mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions 1

fix: make grant_file_protocol_extra_privileges fuse also block CORS fetches (#40801)

Browse source
This commit is contained in:
Jeremy Rose 2024-01-02 13:06:33 -08:00 committed by GitHub
parent a208d45aca
commit be4e4ff11b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 67 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

28
spec/fuses-spec.ts Normal file
View file

@ -0,0 +1,28 @@
import { expect } from 'chai';
import { startRemoteControlApp } from './lib/spec-helpers';
import { once } from 'node:events';
import { spawn } from 'node:child_process';
import { BrowserWindow } from 'electron';
import path = require('node:path');
describe('fuses', () => {
it('can be enabled by command-line argument during testing', async () => {
const child0 = spawn(process.execPath, ['-v'], { env: { NODE_OPTIONS: '-e 0' } });
const [code0] = await once(child0, 'exit');
// Should exit with 9 because -e is not allowed in NODE_OPTIONS
expect(code0).to.equal(9);
const child1 = spawn(process.execPath, ['--set-fuse-node_options=0', '-v'], { env: { NODE_OPTIONS: '-e 0' } });
const [code1] = await once(child1, 'exit');
// Should print the version and exit with 0
expect(code1).to.equal(0);
});
it('disables fetching file:// URLs when grant_file_protocol_extra_privileges is 0', async () => {
const rc = await startRemoteControlApp(['--set-fuse-grant_file_protocol_extra_privileges=0']);
await expect(rc.remotely(async (fixture: string) => {
const bw = new BrowserWindow({ show: false });
await bw.loadFile(fixture);
return await bw.webContents.executeJavaScript("ajax('file:///etc/passwd')");
}, path.join(__dirname, 'fixtures', 'pages', 'fetch.html'))).to.eventually.be.rejectedWith('Failed to fetch');
});
});