build: enable JS semicolons (#22783)
This commit is contained in:
Samuel Attard
GitHub
parent
24e21467b9
commit
5d657dece4
354 changed files with 21512 additions and 21510 deletions
|
|
@ -1,9 +1,9 @@
|
|||
import { webFrame } from 'electron'
|
||||
import { ipcRendererInternal } from '@electron/internal/renderer/ipc-renderer-internal'
|
||||
import { webFrame } from 'electron';
|
||||
import { ipcRendererInternal } from '@electron/internal/renderer/ipc-renderer-internal';
|
||||
|
||||
let shouldLog: boolean | null = null
|
||||
let shouldLog: boolean | null = null;
|
||||
|
||||
const { platform, execPath, env } = process
|
||||
const { platform, execPath, env } = process;
|
||||
|
||||
/**
|
||||
* This method checks if a security message should be logged.
|
||||
|
|
@ -15,37 +15,37 @@ const { platform, execPath, env } = process
|
|||
*/
|
||||
const shouldLogSecurityWarnings = function (): boolean {
|
||||
if (shouldLog !== null) {
|
||||
return shouldLog
|
||||
return shouldLog;
|
||||
}
|
||||
|
||||
switch (platform) {
|
||||
case 'darwin':
|
||||
shouldLog = execPath.endsWith('MacOS/Electron') ||
|
||||
execPath.includes('Electron.app/Contents/Frameworks/')
|
||||
break
|
||||
execPath.includes('Electron.app/Contents/Frameworks/');
|
||||
break;
|
||||
case 'freebsd':
|
||||
case 'linux':
|
||||
shouldLog = execPath.endsWith('/electron')
|
||||
break
|
||||
shouldLog = execPath.endsWith('/electron');
|
||||
break;
|
||||
case 'win32':
|
||||
shouldLog = execPath.endsWith('\\electron.exe')
|
||||
break
|
||||
shouldLog = execPath.endsWith('\\electron.exe');
|
||||
break;
|
||||
default:
|
||||
shouldLog = false
|
||||
shouldLog = false;
|
||||
}
|
||||
|
||||
if ((env && env.ELECTRON_DISABLE_SECURITY_WARNINGS) ||
|
||||
(window && window.ELECTRON_DISABLE_SECURITY_WARNINGS)) {
|
||||
shouldLog = false
|
||||
shouldLog = false;
|
||||
}
|
||||
|
||||
if ((env && env.ELECTRON_ENABLE_SECURITY_WARNINGS) ||
|
||||
(window && window.ELECTRON_ENABLE_SECURITY_WARNINGS)) {
|
||||
shouldLog = true
|
||||
shouldLog = true;
|
||||
}
|
||||
|
||||
return shouldLog
|
||||
}
|
||||
return shouldLog;
|
||||
};
|
||||
|
||||
/**
|
||||
* Checks if the current window is remote.
|
||||
|
|
@ -54,9 +54,9 @@ const shouldLogSecurityWarnings = function (): boolean {
|
|||
*/
|
||||
const getIsRemoteProtocol = function () {
|
||||
if (window && window.location && window.location.protocol) {
|
||||
return /^(http|ftp)s?/gi.test(window.location.protocol)
|
||||
return /^(http|ftp)s?/gi.test(window.location.protocol);
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
* Checks if the current window is from localhost.
|
||||
|
|
@ -65,11 +65,11 @@ const getIsRemoteProtocol = function () {
|
|||
*/
|
||||
const isLocalhost = function () {
|
||||
if (!window || !window.location) {
|
||||
return false
|
||||
return false;
|
||||
}
|
||||
|
||||
return window.location.hostname === 'localhost'
|
||||
}
|
||||
return window.location.hostname === 'localhost';
|
||||
};
|
||||
|
||||
/**
|
||||
* Tries to determine whether a CSP without `unsafe-eval` is set.
