From 01d2765e4b566df853cd583006ebc7993d48cd38 Mon Sep 17 00:00:00 2001 From: Cheng Zhao Date: Sat, 3 Oct 2015 20:38:39 +0800 Subject: [PATCH] Prevent Node from adding paths outside this app to search paths --- atom/browser/lib/init.coffee | 3 +++ atom/common/lib/init.coffee | 6 +---- atom/common/lib/reset-search-paths.coffee | 29 +++++++++++++++++++++++ atom/renderer/lib/init.coffee | 3 +++ filenames.gypi | 1 + 5 files changed, 37 insertions(+), 5 deletions(-) create mode 100644 atom/common/lib/reset-search-paths.coffee diff --git a/atom/browser/lib/init.coffee b/atom/browser/lib/init.coffee index 44ae29522ebf..b394c0fecc28 100644 --- a/atom/browser/lib/init.coffee +++ b/atom/browser/lib/init.coffee @@ -7,6 +7,9 @@ Module = require 'module' # we need to restore it here. process.argv.splice 1, 1 +# Clear search paths. +require path.resolve(__dirname, '..', '..', 'common', 'lib', 'reset-search-paths') + # Import common settings. require path.resolve(__dirname, '..', '..', 'common', 'lib', 'init') diff --git a/atom/common/lib/init.coffee b/atom/common/lib/init.coffee index 2bfea3d72afa..1c80e6171a4d 100644 --- a/atom/common/lib/init.coffee +++ b/atom/common/lib/init.coffee @@ -9,12 +9,8 @@ process.atomBinding = (name) -> catch e process.binding "atom_common_#{name}" if /No such module/.test e.message -# Clear node's global search paths. -globalPaths = Module.globalPaths -globalPaths.length = 0 - # Add common/api/lib to module search paths. -globalPaths.push path.resolve(__dirname, '..', 'api', 'lib') +Module.globalPaths.push path.resolve(__dirname, '..', 'api', 'lib') # setImmediate and process.nextTick makes use of uv_check and uv_prepare to # run the callbacks, however since we only run uv loop on requests, the diff --git a/atom/common/lib/reset-search-paths.coffee b/atom/common/lib/reset-search-paths.coffee new file mode 100644 index 000000000000..7061103306aa --- /dev/null +++ b/atom/common/lib/reset-search-paths.coffee @@ -0,0 +1,29 @@ +path = require 'path' +Module = require 'module' + +# Clear Node's global search paths. +Module.globalPaths.length = 0 + +# Clear current and parent(init.coffee)'s search paths. +module.paths = [] +module.parent.paths = [] + +# Prevent Node from adding paths outside this app to search paths. +Module._nodeModulePaths = (from) -> + from = path.resolve from + + # If "from" is outside the app then we do nothing. + skipOutsidePaths = from.startsWith process.resourcesPath + + # Following logoic is copied from module.js. + splitRe = if process.platform is 'win32' then /[\/\\]/ else /\// + paths = [] + + parts = from.split splitRe + for part, tip in parts by -1 + continue if part is 'node_modules' + dir = parts.slice(0, tip + 1).join path.sep + break if skipOutsidePaths and not dir.startsWith process.resourcesPath + paths.push path.join(dir, 'node_modules') + + paths diff --git a/atom/renderer/lib/init.coffee b/atom/renderer/lib/init.coffee index e5173fcd1ec8..b7224b39aeed 100644 --- a/atom/renderer/lib/init.coffee +++ b/atom/renderer/lib/init.coffee @@ -7,6 +7,9 @@ Module = require 'module' # atom-renderer.js, we need to restore it here. process.argv.splice 1, 1 +# Clear search paths. +require path.resolve(__dirname, '..', '..', 'common', 'lib', 'reset-search-paths') + # Import common settings. require path.resolve(__dirname, '..', '..', 'common', 'lib', 'init') diff --git a/filenames.gypi b/filenames.gypi index 0e7010d7a4cf..000633fb96b1 100644 --- a/filenames.gypi +++ b/filenames.gypi @@ -37,6 +37,7 @@ 'atom/common/api/lib/native-image.coffee', 'atom/common/api/lib/shell.coffee', 'atom/common/lib/init.coffee', + 'atom/common/lib/reset-search-paths.coffee', 'atom/renderer/lib/chrome-api.coffee', 'atom/renderer/lib/init.coffee', 'atom/renderer/lib/inspector.coffee',