security(tabapay): validate postMessage origin in WebView listener

The TabaPay WebView installed an unrestricted window message listener that
forwarded every postMessage payload to the Flutter messageHandler channel.
A cross-origin frame or page could spoof payment success callbacks and trigger
YAML-defined onSuccess actions with attacker-controlled token data.

Restrict forwarding to messages whose origin matches the configured iframe URL
and fail closed when the URL is not a valid http(s) origin. Add regression
tests for the generated listener script.

Co-authored-by: Sharjeel Yunus <sharjeelyunus@users.noreply.github.com>

Author: cursoragent

modules/ensemble/lib/widget/fintech/tabapay_post_message.dart

@@ -0,0 +1,31 @@
+import 'dart:convert';
+
+/// Builds JavaScript that forwards `postMessage` payloads to the WebView
+/// [messageHandler] channel only when `event.origin` matches the origin of
+/// [pageUrl].
+///
+/// Returns `null` when [pageUrl] is not a valid absolute `http`/`https` URI so
+/// callers can fail closed instead of installing an unrestricted listener.
+String? buildTabaPayPostMessageListenerScript(String pageUrl) {
+  final uri = Uri.tryParse(pageUrl);
+  if (uri == null || !uri.hasScheme || !uri.hasAuthority) {
+    return null;
+  }
+  final scheme = uri.scheme.toLowerCase();
+  if (scheme != 'http' && scheme != 'https') {
+    return null;
+  }
+  final origin = uri.origin;
+  if (origin.isEmpty) {
+    return null;
+  }
+  final originLiteral = jsonEncode(origin);
+  return '''
+window.addEventListener("message", function(event) {
+  if (event.origin !== $originLiteral) {
+    return;
+  }
+  messageHandler.postMessage(event.data);
+});
+''';
+}

modules/ensemble/lib/widget/fintech/tabapayconnect.dart

@@ -10,6 +10,7 @@ import 'package:webview_flutter/webview_flutter.dart';
 import '../../framework/action.dart';
 import '../../screen_controller.dart';
 import '../../util/utils.dart';
+import 'tabapay_post_message.dart';
 
 class TabaPayConnectController extends WidgetController {
   String uri =
@@ -86,8 +87,11 @@ class TabaPayConnectState extends EWidgetState<TabaPayConnect> {
             onMessageReceived: _handleTabaPayMessage)
         ..setNavigationDelegate(
             NavigationDelegate(onPageFinished: (String url) {
-          _webViewController?.runJavaScript(
-              'window.addEventListener("message", (event) => messageHandler.postMessage(event.data))');
+          final listenerScript =
+              buildTabaPayPostMessageListenerScript(widget.controller.uri);
+          if (listenerScript != null) {
+            _webViewController?.runJavaScript(listenerScript);
+          }
         }));
       _webViewController?.loadRequest(Uri.parse(widget.controller.uri));
     }

modules/ensemble/test/tabapay_post_message_test.dart

@@ -0,0 +1,33 @@
+import 'package:ensemble/widget/fintech/tabapay_post_message.dart';
+import 'package:flutter_test/flutter_test.dart';
+
+void main() {
+  group('buildTabaPayPostMessageListenerScript', () {
+    test('includes origin check for valid https iframe URL', () {
+      final script = buildTabaPayPostMessageListenerScript(
+        'https://iframe.tabapay.com/frame',
+      );
+      expect(script, isNotNull);
+      expect(script, contains('"https://iframe.tabapay.com"'));
+      expect(script, contains('event.origin !=='));
+      expect(script, contains('messageHandler.postMessage(event.data)'));
+    });
+
+    test('returns null for invalid or non-http(s) URLs', () {
+      expect(buildTabaPayPostMessageListenerScript(''), isNull);
+      expect(buildTabaPayPostMessageListenerScript('not-a-url'), isNull);
+      expect(
+        buildTabaPayPostMessageListenerScript('javascript:alert(1)'),
+        isNull,
+      );
+      expect(buildTabaPayPostMessageListenerScript('file:///etc/passwd'), isNull);
+    });
+
+    test('JSON-encodes origin literal for safe embedding in JavaScript', () {
+      final script = buildTabaPayPostMessageListenerScript(
+        'https://pay.example.com/frame',
+      );
+      expect(script, contains('"https://pay.example.com"'));
+    });
+  });
+}