|
||||
|
|
@ -79,17 +79,17 @@ const isLocalhost = function () {
|
|||
const isUnsafeEvalEnabled = function () {
|
||||
return webFrame.executeJavaScript(`(${(() => {
|
||||
try {
|
||||
new Function('') // eslint-disable-line no-new,no-new-func
|
||||
new Function(''); // eslint-disable-line no-new,no-new-func
|
||||
} catch {
|
||||
return false
|
||||
return false;
|
||||
}
|
||||
return true
|
||||
}).toString()})()`, false)
|
||||
}
|
||||
return true;
|
||||
}).toString()})()`, false);
|
||||
};
|
||||
|
||||
const moreInformation = `\nFor more information and help, consult
|
||||
https://electronjs.org/docs/tutorial/security.\nThis warning will not show up
|
||||
once the app is packaged.`
|
||||
once the app is packaged.`;
|
||||
|
||||
/**
|
||||
* #1 Only load secure content
|
||||
|
|
@ -99,7 +99,7 @@ once the app is packaged.`
|
|||
*/
|
||||
const warnAboutInsecureResources = function () {
|
||||
if (!window || !window.performance || !window.performance.getEntriesByType) {
|
||||
return
|
||||
return;
|
||||
}
|
||||
|
||||
const resources = window.performance
|
||||
|
|
@ -107,20 +107,20 @@ const warnAboutInsecureResources = function () {
|
|||
.filter(({ name }) => /^(http|ftp):/gi.test(name || ''))
|
||||
.filter(({ name }) => new URL(name).hostname !== 'localhost')
|
||||
.map(({ name }) => `- ${name}`)
|
||||
.join('\n')
|
||||
.join('\n');
|
||||
|
||||
if (!resources || resources.length === 0) {
|
||||
return
|
||||
return;
|
||||
}
|
||||
|
||||
const warning = `This renderer process loads resources using insecure
|
||||
protocols. This exposes users of this app to unnecessary security risks.
|
||||
Consider loading the following resources over HTTPS or FTPS. \n${resources}
|
||||
\n${moreInformation}`
|
||||
\n${moreInformation}`;
|
||||
|
||||
console.warn('%cElectron Security Warning (Insecure Resources)',
|
||||
'font-weight: bold;', warning)
|
||||
}
|
||||
'font-weight: bold;', warning);
|
||||
};
|
||||
|
||||
/**
|
||||
* #2 on the checklist: Disable the Node.js integration in all renderers that
|
||||
|
|
@ -129,17 +129,17 @@ const warnAboutInsecureResources = function () {
|
|||
* Logs a warning message about Node integration.
|
||||
*/
|
||||
const warnAboutNodeWithRemoteContent = function (nodeIntegration: boolean) {
|
||||
if (!nodeIntegration || isLocalhost()) return
|
||||
if (!nodeIntegration || isLocalhost()) return;
|
||||
|
||||
if (getIsRemoteProtocol()) {
|
||||
const warning = `This renderer process has Node.js integration enabled
|
||||
and attempted to load remote content from '${window.location}'. This
|
||||
exposes users of this app to severe security risks.\n${moreInformation}`
|
||||
exposes users of this app to severe security risks.\n${moreInformation}`;
|
||||
|
||||
console.warn('%cElectron Security Warning (Node.js Integration with Remote Content)',
|
||||
'font-weight: bold;', warning)
|
||||
'font-weight: bold;', warning);
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
// Currently missing since it has ramifications and is still experimental:
|
||||
// #3 Enable context isolation in all renderers that display remote content
|
||||
|
|
@ -153,14 +153,14 @@ const warnAboutNodeWithRemoteContent = function (nodeIntegration: boolean) {
|
|||
* Logs a warning message about disabled webSecurity.
|
||||
*/
|
||||
const warnAboutDisabledWebSecurity = function (webPreferences?: Electron.WebPreferences) {
|
||||
if (!webPreferences || webPreferences.webSecurity !== false) return
|
||||
if (!webPreferences || webPreferences.webSecurity !== false) return;
|
||||
|
||||
const warning = `This renderer process has "webSecurity" disabled. This
|
||||
exposes users of this app to severe security risks.\n${moreInformation}`
|
||||
exposes users of this app to severe security risks.\n${moreInformation}`;
|
||||
|
||||
console.warn('%cElectron Security Warning (Disabled webSecurity)',
|
||||
'font-weight: bold;', warning)
|
||||
}
|
||||
'font-weight: bold;', warning);
|
||||
};
|
||||
|
||||
/**
|
||||
* #6 on the checklist: Define a Content-Security-Policy and use restrictive
|
||||
|
|
@ -170,16 +170,16 @@ const warnAboutDisabledWebSecurity = function (webPreferences?: Electron.WebPref
|
|||
*/
|
||||
const warnAboutInsecureCSP = function () {
|
||||
isUnsafeEvalEnabled().then((enabled) => {
|
||||
if (!enabled) return
|
||||
if (!enabled) return;
|
||||
|
||||
const warning = `This renderer process has either no Content Security
|
||||
Policy set or a policy with "unsafe-eval" enabled. This exposes users of
|
||||
this app to unnecessary security risks.\n${moreInformation}`
|
||||
this app to unnecessary security risks.\n${moreInformation}`;
|
||||
|
||||
console.warn('%cElectron Security Warning (Insecure Content-Security-Policy)',
|
||||
'font-weight: bold;', warning)
|
||||
})
|
||||
}
|
||||
'font-weight: bold;', warning);
|
||||
});
|
||||
};
|
||||
|
||||
/**
|
||||
* #7 on the checklist: Do not set allowRunningInsecureContent to true
|
||||
|
|
@ -187,15 +187,15 @@ const warnAboutInsecureCSP = function () {
|
|||
* Logs a warning message about disabled webSecurity.
