Fix Parent Origin Regex (#237)

* Fix Parent Origin Regex

* Add another test case

* Handle more cases

src/ConfigContext.ts

@@ -31,10 +31,11 @@ interface ConfigContext {
 let configContext: Readonly<ConfigContext> = {
   platform: Platform.Portal,
   allowedParentFrameOrigins: [
-    `^https:\\/\\/cosmos.azure.(com|cn|us)$`,
+    `^https:\\/\\/cosmos\\.azure\\.(com|cn|us)$`,
-    `^https:\\/\\/[\\.\\w]+.portal.azure.(com|cn|us)$`,
+    `^https:\\/\\/[\\.\\w]*portal\\.azure\\.(com|cn|us)$`,
-    `^https:\\/\\/[\\.\\w]+.ext.azure.(com|cn|us)$`,
+    `^https:\\/\\/[\\.\\w]*ext\\.azure\\.(com|cn|us)$`,
-    `^https:\\/\\/[\\.\\w]+microsoftazure.de$`
+    `^https:\\/\\/[\\.\\w]*\\.ext\\.microsoftazure\\.de$`,
+    `^https://cosmos-db-dataexplorer-germanycentral.azurewebsites.de$`
   ],
   // Webpack injects this at build time
   gitSha: process.env.GIT_SHA,

src/Utils/MessageValidation.test.ts

@@ -1,21 +1,25 @@
 import { isInvalidParentFrameOrigin } from "./MessageValidation";
 
 test.each`
-  domain                                             | expected
+  domain                                                           | expected
-  ${"https://cosmos.azure.com"}                      | ${false}
+  ${"https://cosmos.azure.com"}                                    | ${false}
-  ${"https://cosmos.azure.us"}                       | ${false}
+  ${"https://cosmos.azure.us"}                                     | ${false}
-  ${"https://cosmos.azure.cn"}                       | ${false}
+  ${"https://cosmos.azure.cn"}                                     | ${false}
-  ${"https://cosmos.microsoftazure.de"}              | ${false}
+  ${"https://portal.azure.com"}                                    | ${false}
-  ${"https://subdomain.portal.azure.com"}            | ${false}
+  ${"https://portal.azure.us"}                                     | ${false}
-  ${"https://subdomain.portal.azure.us"}             | ${false}
+  ${"https://portal.azure.cn"}                                     | ${false}
-  ${"https://subdomain.portal.azure.cn"}             | ${false}
+  ${"https://subdomain.portal.azure.com"}                          | ${false}
-  ${"https://subdomain.microsoftazure.de"}           | ${false}
+  ${"https://subdomain.portal.azure.us"}                           | ${false}
-  ${"https://main.documentdb.ext.azure.com"}         | ${false}
+  ${"https://subdomain.portal.azure.cn"}                           | ${false}
-  ${"https://main.documentdb.ext.azure.us"}          | ${false}
+  ${"https://main.documentdb.ext.azure.com"}                       | ${false}
-  ${"https://main.documentdb.ext.azure.cn"}          | ${false}
+  ${"https://main.documentdb.ext.azure.us"}                        | ${false}
-  ${"https://main.documentdb.ext.microsoftazure.de"} | ${false}
+  ${"https://main.documentdb.ext.azure.cn"}                        | ${false}
-  ${"https://random.domain"}                         | ${true}
+  ${"https://main.documentdb.ext.microsoftazure.de"}               | ${false}
-  ${"https://malicious.cloudapp.azure.com"}          | ${true}
+  ${"https://random.domain"}                                       | ${true}
+  ${"https://malicious.cloudapp.azure.com"}                        | ${true}
+  ${"https://malicious.germanycentral.cloudapp.microsoftazure.de"} | ${true}
+  ${"https://maliciousazure.com"}                                  | ${true}
+  ${"https://maliciousportalsazure.com"}                           | ${true}
 `("returns $expected when called with $domain", ({ domain, expected }) => {
   expect(isInvalidParentFrameOrigin({ origin: domain } as MessageEvent)).toBe(expected);
 });

src/Utils/MessageValidation.ts

@@ -17,5 +17,6 @@ function isValidOrigin(allowedOrigins: string[], event: MessageEvent): boolean {
       return true;
     }
   }
+  console.error(`Invalid parent frame origin detected: ${eventOrigin}`);
   return false;
 }