feat: BX-2109

Author: janek26

src/core/messengers/initializeMessenger.ts

@@ -1,6 +1,8 @@
 import { ScriptType, detectScriptType } from '../utils/detectScriptType';
+import { isInternalOrigin } from '../utils/isInternalOrigin';
 
 import { bridgeMessenger } from './internal/bridge';
+import { CallbackOptions, Messenger } from './internal/createMessenger';
 import { extensionMessenger } from './internal/extension';
 import { tabMessenger } from './internal/tab';
 import { windowMessenger } from './internal/window';
@@ -19,6 +21,34 @@ type InitializeMessengerArgs = {
   connect: ScriptType;
 };
 
+/**
+ * Wraps a messenger to validate that all incoming messages originate from
+ * extension URLs. This prevents cross-origin message handler bypass attacks
+ * where malicious websites attempt to send messages to privileged handlers.
+ */
+function withOriginValidation(messenger: Messenger): Messenger {
+  return {
+    ...messenger,
+    reply<TPayload, TResponse>(
+      topic: string,
+      callback: (
+        payload: TPayload,
+        options: CallbackOptions,
+      ) => Promise<TResponse>,
+    ) {
+      return messenger.reply<TPayload, TResponse>(
+        topic,
+        async (payload, options) => {
+          if (!isInternalOrigin(options.sender, `messenger:${topic}`)) {
+            return { error: 'Invalid origin' } as TResponse;
+          }
+          return callback(payload, options);
+        },
+      );
+    },
+  };
+}
+
 export function initializeMessenger({ connect }: InitializeMessengerArgs) {
   const source = detectScriptType();
   const connections = [
@@ -31,5 +61,13 @@ export function initializeMessenger({ connect }: InitializeMessengerArgs) {
       `No messenger found for connection ${source} <-> ${connect}.`,
     );
 
-  return messengersForConnection[connection];
+  const messenger = messengersForConnection[connection];
+
+  // When background expects messages from popup, enforce origin validation
+  // to prevent cross-origin message handler bypass attacks
+  if (source === 'background' && connect === 'popup') {
+    return withOriginValidation(messenger);
+  }
+
+  return messenger;
 }

src/core/utils/isInternalOrigin.ts

@@ -0,0 +1,31 @@
+import { IMessageSender } from '@rainbow-me/provider';
+
+import { RainbowError, logger } from '~/logger';
+
+/**
+ * Validates that a message sender originates from within the extension.
+ * Used to prevent cross-origin message handler bypass attacks where
+ * malicious websites attempt to send messages to privileged handlers.
+ *
+ * @param sender - The message sender object containing URL and origin info
+ * @param source - Identifier for logging purposes (e.g., 'messenger:wallet_action')
+ * @returns true if the sender is from an internal extension URL
+ */
+export const isInternalOrigin = (
+  sender: IMessageSender | undefined,
+  source: string,
+): boolean => {
+  const extensionOrigin = chrome.runtime.getURL('');
+  const senderUrl = sender?.url;
+  const isInternal = senderUrl?.startsWith(extensionOrigin) ?? false;
+
+  if (!isInternal) {
+    logger.error(
+      new RainbowError(`${source}: message received from invalid origin`, {
+        cause: new Error(`Invalid origin: ${senderUrl ?? 'unknown'}`),
+      }),
+    );
+  }
+
+  return isInternal;
+};

src/entries/background/procedures/popup/index.ts

@@ -3,6 +3,7 @@ import { RPCHandler } from '@orpc/server/message-port';
 import * as Sentry from '@sentry/react';
 
 import { INTERNAL_BUILD, IS_TESTING } from '~/core/sentry';
+import { isInternalOrigin } from '~/core/utils/isInternalOrigin';
 import { RainbowError, logger } from '~/logger';
 
 import { POPUP_PORT_NAME } from './constants';
@@ -49,6 +50,14 @@ export function startPopupRouter() {
 
   chrome.runtime.onConnect.addListener((port) => {
     if (port.name === POPUP_PORT_NAME) {
+      // Defense-in-depth: validate that port connections originate from extension URLs.
+      // Port-based connections are inherently more secure than message-based,
+      // but explicit validation protects against future changes or compromised extensions.
+      if (!isInternalOrigin(port.sender, 'oRPC:startPopupRouter')) {
+        port.disconnect();
+        return;
+      }
+
       // Register port for disconnect tracking (expiry and immediate lock)
       registerPopupPort(port);