feat: add security warnings to sandboxed renderers (#14869)

Also refactor not to use the remote module.
2018-10-03 21:36:12 +02:00 · 2018-10-03 21:36:12 +02:00 · 5efb0fdff1
commit 5efb0fdff1
parent de020d0a5e
5 changed files with 327 additions and 224 deletions
--- a/lib/browser/rpc-server.js
+++ b/lib/browser/rpc-server.js
@ -475,3 +475,11 @@ ipcMain.on('ELECTRON_BROWSER_SANDBOX_LOAD', function (event) {
    }
  }
 })
+
+ipcMain.on('ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES', function (event) {
+  try {
+    event.returnValue = [null, event.sender.getLastWebPreferences()]
+  } catch (error) {
+    event.returnValue = [errorUtils.serialize(error)]
+  }
+})
--- a/lib/renderer/init.js
+++ b/lib/renderer/init.js
@ -27,18 +27,6 @@ v8Util.setHiddenValue(global, 'ipc', new events.EventEmitter())
 // Use electron module after everything is ready.
 const { ipcRenderer } = require('electron')

-const {
-  warnAboutNodeWithRemoteContent,
-  warnAboutDisabledWebSecurity,
-  warnAboutInsecureContentAllowed,
-  warnAboutExperimentalFeatures,
-  warnAboutEnableBlinkFeatures,
-  warnAboutInsecureResources,
-  warnAboutInsecureCSP,
-  warnAboutAllowedPopups,
-  shouldLogSecurityWarnings
-} = require('@electron/internal/renderer/security-warnings')
-
 require('@electron/internal/renderer/web-frame-init')()

 // Process command line arguments.
@ -168,23 +156,7 @@ for (const preloadScript of preloadScripts) {
 }

 // Warn about security issues
-window.addEventListener('load', function loadHandler () {
-  if (shouldLogSecurityWarnings()) {
-    if (nodeIntegration === 'true') {
-      warnAboutNodeWithRemoteContent()
-    }
-
-    warnAboutDisabledWebSecurity()
-    warnAboutInsecureResources()
-    warnAboutInsecureContentAllowed()
-    warnAboutExperimentalFeatures()
-    warnAboutEnableBlinkFeatures()
-    warnAboutInsecureCSP()
-    warnAboutAllowedPopups()
-  }
-
-  window.removeEventListener('load', loadHandler)
-})
+require('@electron/internal/renderer/security-warnings')(nodeIntegration === 'true')

 // Report focus/blur events of webview to browser.
 // Note that while Chromium content APIs have observer for focus/blur, they
--- a/lib/renderer/security-warnings.js
+++ b/lib/renderer/security-warnings.js
@ -77,41 +77,17 @@ const isUnsafeEvalEnabled = function () {
  })
 }

-/**
- * Attempts to get the current webContents. Returns null
- * if that fails
- *
- * @returns {Object|null} webPreferences
- */
-let webPreferences
-const getWebPreferences = function () {
-  try {
-    if (webPreferences) {
-      return webPreferences
-    }
-
-    const { remote } = require('electron')
-    webPreferences = remote.getCurrentWebContents().getLastWebPreferences()
-    return webPreferences
-  } catch (error) {
-    return null
-  }
-}
-
 const moreInformation = `\nFor more information and help, consult
 https://electronjs.org/docs/tutorial/security.\n This warning will not show up
 once the app is packaged.`

-module.exports = {
-  shouldLogSecurityWarnings,
-
 /**
 * #1 Only load secure content
 *
 * Checks the loaded resources on the current page and logs a
 * message about all resources loaded over HTTP or FTP.
 */
-  warnAboutInsecureResources: () => {
+const warnAboutInsecureResources = function () {
  if (!window || !window.performance || !window.performance.getEntriesByType) {
    return
  }
@ -133,7 +109,7 @@ module.exports = {

  console.warn('%cElectron Security Warning (Insecure Resources)',
    'font-weight: bold;', warning)
-  },
+}

