Merged PR 483438: JS SDK - embed URL validation

Following MSRC case as malicious site can be injected as the embed iframe src, added embed URL validation to ensure the host is an allowed PBI src.

A valid embed url protocol is "https:"

The valid hosts names are ([retrieved from EV2-deployment repository - all of ida_PowerBIFeUrl key values](https://dev.azure.com/powerbi/PowerBIClients/_search?action=contents&text=ida_PowerBIFeUrl path%3A*envParams*&type=code&lp=code-Project&filters=ProjectFilters{PowerBIClients}RepositoryFilters{PowerBIClients-EV2-Deployment}&pageSize=25&result=DefaultCollection/PowerBIClients/PowerBIClients-EV2-Deployment/GBmaster//WFE/AppService/ADM/Public/INT/envParams.txt)):

-  app.powerbi.com,
-  app.powerbi.cn,
-   app.powerbigov.us,
-  app.mil.powerbigov.us,
-  app.high.powerbigov.us,
-  app.powerbi.eaglex.ic.gov,
-  app.powerbi.microsoft.scloud,
-   powerbi-df.analysis-df.windows.net,
-   CST WFE URLs: 'https://{cst-name}.analysis.windows-int.net/'
-   daily.powerbi.com
-   dxt.powerbi.com
-   msit.powerbi.com

Embed URL validation should include fabric embed URL.

All of the above should be covered by the following regex expressions:

.+\.powerbi.com$
-   daily.powerbi.com
-   dxt.powerbi.com
-   msit.powerbi.com
-  app.powerbi.com

FF:  ^app(.mil.|.high.|.)powerbigov.us$
-   app.powerbigov.us,
-  app.mil.powerbigov.us,
-  app.high.powerbigov.us

Edog: .+\.analysis-df.windows.net$

Onebox and CSTs: .+\.analysis.windows-int.net$

Fabric URLs: .+\.fabric.microsoft.com$

**Please look into the test cases in utils.spec.ts to see the valid and invalid embe urls**

Related work items: #1245653

Author: May Hartov

dist/powerbi-client.d.ts

@@ -12,6 +12,7 @@ declare module "config" {
 declare module "errors" {
     export const APINotSupportedForRDLError = "This API is currently not supported for RDL reports";
     export const EmbedUrlNotSupported = "Embed URL is invalid for this scenario. Please use Power BI REST APIs to get the valid URL";
+    export const invalidEmbedUrlErrorMessage: string;
 }
 declare module "util" {
     import { HttpPostMessage } from 'http-post-message';
@@ -124,6 +125,11 @@ declare module "util" {
      * @returns {boolean}
      */
     export function isCreate(embedType: string): boolean;
+    /**
+     * Checks if the embedUrl has an allowed power BI domain
+     * @hidden
+     */
+    export function validateEmbedUrl(embedUrl: string): boolean;
 }
 declare module "embed" {
     import * as models from 'powerbi-models';
@@ -909,7 +915,7 @@ declare module "page" {
          * Get insights for report page
          *
          * ```javascript
-         * page.getSmartNarrativeInsights()
+         * page.getSmartNarrativeInsights();
          * ```
          *
          * @returns {Promise<ISmartNarratives>}

dist/powerbi.js

@@ -3,9 +3,9 @@
 
 import * as models from 'powerbi-models';
 import * as sdkConfig from './config';
-import { EmbedUrlNotSupported } from './errors';
+import { EmbedUrlNotSupported, invalidEmbedUrlErrorMessage } from './errors';
 import { ICustomEvent, IEvent, IEventHandler, Service } from './service';
-import { addParamToUrl, assign, autoAuthInEmbedUrl, createRandomString, getTimeDiffInMilliseconds, remove, isCreate } from './util';
+import { addParamToUrl, assign, autoAuthInEmbedUrl, createRandomString, getTimeDiffInMilliseconds, remove, isCreate, validateEmbedUrl } from './util';
 
 declare global {
   interface Document {
@@ -573,7 +573,7 @@ export abstract class Embed {
 
     const accessTokenProvider = eventHooks.accessTokenProvider;
     if (!!accessTokenProvider) {
-      if ((['create', 'quickcreate', 'report'].indexOf(this.embedtype.toLowerCase()) ===  -1) || this.config.tokenType !== models.TokenType.Aad) {
+      if ((['create', 'quickcreate', 'report'].indexOf(this.embedtype.toLowerCase()) === -1) || this.config.tokenType !== models.TokenType.Aad) {
         throw new Error("accessTokenProvider is only supported in report SaaS embed");
       }
     }
@@ -634,10 +634,6 @@ export abstract class Embed {
     // Trim spaces to fix user mistakes.
     hostname = hostname.toLowerCase().trim();
 
