fix: security: don't allow arbitrary methods to be invoked on webContents via IPC (#15919)

2018-12-04 16:12:21 +01:00 · 2018-12-04 16:12:21 +01:00 · aa2b2f7c8f
commit aa2b2f7c8f
parent 0a23c0b032
7 changed files with 115 additions and 90 deletions
--- a/lib/common/web-view-methods.js
+++ b/lib/common/web-view-methods.js
@ -0,0 +1,67 @@
+'use strict'
+
+// Public-facing API methods.
+exports.syncMethods = new Set([
+  'getURL',
+  'loadURL',
+  'getTitle',
+  'isLoading',
+  'isLoadingMainFrame',
+  'isWaitingForResponse',
+  'stop',
+  'reload',
+  'reloadIgnoringCache',
+  'canGoBack',
+  'canGoForward',
+  'canGoToOffset',
+  'clearHistory',
+  'goBack',
+  'goForward',
+  'goToIndex',
+  'goToOffset',
+  'isCrashed',
+  'setUserAgent',
+  'getUserAgent',
+  'openDevTools',
+  'closeDevTools',
+  'isDevToolsOpened',
+  'isDevToolsFocused',
+  'inspectElement',
+  'setAudioMuted',
+  'isAudioMuted',
+  'isCurrentlyAudible',
+  'undo',
+  'redo',
+  'cut',
+  'copy',
+  'paste',
+  'pasteAndMatchStyle',
+  'delete',
+  'selectAll',
+  'unselect',
+  'replace',
+  'replaceMisspelling',
+  'findInPage',
+  'stopFindInPage',
+  'downloadURL',
+  'inspectServiceWorker',
+  'showDefinitionForSelection',
+  'setZoomFactor',
+  'setZoomLevel'
+])
+
+exports.asyncMethods = new Set([
+  'insertCSS',
+  'insertText',
+  'send',
+  'sendInputEvent',
+  'setLayoutZoomLevelLimits',
+  'setVisualZoomLevelLimits',
+  // with callback
+  'capturePage',
+  'executeJavaScript',
+  'getZoomFactor',
+  'getZoomLevel',
+  'print',
+  'printToPDF'
+])