security(tabapay): validate postMessage origin in WebView listener

The TabaPay widget forwarded every window.postMessage payload to the
native success handler without checking event.origin. A cross-origin
frame or opener could spoof a pipe-delimited success payload and trigger
onSuccess with attacker-controlled card token data.

Install the listener only for valid http(s) page URLs and require
event.origin to match the loaded page origin. Skip listener injection
when the URI is invalid.

Co-authored-by: Sharjeel Yunus <sharjeelyunus@users.noreply.github.com>

Author: cursoragent

modules/ensemble/lib/widget/fintech/tabapay_post_message.dart

@@ -0,0 +1,31 @@
+import 'dart:convert';
+
+/// Builds JavaScript that forwards `postMessage` payloads to the WebView
+/// [messageHandler] channel only when `event.origin` matches the origin of
+/// [pageUrl].
+///
+/// Returns `null` when [pageUrl] is not a valid absolute `http`/`https` URI so
+/// callers can fail closed instead of installing an unrestricted listener.
+String? buildTabaPayPostMessageListenerScript(String pageUrl) {
+  final uri = Uri.tryParse(pageUrl);
+  if (uri == null || !uri.hasScheme || !uri.hasAuthority) {
+    return null;
+  }
+  final scheme = uri.scheme.toLowerCase();
+  if (scheme != 'http' && scheme != 'https') {
+    return null;
+  }
+  final origin = uri.origin;
+  if (origin.isEmpty) {
+    return null;
+  }
+  final originLiteral = jsonEncode(origin);
+  return '''
+window.addEventListener("message", function(event) {
+  if (event.origin !== $originLiteral) {
+    return;
+  }
+  messageHandler.postMessage(event.data);
+});
+''';
+}

modules/ensemble/lib/widget/fintech/tabapayconnect.dart

@@ -10,6 +10,7 @@ import 'package:webview_flutter/webview_flutter.dart';
 import '../../framework/action.dart';
 import '../../screen_controller.dart';
 import '../../util/utils.dart';
+import 'tabapay_post_message.dart';
 
 class TabaPayConnectController extends WidgetController {
   String uri =
@@ -86,8 +87,11 @@ class TabaPayConnectState extends EWidgetState<TabaPayConnect> {
             onMessageReceived: _handleTabaPayMessage)
         ..setNavigationDelegate(
             NavigationDelegate(onPageFinished: (String url) {
-          _webViewController?.runJavaScript(
-              'window.addEventListener("message", (event) => messageHandler.postMessage(event.data))');
+          final listenerScript =
+              buildTabaPayPostMessageListenerScript(widget.controller.uri);
+          if (listenerScript != null) {
+            _webViewController?.runJavaScript(listenerScript);
+          }
         }));
       _webViewController?.loadRequest(Uri.parse(widget.controller.uri));
     }

modules/ensemble/test/tabapay_post_message_test.dart

@@ -0,0 +1,33 @@
+import 'package:ensemble/widget/fintech/tabapay_post_message.dart';
+import 'package:flutter_test/flutter_test.dart';
+
+void main() {
+  group('buildTabaPayPostMessageListenerScript', () {
+    test('includes origin check for valid https iframe URL', () {
+      final script = buildTabaPayPostMessageListenerScript(
+        'https://iframe.tabapay.com/frame',
+      );
+      expect(script, isNotNull);
+      expect(script, contains('"https://iframe.tabapay.com"'));
+      expect(script, contains('event.origin !=='));
+      expect(script, contains('messageHandler.postMessage(event.data)'));
+    });
+
+    test('returns null for invalid or non-http(s) URLs', () {
+      expect(buildTabaPayPostMessageListenerScript(''), isNull);
+      expect(buildTabaPayPostMessageListenerScript('not-a-url'), isNull);
+      expect(
+        buildTabaPayPostMessageListenerScript('javascript:alert(1)'),
+        isNull,
+      );
+      expect(buildTabaPayPostMessageListenerScript('file:///etc/passwd'), isNull);
+    });
+
+    test('JSON-encodes origin literal for safe embedding in JavaScript', () {
+      final script = buildTabaPayPostMessageListenerScript(
+        'https://pay.example.com/frame',
+      );
+      expect(script, contains('"https://pay.example.com"'));
+    });
+  });
+}