refactor: Port security warnings to TypeScript (#16937)

* refactor: Port security-warnings to TypeScript

* chore: make aliasify work on .ts files as well

* refactor: Implement feedback <3

* refactor: Correctly call executeJavaScript
This commit is contained in:
Felix Rieseberg 2019-02-16 17:06:30 -08:00 committed by Samuel Attard
parent 0a84c61074
commit 6b3ff4f1f7
5 changed files with 27 additions and 22 deletions

View file

@ -70,7 +70,7 @@ filenames = {
"lib/renderer/ipc-renderer-internal-utils.ts",
"lib/renderer/ipc-renderer-internal.ts",
"lib/renderer/remote.ts",
"lib/renderer/security-warnings.js",
"lib/renderer/security-warnings.ts",
"lib/renderer/web-frame-init.js",
"lib/renderer/window-setup.ts",
"lib/renderer/web-view/guest-view-internal.js",

View file

@ -167,5 +167,6 @@ for (const preloadScript of preloadScripts) {
// Warn about security issues
if (process.isMainFrame) {
require('@electron/internal/renderer/security-warnings')(nodeIntegration)
const { securityWarnings } = require('@electron/internal/renderer/security-warnings')
securityWarnings(nodeIntegration)
}

View file

@ -1,6 +1,7 @@
'use strict'
import { webFrame } from 'electron'
import { invokeSync } from '@electron/internal/renderer/ipc-renderer-internal-utils'
let shouldLog = null
let shouldLog: boolean | null = null
/**
* This method checks if a security message should be logged.
@ -10,7 +11,7 @@ let shouldLog = null
*
* @returns {boolean} - Should we log?
*/
const shouldLogSecurityWarnings = function () {
const shouldLogSecurityWarnings = function (): boolean {
if (shouldLog !== null) {
return shouldLog
}
@ -63,8 +64,6 @@ const getIsRemoteProtocol = function () {
* @returns {boolean} Is a CSP with `unsafe-eval` set?
*/
const isUnsafeEvalEnabled = function () {
const { webFrame } = require('electron')
return new Promise((resolve) => {
webFrame.executeJavaScript(`(${(() => {
try {
@ -73,7 +72,7 @@ const isUnsafeEvalEnabled = function () {
return false
}
return true
}).toString()})()`, resolve)
}).toString()})()`, false, resolve)
})
}
@ -117,7 +116,7 @@ const warnAboutInsecureResources = function () {
*
* Logs a warning message about Node integration.
*/
const warnAboutNodeWithRemoteContent = function (nodeIntegration) {
const warnAboutNodeWithRemoteContent = function (nodeIntegration: boolean) {
if (!nodeIntegration) return
if (getIsRemoteProtocol()) {
@ -141,7 +140,7 @@ const warnAboutNodeWithRemoteContent = function (nodeIntegration) {
*
* Logs a warning message about disabled webSecurity.
*/
const warnAboutDisabledWebSecurity = function (webPreferences) {
const warnAboutDisabledWebSecurity = function (webPreferences?: Electron.WebPreferences) {
if (!webPreferences || webPreferences.webSecurity !== false) return
const warning = `This renderer process has "webSecurity" disabled. This
@ -177,7 +176,7 @@ const warnAboutInsecureCSP = function () {
*
* Logs a warning message about disabled webSecurity.
*/
const warnAboutInsecureContentAllowed = function (webPreferences) {
const warnAboutInsecureContentAllowed = function (webPreferences?: Electron.WebPreferences) {
if (!webPreferences || !webPreferences.allowRunningInsecureContent) return
const warning = `This renderer process has "allowRunningInsecureContent"
@ -193,7 +192,7 @@ const warnAboutInsecureContentAllowed = function (webPreferences) {
*
* Logs a warning message about experimental features.
*/
const warnAboutExperimentalFeatures = function (webPreferences) {
const warnAboutExperimentalFeatures = function (webPreferences?: Electron.WebPreferences) {
if (!webPreferences || (!webPreferences.experimentalFeatures)) {
return
}
@ -211,10 +210,10 @@ const warnAboutExperimentalFeatures = function (webPreferences) {
*
* Logs a warning message about enableBlinkFeatures
*/
const warnAboutEnableBlinkFeatures = function (webPreferences) {
if (webPreferences === null ||
const warnAboutEnableBlinkFeatures = function (webPreferences?: Electron.WebPreferences) {
if (!webPreferences ||
!webPreferences.hasOwnProperty('enableBlinkFeatures') ||
webPreferences.enableBlinkFeatures.length === 0) {
(webPreferences.enableBlinkFeatures && webPreferences.enableBlinkFeatures.length === 0)) {
return
}
@ -252,7 +251,9 @@ const warnAboutAllowedPopups = function () {
// Currently missing since we can't easily programmatically check for it:
// #12WebViews: Verify the options and params of all `<webview>` tags
const logSecurityWarnings = function (webPreferences, nodeIntegration) {
const logSecurityWarnings = function (
webPreferences: Electron.WebPreferences | undefined, nodeIntegration: boolean
) {
warnAboutNodeWithRemoteContent(nodeIntegration)
warnAboutDisabledWebSecurity(webPreferences)
warnAboutInsecureResources()
@ -264,17 +265,14 @@ const logSecurityWarnings = function (webPreferences, nodeIntegration) {
}
const getWebPreferences = function () {
const ipcRendererUtils = require('@electron/internal/renderer/ipc-renderer-internal-utils')
try {
return ipcRendererUtils.invokeSync('ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES')
return invokeSync('ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES')
} catch (error) {
console.warn(`getLastWebPreferences() failed: ${error}`)
return null
}
}
module.exports = function (nodeIntegration) {
export function securityWarnings (nodeIntegration: boolean) {
const loadHandler = function () {
if (shouldLogSecurityWarnings()) {
const webPreferences = getWebPreferences()

View file

@ -168,5 +168,6 @@ for (const { preloadPath, preloadSrc, preloadError } of preloadScripts) {
// Warn about security issues
if (process.isMainFrame) {
require('@electron/internal/renderer/security-warnings')()
const { securityWarnings } = require('@electron/internal/renderer/security-warnings')
securityWarnings()
}

View file

@ -28,3 +28,8 @@ declare namespace NodeJS {
activateUvLoop(): void;
}
}
declare interface Window {
ELECTRON_DISABLE_SECURITY_WARNINGS?: boolean
ELECTRON_ENABLE_SECURITY_WARNINGS?: boolean
}