 /**
 * #2 on the checklist: Disable the Node.js integration in all renderers that
@ -141,7 +117,9 @@ module.exports = {
 *
 * Logs a warning message about Node integration.
 */
-  warnAboutNodeWithRemoteContent: () => {
+const warnAboutNodeWithRemoteContent = function (nodeIntegration) {
+  if (!nodeIntegration) return
+
  if (getIsRemoteProtocol()) {
    const warning = `This renderer process has Node.js integration enabled
    and attempted to load remote content from '${window.location}'. This
@ -150,7 +128,7 @@ module.exports = {
    console.warn('%cElectron Security Warning (Node.js Integration with Remote Content)',
      'font-weight: bold;', warning)
  }
-  },
+}

 // Currently missing since it has ramifications and is still experimental:
 //   #3 Enable context isolation in all renderers that display remote content
@ -163,8 +141,7 @@ module.exports = {
 *
 * Logs a warning message about disabled webSecurity.
 */
-  warnAboutDisabledWebSecurity: () => {
-    const webPreferences = getWebPreferences()
+const warnAboutDisabledWebSecurity = function (webPreferences) {
  if (!webPreferences || webPreferences.webSecurity !== false) return

  const warning = `This renderer process has "webSecurity" disabled. This
@ -172,7 +149,7 @@ module.exports = {

  console.warn('%cElectron Security Warning (Disabled webSecurity)',
    'font-weight: bold;', warning)
-  },
+}

 /**
 * #6 on the checklist: Define a Content-Security-Policy and use restrictive
@ -182,7 +159,7 @@ module.exports = {
 *
 * Logs a warning message about unset or insecure CSP
 */
-  warnAboutInsecureCSP: () => {
+const warnAboutInsecureCSP = function () {
  isUnsafeEvalEnabled().then((enabled) => {
    if (!enabled) return

@ -193,15 +170,14 @@ module.exports = {
    console.warn('%cElectron Security Warning (Insecure Content-Security-Policy)',
      'font-weight: bold;', warning)
  })
-  },
+}

 /**
 * #8 on the checklist: Do not set allowRunningInsecureContent to true
 *
 * Logs a warning message about disabled webSecurity.
 */
-  warnAboutInsecureContentAllowed: () => {
-    const webPreferences = getWebPreferences()
+const warnAboutInsecureContentAllowed = function (webPreferences) {
  if (!webPreferences || !webPreferences.allowRunningInsecureContent) return

  const warning = `This renderer process has "allowRunningInsecureContent"
@ -210,15 +186,14 @@ module.exports = {

  console.warn('%cElectron Security Warning (allowRunningInsecureContent)',
    'font-weight: bold;', warning)
-  },
+}

 /**
 * #9 on the checklist: Do not enable experimental features
 *
 * Logs a warning message about experimental features.
 */
-  warnAboutExperimentalFeatures: () => {
-    const webPreferences = getWebPreferences()
+const warnAboutExperimentalFeatures = function (webPreferences) {
  if (!webPreferences || (!webPreferences.experimentalFeatures)) {
    return
  }
@ -229,15 +204,14 @@ module.exports = {

  console.warn('%cElectron Security Warning (experimentalFeatures)',
    'font-weight: bold;', warning)
-  },
+}

 /**
 * #10 on the checklist: Do not use enableBlinkFeatures
 *
 * Logs a warning message about enableBlinkFeatures
 */
-  warnAboutEnableBlinkFeatures: () => {
-    const webPreferences = getWebPreferences()
+const warnAboutEnableBlinkFeatures = function (webPreferences) {
  if (webPreferences === null ||
    !webPreferences.hasOwnProperty('enableBlinkFeatures') ||
    webPreferences.enableBlinkFeatures.length === 0) {
@ -250,14 +224,14 @@ module.exports = {

  console.warn('%cElectron Security Warning (enableBlinkFeatures)',
    'font-weight: bold;', warning)
-  },
+}

 /**
 * #11 on the checklist: Do Not Use allowpopups
 *
 * Logs a warning message about allowed popups
 */
-  warnAboutAllowedPopups: () => {
+const warnAboutAllowedPopups = function () {
  if (document && document.querySelectorAll) {
    const domElements = document.querySelectorAll('[allowpopups]')

