controlled input.

---

Summary by cubic

Validates postMessage origin and data shape in LiveControls to block XSS via editor::inject. Adds a trusted-origin allowlist and guards so eval only runs for trusted, well-formed messages.

• Bug Fixes
  • Added TRUSTED_ORIGINS allowlist (includes same-origin and *.deco.cx).
  • Early return on untrusted origins.
  • Validate payload is an object with a string type before handling.

^{Written for commit ad09bed. Summary will update on new commits.}

Summary by CodeRabbit

• Bug Fixes
  • Improved security by adding validation checks for incoming messages, including origin verification against a trusted list and data type validation to prevent unauthorized or malformed requests from being processed.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR adds origin validation and runtime type-checking to the onMessage handler in the controls component. Incoming postMessage events are now validated against a trusted origins allowlist and checked for correct data shape before processing.

Changes

Message Origin & Data Validation

Layer / File(s)	Summary
Validation Constants & Helpers website/components/_Controls.tsx (lines 62-66)	TRUSTED_ORIGINS constant defines allowed origins (.deco.cx subdomains and current page origin). isTrustedOrigin(origin) helper function checks if an origin is in the allowlist.
Message Handler Guards website/components/_Controls.tsx (lines 67-87)	onMessage handler updated to early-return unless origin passes isTrustedOrigin() check and event.data is a non-null object with a string type property.
Existing Logic Path website/components/_Controls.tsx (lines 88-90)	editor::inject handling remains unchanged but now only executes after origin/data validation has passed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A whisker-twitch of security, so fine!
Origin checks and data shapes align,
No stranger's script shall slip on through,
Only trusted origins, tried and true.
The message handler stands its ground,
Safe and sound! 🛡️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description includes context about mirroring deco-cx/deco#1183 and auto-generated summary explaining the security fix, but lacks required template sections like Issue Link, Loom Video, and Demonstration Link.	Add the missing template sections: link to the relevant issue (#1183 or equivalent), consider adding a Loom video, and provide a link to test the changes.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and clearly describes the main security fix: validating postMessage origin in LiveControls to prevent XSS attacks.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/xss-live-controls

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Tagging Options

Should a new tag be published when this PR is merged?

• 👍 for Patch 0.148.1 update
• 🎉 for Minor 0.149.0 update
• 🚀 for Major 1.0.0 update

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@website/components/_Controls.tsx`:
- Around line 82-90: The handler assumes data.args.script exists when data.type
=== "editor::inject"; add a strict shape check before calling eval: ensure
data.args is an object and that (data.args as { script?: unknown }).script is a
string (and non-empty if desired), then only call eval(data.args.script). Update
the switch case for "editor::inject" to validate data.args and data.args.script
and return early if validation fails to avoid malformed-message crashes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: df88efeb-dc19-48c6-bec6-a05ec7120c69

📥 Commits

Reviewing files that changed from the base of the PR and between 78ff04b and ad09bed.

📒 Files selected for processing (1)

• website/components/_Controls.tsx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Validate args.script before eval to avoid malformed-message crashes.

Line 90 assumes data.args.script exists, but current guards only validate data.type. Add a strict check for the editor::inject payload shape before evaluating.

Proposed fix

-    switch (data.type) {
-      case "editor::inject": {
-        return eval(data.args.script);
-      }
-    }
+    switch (data.type) {
+      case "editor::inject": {
+        if (
+          typeof (data as { args?: { script?: unknown } }).args?.script !== "string"
+        ) {
+          return;
+        }
+        return eval((data as { args: { script: string } }).args.script);
+      }
+    }

🧰 Tools

🪛 Biome (2.4.14)

[error] 90-90: eval() exposes to security risks and performance issues.

(lint/security/noGlobalEval)

🪛 OpenGrep (1.20.0)

[ERROR] 90-90: eval() with dynamic input can execute arbitrary code. Avoid dynamic code evaluation entirely, or use a safe alternative.

(coderabbit.code-injection.eval-js)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@website/components/_Controls.tsx` around lines 82 - 90, The handler assumes
data.args.script exists when data.type === "editor::inject"; add a strict shape
check before calling eval: ensure data.args is an object and that (data.args as
{ script?: unknown }).script is a string (and non-empty if desired), then only
call eval(data.args.script). Update the switch case for "editor::inject" to
validate data.args and data.args.script and return early if validation fails to
avoid malformed-message crashes.

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="website/components/_Controls.tsx">

<violation number="1" location="website/components/_Controls.tsx:83">
P2: Validate `args.script` before dispatching `editor::inject`; the current shape check still allows malformed messages to reach `data.args.script` and throw.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: Validate args.script before dispatching editor::inject; the current shape check still allows malformed messages to reach data.args.script and throw.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At website/components/_Controls.tsx, line 83:

<comment>Validate `args.script` before dispatching `editor::inject`; the current shape check still allows malformed messages to reach `data.args.script` and throw.</comment>

<file context>
@@ -59,8 +59,32 @@ const snippet = (live: Live) => {
+    }
     const { data } = event;
+    if (
+      typeof data !== "object" || data === null ||
+      typeof (data as { type?: unknown }).type !== "string"
+    ) {
</file context>

Suggested change

	typeof data !== "object" || data === null ||
	typeof (data as { type?: unknown }).type !== "string"
	) {
	typeof data !== "object" || data === null ||
	(data as { type?: unknown }).type !== "editor::inject" ||
	typeof (data as { args?: { script?: unknown } }).args?.script !== "string"