-    if (hostname.indexOf("http://") === 0) {
-      throw new Error("HTTP is not allowed. HTTPS is required");
-    }
-
     if (hostname.indexOf("https://") === 0) {
       return `${hostname}/${endpoint}`;
     }
@@ -745,6 +741,9 @@ export abstract class Embed {
     if (!this.iframe) {
       const iframeContent = document.createElement("iframe");
       const embedUrl = this.config.uniqueId ? addParamToUrl(this.config.embedUrl, 'uid', this.config.uniqueId) : this.config.embedUrl;
+      if (!validateEmbedUrl(embedUrl)) {
+        throw new Error(invalidEmbedUrlErrorMessage);
+      }
 
       iframeContent.style.width = '100%';
       iframeContent.style.height = '100%';

dist/powerbi.min.js

@@ -3,4 +3,5 @@
 
 export const APINotSupportedForRDLError = "This API is currently not supported for RDL reports";
 export const EmbedUrlNotSupported = "Embed URL is invalid for this scenario. Please use Power BI REST APIs to get the valid URL";
+export const invalidEmbedUrlErrorMessage: string = "Invalid embed URL detected. Either URL hostname or protocol are invalid. Please use Power BI REST APIs to get the valid URL";
 

src/embed.ts

@@ -29,6 +29,7 @@ import { Visual } from './visual';
 import * as utils from './util';
 import { QuickCreate } from './quickCreate';
 import * as sdkConfig from './config';
+import { invalidEmbedUrlErrorMessage } from './errors';
 
 export interface IEvent<T> {
   type: string;
@@ -667,6 +668,10 @@ export class Service implements IService {
    * @param {HTMLElement} [element=undefined]
    */
   preload(config: IComponentEmbedConfiguration | IEmbedConfigurationBase, element?: HTMLElement): HTMLIFrameElement {
+    if (!utils.validateEmbedUrl(config.embedUrl)) {
+      throw new Error(invalidEmbedUrlErrorMessage);
+    }
+
     const iframeContent = document.createElement("iframe");
     iframeContent.setAttribute("style", "display:none;");
     iframeContent.setAttribute("src", config.embedUrl);

src/errors.ts

@@ -3,6 +3,22 @@
 
 import { HttpPostMessage } from 'http-post-message';
 
+/**
+ * @hidden
+ */
+const allowedPowerBiHostsRegex =
+  new RegExp(/(.+\.powerbi\.com$)|(.+\.fabric\.microsoft\.com$)|(.+\.analysis\.windows-int\.net$)|(.+\.analysis-df\.windows\.net$)/g);
+
+/**
+ * @hidden
+ */
+const allowedPowerBiHostsSovRegex = new RegExp(/^app\.powerbi\.cn$|^app(\.mil\.|\.high\.|\.)powerbigov\.us$|^app\.powerbi\.eaglex\.ic\.gov$|^app\.powerbi\.microsoft\.scloud$/g);
+
+/**
+ * @hidden
+ */
+const expectedEmbedUrlProtocol: string = "https:";
+
 /**
  * Raises a custom event with event data on the specified HTML element.
  *
@@ -223,3 +239,21 @@ export function getTimeDiffInMilliseconds(start: Date, end: Date): number {
 export function isCreate(embedType: string): boolean {
   return embedType === 'create' || embedType === 'quickcreate';
 }
+
+/**
+ * Checks if the embedUrl has an allowed power BI domain
+ * @hidden
+ */
+export function validateEmbedUrl(embedUrl: string): boolean {
+  if (embedUrl) {
+    let url: URL;
+    try {
+      url = new URL(embedUrl.toLowerCase());
+    } catch(e) {
+      // invalid URL
+      return false;
+    }
+    return url.protocol === expectedEmbedUrlProtocol &&
+      (allowedPowerBiHostsRegex.test(url.hostname) || allowedPowerBiHostsSovRegex.test(url.hostname));
+  }
+}

src/service.ts

@@ -48,9 +48,10 @@ describe('SDK-to-HPM', function () {
     };
 
     spyOn(utils, "getTimeDiffInMilliseconds").and.callFake(() => 700); // Prevent requests from being throttled.
+    spyOn(utils, 'validateEmbedUrl').and.callFake(() => { return true; });
 
     powerbi = new service.Service(spyHpmFactory, noop, spyRouterFactory, { wpmpName: 'SDK-to-HPM report wpmp' });
-
+    
     sdkSessionId = powerbi.getSdkSessionId();
   });
 

src/util.ts

@@ -31,6 +31,9 @@ describe('SDK-to-MockApp', function () {
     powerbi = new service.Service(factories.hpmFactory, factories.wpmpFactory, factories.routerFactory, {
       wpmpName: 'SDK-to-MockApp HostWpmp'
     });
+
+    spyOn(utils, 'validateEmbedUrl').and.callFake(() => { return true; });
+
     element = document.createElement('div');
     element.id = "reportContainer1";
     element.className = 'powerbi-report-container2';

test/SDK-to-HPM.spec.ts

@@ -5,6 +5,7 @@ import * as service from '../src/service';
 import * as report from '../src/report';
 import * as Wpmp from 'window-post-message-proxy';
 import * as factories from '../src/factories';
+import * as utils from '../src/util';
 import { spyWpmp } from './utility/mockWpmp';
 import { spyHpm } from './utility/mockHpm';
 import { spyRouter } from './utility/mockRouter';
@@ -17,6 +18,7 @@ describe('SDK-to-WPMP', function () {
   let uniqueId: string;
 
   beforeEach(function () {
+    spyOn(utils, 'validateEmbedUrl').and.callFake(() => { return true; });
     const spyWpmpFactory: factories.IWpmpFactory = (_name?: string, _logMessages?: boolean) => {
       return <Wpmp.WindowPostMessageProxy>spyWpmp;
     };