mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions 1

Disallow launching unknown apps via browser client.

Browse source 
CVE-2018-1000006
This commit is contained in:
Aleš Pergl 2018-01-22 16:49:30 -06:00 committed by Charles Kerr
parent 32a1395bcf
commit c49cb29ddf
17 changed files with 1553 additions and 101 deletions
Download patch file Download diff file Expand all files Collapse all files

48
spec/api-app-spec.js
View file

@ -634,6 +634,54 @@ describe('app module', () => {
})
})
describe('app launch through uri', () => {
before(function () {
if (process.platform !== 'win32') {
this.skip()
}
})
it('does not launch for blacklisted argument', function (done) {
const appPath = path.join(__dirname, 'fixtures', 'api', 'quit-app')
// App should exit with non 123 code.
const first = ChildProcess.spawn(remote.process.execPath, [appPath, 'electron-test://?', '--no-sandbox', '--gpu-launcher=cmd.exe /c start calc'])
first.once('exit', (code) => {
assert.notEqual(code, 123)
done()
})
})
it('launches successfully for multiple uris in cmd args', function (done) {
const appPath = path.join(__dirname, 'fixtures', 'api', 'quit-app')
// App should exit with code 123.
const first = ChildProcess.spawn(remote.process.execPath, [appPath, 'http://electronjs.org', 'electron-test://testdata'])
first.once('exit', (code) => {
assert.equal(code, 123)
done()
})
})
it('does not launch for encoded space', function (done) {
const appPath = path.join(__dirname, 'fixtures', 'api', 'quit-app')
// App should exit with non 123 code.
const first = ChildProcess.spawn(remote.process.execPath, [appPath, 'electron-test://?', '--no-sandbox', '--gpu-launcher%20"cmd.exe /c start calc'])
first.once('exit', (code) => {
assert.notEqual(code, 123)
done()
})
})
it('launches successfully for argnames similar to blacklisted ones', function (done) {
const appPath = path.join(__dirname, 'fixtures', 'api', 'quit-app')
// inspect is blacklisted, but inspector should work, and app launch should succeed
const first = ChildProcess.spawn(remote.process.execPath, [appPath, 'electron-test://?', '--inspector'])
first.once('exit', (code) => {
assert.equal(code, 123)
done()
})
})
})
describe('getFileIcon() API', () => {
const iconPath = path.join(__dirname, 'fixtures/assets/icon.ico')
const sizes = {