PinchTab Security-Policy Bypass Vulnerability Allowing Arbitrary JavaScript Execution
Vulnerability
A security-policy bypass vulnerability has been identified in PinchTab versions 0.8.3 through 0.8.5. This vulnerability allows authenticated users to execute arbitrary JavaScript in the context of a Chrome browser tab, even when JavaScript execution is disabled by default. The issue arises in the 'POST /wait' and 'POST /tabs/{id}/wait' endpoints, which accept user-controlled 'fn' expressions, embed them into executable JavaScript, and evaluate them in the browser context without the required security check. While the 'POST /evaluate' endpoint correctly enforces the 'security.allowEvaluate' guard, the '/wait' endpoint in the affected versions does not, leaving the two endpoints with inconsistent security policies.
Impact
Exploitation of this vulnerability bypasses the 'security.allowEvaluate' control, allowing arbitrary JavaScript execution in the browser tab context for authenticated users holding a server API token. This execution can read or modify the page state and interact with any authenticated browser sessions available to that tab.
Reproduction
To reproduce this vulnerability, first confirm that the 'security.allowEvaluate' setting is disabled. Then, open a tab using the API and execute JavaScript through the '/wait' endpoint using 'fn' mode. The JavaScript will be executed in the context of the opened tab, demonstrating the vulnerability by, for example, modifying the page state and confirming the change through a subsequent request.
Remediation
The vulnerability has been addressed in the current worktree by making the 'fn' mode in the '/wait' endpoint respect the same 'security.allowEvaluate' policy that the '/evaluate' endpoint enforces. Users should update to the patched version once it is released.
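To illustrate the shape of the fix, the following is an added example (not PinchTab's own code) of a '/wait' handler whose 'fn' mode is gated by a single guard shared with '/evaluate'; the 'SecurityPolicy' and 'WaitRequest' types, the 'waitHandler' and 'authorizeWait' names and the stand-in 'evaluate' callback are assumptions for the example, not PinchTab identifiers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed shapes: SecurityPolicy carries security.allowEvaluate; WaitRequest's
// Selector waits for an element and Fn is the caller's JavaScript ("fn" mode).
type SecurityPolicy struct{ AllowEvaluate bool }
type WaitRequest struct{ Selector, Fn string }

// authorizeWait is the check /wait lacked: fn mode is gated by the same policy /evaluate enforces.
func authorizeWait(p SecurityPolicy, req WaitRequest) error {
	if req.Fn != "" && !p.AllowEvaluate {
		return fmt.Errorf("fn mode rejected: security.allowEvaluate is false")
	}
	return nil
}

// waitHandler is the hardened handler; evaluate stands in for the browser step.
func waitHandler(p SecurityPolicy, evaluate func(string) string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req WaitRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if err := authorizeWait(p, req); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return // evaluate is never reached when the policy forbids it
		}
		if req.Fn != "" {
			fmt.Fprint(w, evaluate(req.Fn))
			return
		}
		fmt.Fprintf(w, "waited for %q", req.Selector)
	}
}

// waitStatus posts body to the hardened /wait handler and returns the status code.
func waitStatus(p SecurityPolicy, body string) int {
	rec := httptest.NewRecorder()
	r := httptest.NewRequest(http.MethodPost, "/wait", strings.NewReader(body))
	waitHandler(p, func(js string) string { return "evaluated: " + js })(rec, r)
	return rec.Code
}
```

With 'AllowEvaluate' false, a selector-mode request still succeeds while any non-empty 'fn' is refused with 403 before the evaluation step, which is the consistency the advisory's fix restores between the two endpoints.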