|
||||
*/
|
||||
const warnAboutInsecureContentAllowed = function (webPreferences?: Electron.WebPreferences) {
|
||||
if (!webPreferences || !webPreferences.allowRunningInsecureContent) return
|
||||
if (!webPreferences || !webPreferences.allowRunningInsecureContent) return;
|
||||
|
||||
const warning = `This renderer process has "allowRunningInsecureContent"
|
||||
enabled. This exposes users of this app to severe security risks.\n
|
||||
${moreInformation}`
|
||||
${moreInformation}`;
|
||||
|
||||
console.warn('%cElectron Security Warning (allowRunningInsecureContent)',
|
||||
'font-weight: bold;', warning)
|
||||
}
|
||||
'font-weight: bold;', warning);
|
||||
};
|
||||
|
||||
/**
|
||||
* #8 on the checklist: Do not enable experimental features
|
||||
|
|
@ -204,16 +204,16 @@ const warnAboutInsecureContentAllowed = function (webPreferences?: Electron.WebP
|
|||
*/
|
||||
const warnAboutExperimentalFeatures = function (webPreferences?: Electron.WebPreferences) {
|
||||
if (!webPreferences || (!webPreferences.experimentalFeatures)) {
|
||||
return
|
||||
return;
|
||||
}
|
||||
|
||||
const warning = `This renderer process has "experimentalFeatures" enabled.
|
||||
This exposes users of this app to some security risk. If you do not need
|
||||
this feature, you should disable it.\n${moreInformation}`
|
||||
this feature, you should disable it.\n${moreInformation}`;
|
||||
|
||||
console.warn('%cElectron Security Warning (experimentalFeatures)',
|
||||
'font-weight: bold;', warning)
|
||||
}
|
||||
'font-weight: bold;', warning);
|
||||
};
|
||||
|
||||
/**
|
||||
* #9 on the checklist: Do not use enableBlinkFeatures
|
||||
|
|
@ -224,16 +224,16 @@ const warnAboutEnableBlinkFeatures = function (webPreferences?: Electron.WebPref
|
|||
if (!webPreferences ||
|
||||
!Object.prototype.hasOwnProperty.call(webPreferences, 'enableBlinkFeatures') ||
|
||||
(webPreferences.enableBlinkFeatures && webPreferences.enableBlinkFeatures.length === 0)) {
|
||||
return
|
||||
return;
|
||||
}
|
||||
|
||||
const warning = `This renderer process has additional "enableBlinkFeatures"
|
||||
enabled. This exposes users of this app to some security risk. If you do not
|
||||
need this feature, you should disable it.\n${moreInformation}`
|
||||
need this feature, you should disable it.\n${moreInformation}`;
|
||||
|
||||
console.warn('%cElectron Security Warning (enableBlinkFeatures)',
|
||||
'font-weight: bold;', warning)
|
||||
}
|
||||
'font-weight: bold;', warning);
|
||||
};
|
||||
|
||||
/**
|
||||
* #10 on the checklist: Do Not Use allowpopups
|
||||
|
|
@ -242,21 +242,21 @@ const warnAboutEnableBlinkFeatures = function (webPreferences?: Electron.WebPref
|
|||
*/
|
||||
const warnAboutAllowedPopups = function () {
|
||||
if (document && document.querySelectorAll) {
|
||||
const domElements = document.querySelectorAll('[allowpopups]')
|
||||
const domElements = document.querySelectorAll('[allowpopups]');
|
||||
|
||||
if (!domElements || domElements.length === 0) {
|
||||
return
|
||||
return;
|
||||
}
|
||||
|
||||
const warning = `A <webview> has "allowpopups" set to true. This exposes
|
||||
users of this app to some security risk, since popups are just
|
||||
BrowserWindows. If you do not need this feature, you should disable it.\n
|
||||
${moreInformation}`
|
||||
${moreInformation}`;
|
||||
|
||||
console.warn('%cElectron Security Warning (allowpopups)',
|
||||
'font-weight: bold;', warning)
|
||||
'font-weight: bold;', warning);
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
// Currently missing since we can't easily programmatically check for it:
|
||||
// #11 Verify WebView Options Before Creation
