feat: only allow bundled preload scripts (#17308)

lib/renderer/init.ts

@@ -1,4 +1,5 @@
 import { EventEmitter } from 'events'
+import * as fs from 'fs'
 import * as path from 'path'
 
 const Module = require('module')
@@ -160,10 +161,22 @@ if (nodeIntegration) {
 }
 
 const errorUtils = require('@electron/internal/common/error-utils')
+const { isParentDir } = require('@electron/internal/common/path-utils')
+
+let absoluteAppPath: string
+const getAppPath = function () {
+  if (absoluteAppPath === undefined) {
+    absoluteAppPath = fs.realpathSync(appPath!)
+  }
+  return absoluteAppPath
+}
 
 // Load the preload scripts.
 for (const preloadScript of preloadScripts) {
   try {
+    if (!isParentDir(getAppPath(), fs.realpathSync(preloadScript))) {
+      throw new Error('Preload scripts outside of app path are not allowed')
+    }
     require(preloadScript)
   } catch (error) {
     console.error(`Unable to load preload script: ${preloadScript}`)