@ -277,4 +251,38 @@ module.exports = {

 // Currently missing since we can't easily programmatically check for it:
 //   #12WebViews: Verify the options and params of all `<webview>` tags
+
+const logSecurityWarnings = function (webPreferences, nodeIntegration) {
+  warnAboutNodeWithRemoteContent(nodeIntegration)
+  warnAboutDisabledWebSecurity(webPreferences)
+  warnAboutInsecureResources()
+  warnAboutInsecureContentAllowed(webPreferences)
+  warnAboutExperimentalFeatures(webPreferences)
+  warnAboutEnableBlinkFeatures(webPreferences)
+  warnAboutInsecureCSP()
+  warnAboutAllowedPopups()
+}
+
+const getWebPreferences = function () {
+  const { ipcRenderer } = require('electron')
+  const errorUtils = require('@electron/internal/common/error-utils')
+
+  const [ error, result ] = ipcRenderer.sendSync('ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES')
+
+  if (error) {
+    console.warn(`getLastWebPreferences() failed: ${errorUtils.deserialize(error)}`)
+    return null
+  } else {
+    return result
+  }
+}
+
+module.exports = function (nodeIntegration) {
+  const loadHandler = function () {
+    if (shouldLogSecurityWarnings()) {
+      const webPreferences = getWebPreferences()
+      logSecurityWarnings(webPreferences, nodeIntegration)
+    }
+  }
+  window.addEventListener('load', loadHandler, { once: true })
 }
--- a/lib/sandboxed_renderer/init.js
+++ b/lib/sandboxed_renderer/init.js
@ -115,3 +115,6 @@ if (preloadSrc) {
 } else if (preloadError) {
  console.error(preloadError.stack)
 }
+
+// Warn about security issues
+require('@electron/internal/renderer/security-warnings')()
--- a/spec/security-warnings-spec.js
+++ b/spec/security-warnings-spec.js
@ -84,6 +84,22 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

+  it('should warn about disabled webSecurity (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        webSecurity: false,
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('Disabled webSecurity'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
+  })
+
  it('should warn about insecure Content-Security-Policy', (done) => {
    w = new BrowserWindow({
      show: false,
@ -101,6 +117,23 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

+  it('should warn about insecure Content-Security-Policy (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        sandbox: true
+      }
+    })
+
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('Insecure Content-Security-Policy'), message)
+      done()
+    })
+
+    useCsp = false
+    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
+  })
+
  it('should warn about allowRunningInsecureContent', (done) => {
    w = new BrowserWindow({
      show: false,
@ -117,6 +150,22 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

+  it('should warn about allowRunningInsecureContent (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        allowRunningInsecureContent: true,
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('allowRunningInsecureContent'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
+  })
+
  it('should warn about experimentalFeatures', (done) => {
    w = new BrowserWindow({
      show: false,
@ -133,6 +182,22 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

+  it('should warn about experimentalFeatures (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        experimentalFeatures: true,
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('experimentalFeatures'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
+  })
+
  it('should warn about enableBlinkFeatures', (done) => {
    w = new BrowserWindow({
      show: false,
@ -149,6 +214,22 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

+  it('should warn about enableBlinkFeatures (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        enableBlinkFeatures: ['my-cool-feature'],
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('enableBlinkFeatures'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
+  })
+
  it('should warn about allowpopups', (done) => {
    w = new BrowserWindow({
      show: false,
@ -164,9 +245,24 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/webview-allowpopups.html`)
  })

+  it('should warn about allowpopups (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('allowpopups'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/webview-allowpopups.html`)
+  })
+
  it('should warn about insecure resources', (done) => {
    w = new BrowserWindow({
-      show: true,
+      show: false,
      webPreferences: {
        nodeIntegration: false
      }
@ -179,4 +275,20 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/insecure-resources.html`)
    w.webContents.openDevTools()
  })
+
+  it('should warn about insecure resources (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('Insecure Resources'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/insecure-resources.html`)
+    w.webContents.openDevTools()
+  })
 })