fix: security: don't allow arbitrary methods to be invoked on webContents via IPC (#15919)

This commit is contained in:
Milan Burda 2018-12-04 16:12:21 +01:00 committed by Alexey Kuzmin
parent 0a23c0b032
commit aa2b2f7c8f
7 changed files with 115 additions and 90 deletions

View file

@ -4,6 +4,7 @@ const { webContents } = require('electron')
const ipcMain = require('@electron/internal/browser/ipc-main-internal')
const parseFeaturesString = require('@electron/internal/common/parse-features-string')
const errorUtils = require('@electron/internal/common/error-utils')
const { syncMethods, asyncMethods } = require('@electron/internal/common/web-view-methods')
// Doesn't exist in early initialization.
let webViewManager = null
@ -368,7 +369,10 @@ handleMessage('ELECTRON_GUEST_VIEW_MANAGER_ASYNC_CALL', function (event, request
new Promise(resolve => {
const guest = getGuest(guestInstanceId)
if (guest.hostWebContents !== event.sender) {
throw new Error('Access denied')
throw new Error(`Invalid guestInstanceId: ${guestInstanceId}`)
}
if (!asyncMethods.has(method)) {
throw new Error(`Invalid method: ${method}`)
}
if (hasCallback) {
guest[method](...args, resolve)
@ -388,9 +392,12 @@ handleMessage('ELECTRON_GUEST_VIEW_MANAGER_SYNC_CALL', function (event, guestIns
try {
const guest = getGuest(guestInstanceId)
if (guest.hostWebContents !== event.sender) {
throw new Error('Access denied')
throw new Error(`Invalid guestInstanceId: ${guestInstanceId}`)
}
event.returnValue = [null, guest[method].apply(guest, args)]
if (!syncMethods.has(method)) {
throw new Error(`Invalid method: ${method}`)
}
event.returnValue = [null, guest[method](...args)]
} catch (error) {
event.returnValue = [errorUtils.serialize(error)]
}