fix: illegal access errors with nodeIntegrationInSubFrames (#29093)

2021-05-14 13:36:15 +02:00 · 2021-05-14 13:36:15 +02:00 · b7a23450b7
commit b7a23450b7
parent 4073599f59
6 changed files with 104 additions and 4 deletions
--- a/shell/renderer/electron_render_frame_observer.cc
+++ b/shell/renderer/electron_render_frame_observer.cc
@ -79,6 +79,7 @@ void ElectronRenderFrameObserver::DidInstallConditionalFeatures(
  bool is_main_world = IsMainWorld(world_id);
  bool is_main_frame = render_frame_->IsMainFrame();
  bool allow_node_in_sub_frames = prefs.node_integration_in_sub_frames;
+
  bool should_create_isolated_context =
      use_context_isolation && is_main_world &&
      (is_main_frame || allow_node_in_sub_frames);
@ -157,11 +158,23 @@ bool ElectronRenderFrameObserver::IsIsolatedWorld(int world_id) {

 bool ElectronRenderFrameObserver::ShouldNotifyClient(int world_id) {
  auto prefs = render_frame_->GetBlinkPreferences();
+
+  // This is necessary because if an iframe is created and a source is not
+  // set, the iframe loads about:blank and creates a script context for the
+  // same. We don't want to create a Node.js environment here because if the src
+  // is later set, the JS necessary to do that triggers illegal access errors
+  // when the initial about:blank Node.js environment is cleaned up. See:
+  // https://source.chromium.org/chromium/chromium/src/+/main:content/renderer/render_frame_impl.h;l=870-892;drc=4b6001440a18740b76a1c63fa2a002cc941db394
+  GURL url = render_frame_->GetWebFrame()->GetDocument().Url();
  bool allow_node_in_sub_frames = prefs.node_integration_in_sub_frames;
+  if (allow_node_in_sub_frames && url.IsAboutBlank() &&
+      !render_frame_->IsMainFrame())
+    return false;
+
  if (prefs.context_isolation &&
      (render_frame_->IsMainFrame() || allow_node_in_sub_frames))
    return IsIsolatedWorld(world_id);
-  else
+
  return IsMainWorld(world_id);
 }

--- a/shell/renderer/electron_renderer_client.cc
+++ b/shell/renderer/electron_renderer_client.cc
@ -80,12 +80,13 @@ void ElectronRendererClient::DidCreateScriptContext(
  // TODO(zcbenz): Do not create Node environment if node integration is not
  // enabled.

-  // Only load node if we are a main frame or a devtools extension
-  // unless node support has been explicitly enabled for sub frames
+  // Only load Node.js if we are a main frame or a devtools extension
+  // unless Node.js support has been explicitly enabled for subframes.
  auto prefs = render_frame->GetBlinkPreferences();
  bool is_main_frame = render_frame->IsMainFrame();
  bool is_devtools = IsDevToolsExtension(render_frame);
  bool allow_node_in_subframes = prefs.node_integration_in_sub_frames;
+
  bool should_load_node =
      (is_main_frame || is_devtools || allow_node_in_subframes) &&
      !IsWebViewFrame(renderer_context, render_frame);
--- a/shell/renderer/electron_sandboxed_renderer_client.cc
+++ b/shell/renderer/electron_sandboxed_renderer_client.cc
@ -209,8 +209,10 @@ void ElectronSandboxedRendererClient::DidCreateScriptContext(
  bool is_main_frame = render_frame->IsMainFrame();
  bool is_devtools =
      IsDevTools(render_frame) || IsDevToolsExtension(render_frame);
+
  bool allow_node_in_sub_frames =
      render_frame->GetBlinkPreferences().node_integration_in_sub_frames;
+
  bool should_load_preload =
      (is_main_frame || is_devtools || allow_node_in_sub_frames) &&
      !IsWebViewFrame(context, render_frame);
--- a/spec-main/fixtures/crash-cases/js-execute-iframe/index.html
+++ b/spec-main/fixtures/crash-cases/js-execute-iframe/index.html
@ -0,0 +1,29 @@
+<html>
+  <body>
+    <iframe id="mainframe"></iframe>
+    <script>
+      const net = require('net');
+      const path = require('path');
+
+      document.getElementById("mainframe").src="./page2.html";
+
+      const p = process.platform === 'win32'
+              ? path.join('\\\\?\\pipe', process.cwd(), 'myctl')
+              : '/tmp/echo.sock';
+
+      const client = net.createConnection({ path: p }, () => {
+        console.log('connected to server');
+        client.write('world!\r\n');
+      });
+
+      client.on('data', (data) => {
+        console.log(data.toString());
+        client.end();
+      });
+
+      client.on('end', () => {
+        console.log('disconnected from server');
+      });
+    </script>
+  </body>
+</html>
--- a/spec-main/fixtures/crash-cases/js-execute-iframe/index.js
+++ b/spec-main/fixtures/crash-cases/js-execute-iframe/index.js
@ -0,0 +1,51 @@
+const { app, BrowserWindow } = require('electron');
+const net = require('net');
+const path = require('path');
+
+function createWindow () {
+  const mainWindow = new BrowserWindow({
+    webPreferences: {
+      nodeIntegration: true,
+      contextIsolation: false,
+      nodeIntegrationInSubFrames: true
+    }
+  });
+
+  mainWindow.loadFile('index.html');
+}
+
+app.whenReady().then(() => {
+  createWindow();
+
+  app.on('activate', () => {
+    if (BrowserWindow.getAllWindows().length === 0) createWindow();
+  });
+});
+
+app.on('window-all-closed', () => {
+  if (process.platform !== 'darwin') app.quit();
+});
+
+const server = net.createServer((c) => {
+  console.log('client connected');
+
+  c.on('end', () => {
+    console.log('client disconnected');
+    app.quit();
+  });
+
+  c.write('hello\r\n');
+  c.pipe(c);
+});
+
+server.on('error', (err) => {
+  throw err;
+});
+
+const p = process.platform === 'win32'
+  ? path.join('\\\\?\\pipe', process.cwd(), 'myctl')
+  : '/tmp/echo.sock';
+
+server.listen(p, () => {
+  console.log('server bound');
+});
--- a/spec-main/fixtures/crash-cases/js-execute-iframe/page2.html
+++ b/spec-main/fixtures/crash-cases/js-execute-iframe/page2.html
@ -0,0 +1,4 @@
+<!DOCTYPE html>
+<html>
+	<body>HELLO</body>
+</html>