feat: only allow bundled preload scripts (#17308)

2019-03-28 11:38:51 +01:00 · 2019-03-28 11:38:51 +01:00 · 8cf15cc931
commit 8cf15cc931
parent 3d307e5610
11 changed files with 79 additions and 3 deletions
--- a/spec/api-web-contents-spec.js
+++ b/spec/api-web-contents-spec.js
@ -3,6 +3,7 @@
 const assert = require('assert')
 const ChildProcess = require('child_process')
 const fs = require('fs')
+const os = require('os')
 const http = require('http')
 const path = require('path')
 const { closeWindow } = require('./window-helpers')
@ -1110,6 +1111,16 @@ describe('webContents module', () => {
  describe('preload-error event', () => {
    const generateSpecs = (description, sandbox) => {
      describe(description, () => {
+        const tmpPreload = path.join(os.tmpdir(), 'preload.js')
+
+        before((done) => {
+          fs.writeFile(tmpPreload, '', done)
+        })
+
+        after((done) => {
+          fs.unlink(tmpPreload, () => done())
+        })
+
        it('is triggered when unhandled exception is thrown', async () => {
          const preload = path.join(fixtures, 'module', 'preload-error-exception.js')

@ -1169,6 +1180,26 @@ describe('webContents module', () => {
          expect(preloadPath).to.equal(preload)
          expect(error.message).to.contain('preload-invalid.js')
        })
+
+        it('is triggered when preload script is outside of app path', async () => {
+          const preload = tmpPreload
+
+          w.destroy()
+          w = new BrowserWindow({
+            show: false,
+            webPreferences: {
+              sandbox,
+              preload
+            }
+          })
+
+          const promise = emittedOnce(w.webContents, 'preload-error')
+          w.loadURL('about:blank')
+
+          const [, preloadPath, error] = await promise
+          expect(preloadPath).to.equal(preload)
+          expect(error.message).to.contain('Preload scripts outside of app path are not allowed')
+        })
      })
    }