ace/worker: Unvalidated dynamic method call

[Tiuipuv]

Describe the bug

Hello Ace Team,

First of all, thank you for this amazing library! We have been using it for over 4 years now, and it provides amazing robust capabilities for our in app code editor interface.

As part of our implementation, we need to resolve potential reported security vulnerabilities recorded by Github's CodeQL engine, including:

• Unvalidated dynamic method call

This issue is present in 2 locations, and has not been previously reported on the issues list:

• https://github.com/ajaxorg/ace/blob/master/lib/ace/worker/worker.js#L214
• https://github.com/ajaxorg/ace/blob/master/experiments/dom.html#L391

We did attempt to follow procedure by reporting to hackerone.com, however hacker one only resolves known/reproducible issues, we are looking for the opposite (confirmation of false positive).

Expected Behavior

The preferred behavior is that the issue is resolved in v1.42+ or acknowledged as a false positive. From all of our research, it appears that all issues cited on worker.js and worker_v2.js are indeed false positives, due to the file only being imported via new Worker(), which prevents any XSS vulnerabilities due to the same origin requirement.

Current Behavior

CodeQL Scanners in GitHub Flag many Critical and High vulnerabilities in our clone of ajaxorg/ace.

Reproduction Steps

• Go to Security tab in ajax/ace
• Click 'Code scanning'
• Review the issue listed above

If that does not reproduce, you can also view them by enabling CodeQL scanner on your repository:

• Go to Settings > Advanced Security tab in ajaxorg/ace
• Under Code Scanning > Tools, turn on CodeQL analysis for master

Possible Solution

Declare the above to be false positives, or acknowledge them as potential issues that will be investigated.

Additional Information/Context

In addition to the above, we also have the below security findings, if you have time to comment on them as well, that would be highly beneficial:

• Unsafe dynamic method access

  • ace/lib/ace/worker/worker_v2.js

    Line 77 in 896c9da

    else if (window[msg.command]) window[msg.command].apply(window, msg.args);

  • ace/lib/ace/worker/worker.js

    Line 206 in 896c9da

    window[msg.command].apply(window, msg.args);

• Incomplete URL substring sanitization
  • https://raw.githubusercontent.com/ajaxorg/ace/refs/heads/master/lib/ace/mode/xquery/xqlint.js (L695)
    • Note we have reported this to the maintainer of xqlint here, if a PR is needed we are happy to facilitate what is needed.
• Missing origin verification in postMessage handler

  • ace/lib/ace/worker/worker_v2.js

    Line 71 in 896c9da

    window.onmessage = function (e) {

Ace Version / Browser / OS / Keyboard layout

1.39.0/chrome/windows/qwerty