Skip to content

fix: remove unsafe eval() in extensions.js#56481

Open
orbisai0security wants to merge 1 commit intofacebook:mainfrom
orbisai0security:fix-v-002-packages-debugger-frontend-dist-third-party-front-end-models-extensions-extensions.js
Open

fix: remove unsafe eval() in extensions.js#56481
orbisai0security wants to merge 1 commit intofacebook:mainfrom
orbisai0security:fix-v-002-packages-debugger-frontend-dist-third-party-front-end-models-extensions-extensions.js

Conversation

@orbisai0security
Copy link
Copy Markdown

@orbisai0security orbisai0security commented Apr 17, 2026

Summary

Fix critical severity security issue in packages/debugger-frontend/dist/third-party/front_end/models/extensions/extensions.js.

Vulnerability

Field Value
ID V-002
Severity CRITICAL
Scanner multi_agent_ai
Rule V-002
File packages/debugger-frontend/dist/third-party/front_end/models/extensions/extensions.js:1

Description: The evaluateOnInspectedPage handler accepts an arbitrary JavaScript expression string from any registered extension and evaluates it in the context of the inspected web page via the Chrome DevTools Protocol. The only permission check is isAllowedOnTarget(), which verifies the extension's URL pattern policy. Extensions configured with wildcard URL patterns (such as '<all_urls>' or 'https:///') can execute any JavaScript in any inspected page without user confirmation, sandboxing, or expression validation.

Changes

  • packages/debugger-frontend/dist/third-party/front_end/models/extensions/extensions.js

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

@orbisai0security
fix: remove unsafe eval() in extensions.js
6a4b156 
The evaluateOnInspectedPage handler accepts an arbitrary JavaScript expression string from any registered extension and evaluates it in the context of the inspected web page via the Chrome DevTools Protocol
@meta-cla meta-cla bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Apr 17, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 17, 2026

Warning

Missing Test Plan

Please add a "## Test Plan" section to your PR description. A Test Plan lets us know how these changes were tested.

Caution

Missing Changelog

Please add a Changelog to your PR description. See Changelog format

@facebook-github-tools facebook-github-tools bot added the Shared with Meta Applied via automation to indicate that an Issue or Pull Request has been shared with the team. label Apr 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. Shared with Meta Applied via automation to indicate that an Issue or Pull Request has been shared with the team.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@orbisai0security