|
||||
|
|
@ -268,19 +268,19 @@ const warnAboutAllowedPopups = function () {
|
|||
// Logs a warning message about the remote module
|
||||
|
||||
const warnAboutRemoteModuleWithRemoteContent = function (webPreferences?: Electron.WebPreferences) {
|
||||
if (!webPreferences || isLocalhost()) return
|
||||
const remoteModuleEnabled = webPreferences.enableRemoteModule != null ? !!webPreferences.enableRemoteModule : true
|
||||
if (!remoteModuleEnabled) return
|
||||
if (!webPreferences || isLocalhost()) return;
|
||||
const remoteModuleEnabled = webPreferences.enableRemoteModule != null ? !!webPreferences.enableRemoteModule : true;
|
||||
if (!remoteModuleEnabled) return;
|
||||
|
||||
if (getIsRemoteProtocol()) {
|
||||
const warning = `This renderer process has "enableRemoteModule" enabled
|
||||
and attempted to load remote content from '${window.location}'. This
|
||||
exposes users of this app to unnecessary security risks.\n${moreInformation}`
|
||||
exposes users of this app to unnecessary security risks.\n${moreInformation}`;
|
||||
|
||||
console.warn('%cElectron Security Warning (enableRemoteModule)',
|
||||
'font-weight: bold;', warning)
|
||||
'font-weight: bold;', warning);
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
// Currently missing since we can't easily programmatically check for it:
|
||||
// #16 Filter the `remote` module
|
||||
|
|
@ -288,31 +288,31 @@ const warnAboutRemoteModuleWithRemoteContent = function (webPreferences?: Electr
|
|||
const logSecurityWarnings = function (
|
||||
webPreferences: Electron.WebPreferences | undefined, nodeIntegration: boolean
|
||||
) {
|
||||
warnAboutNodeWithRemoteContent(nodeIntegration)
|
||||
warnAboutDisabledWebSecurity(webPreferences)
|
||||
warnAboutInsecureResources()
|
||||
warnAboutInsecureContentAllowed(webPreferences)
|
||||
warnAboutExperimentalFeatures(webPreferences)
|
||||
warnAboutEnableBlinkFeatures(webPreferences)
|
||||
warnAboutInsecureCSP()
|
||||
warnAboutAllowedPopups()
|
||||
warnAboutRemoteModuleWithRemoteContent(webPreferences)
|
||||
}
|
||||
warnAboutNodeWithRemoteContent(nodeIntegration);
|
||||
warnAboutDisabledWebSecurity(webPreferences);
|
||||
warnAboutInsecureResources();
|
||||
warnAboutInsecureContentAllowed(webPreferences);
|
||||
warnAboutExperimentalFeatures(webPreferences);
|
||||
warnAboutEnableBlinkFeatures(webPreferences);
|
||||
warnAboutInsecureCSP();
|
||||
warnAboutAllowedPopups();
|
||||
warnAboutRemoteModuleWithRemoteContent(webPreferences);
|
||||
};
|
||||
|
||||
const getWebPreferences = async function () {
|
||||
try {
|
||||
return ipcRendererInternal.invoke<Electron.WebPreferences>('ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES')
|
||||
return ipcRendererInternal.invoke<Electron.WebPreferences>('ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES');
|
||||
} catch (error) {
|
||||
console.warn(`getLastWebPreferences() failed: ${error}`)
|
||||
console.warn(`getLastWebPreferences() failed: ${error}`);
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
export function securityWarnings (nodeIntegration: boolean) {
|
||||
const loadHandler = async function () {
|
||||
if (shouldLogSecurityWarnings()) {
|
||||
const webPreferences = await getWebPreferences()
|
||||
logSecurityWarnings(webPreferences, nodeIntegration)
|
||||
const webPreferences = await getWebPreferences();
|
||||
logSecurityWarnings(webPreferences, nodeIntegration);
|
||||
}
|
||||
}
|
||||
window.addEventListener('load', loadHandler, { once: true })
|
||||
};
|
||||
window.addEventListener('load', loadHandler, { once: true });
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue