fix: apply module search paths restriction on worker and child process (#41118)

This commit is contained in:
Cheng Zhao 2024-01-26 17:29:04 +09:00 committed by GitHub
parent 6c9f9de40a
commit db2bf1a0d1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 76 additions and 85 deletions

View file

@ -10,9 +10,6 @@ const Module = require('module') as NodeJS.ModuleInternal;
// we need to restore it here.
process.argv.splice(1, 1);
// Clear search paths.
require('../common/reset-search-paths');
// Import common settings.
require('@electron/internal/common/init');

View file

@ -73,3 +73,43 @@ if (process.platform === 'win32') {
}
});
}
const Module = require('module') as NodeJS.ModuleInternal;
// Make a fake Electron module that we will insert into the module cache
const makeElectronModule = (name: string) => {
const electronModule = new Module('electron', null);
electronModule.id = 'electron';
electronModule.loaded = true;
electronModule.filename = name;
Object.defineProperty(electronModule, 'exports', {
get: () => require('electron')
});
Module._cache[name] = electronModule;
};
makeElectronModule('electron');
makeElectronModule('electron/common');
if (process.type === 'browser') {
makeElectronModule('electron/main');
}
if (process.type === 'renderer') {
makeElectronModule('electron/renderer');
}
const originalResolveFilename = Module._resolveFilename;
// 'electron/main', 'electron/renderer' and 'electron/common' are module aliases
// of the 'electron' module for TypeScript purposes, i.e., the types for
// 'electron/main' consist of only main process modules, etc. It is intentional
// that these can be `require()`-ed from both the main process as well as the
// renderer process regardless of the names, they're superficial for TypeScript
// only.
const electronModuleNames = new Set(['electron', 'electron/main', 'electron/renderer', 'electron/common']);
Module._resolveFilename = function (request, parent, isMain, options) {
if (electronModuleNames.has(request)) {
return 'electron';
} else {
return originalResolveFilename(request, parent, isMain, options);
}
};

View file

@ -1,69 +0,0 @@
import * as path from 'path';
const Module = require('module') as NodeJS.ModuleInternal;
// We do not want to allow use of the VM module in the renderer process as
// it conflicts with Blink's V8::Context internal logic.
if (process.type === 'renderer') {
const _load = Module._load;
Module._load = function (request: string) {
if (request === 'vm') {
console.warn('The vm module of Node.js is deprecated in the renderer process and will be removed.');
}
return _load.apply(this, arguments as any);
};
}
// Prevent Node from adding paths outside this app to search paths.
const resourcesPathWithTrailingSlash = process.resourcesPath + path.sep;
const originalNodeModulePaths = Module._nodeModulePaths;
Module._nodeModulePaths = function (from: string) {
const paths: string[] = originalNodeModulePaths(from);
const fromPath = path.resolve(from) + path.sep;
// If "from" is outside the app then we do nothing.
if (fromPath.startsWith(resourcesPathWithTrailingSlash)) {
return paths.filter(function (candidate) {
return candidate.startsWith(resourcesPathWithTrailingSlash);
});
} else {
return paths;
}
};
// Make a fake Electron module that we will insert into the module cache
const makeElectronModule = (name: string) => {
const electronModule = new Module('electron', null);
electronModule.id = 'electron';
electronModule.loaded = true;
electronModule.filename = name;
Object.defineProperty(electronModule, 'exports', {
get: () => require('electron')
});
Module._cache[name] = electronModule;
};
makeElectronModule('electron');
makeElectronModule('electron/common');
if (process.type === 'browser') {
makeElectronModule('electron/main');
}
if (process.type === 'renderer') {
makeElectronModule('electron/renderer');
}
const originalResolveFilename = Module._resolveFilename;
// 'electron/main', 'electron/renderer' and 'electron/common' are module aliases
// of the 'electron' module for TypeScript purposes, i.e., the types for
// 'electron/main' consist of only main process modules, etc. It is intentional
// that these can be `require()`-ed from both the main process as well as the
// renderer process regardless of the names, they're superficial for TypeScript
// only.
const electronModuleNames = new Set(['electron', 'electron/main', 'electron/renderer', 'electron/common']);
Module._resolveFilename = function (request, parent, isMain, options) {
if (electronModuleNames.has(request)) {
return 'electron';
} else {
return originalResolveFilename(request, parent, isMain, options);
}
};

View file

@ -29,3 +29,21 @@ cp.fork = (modulePath: string, args: any, options: any) => {
}
return originalFork(modulePath, args, options);
};
// Prevent Node from adding paths outside this app to search paths.
const path = require('path');
const Module = require('module') as NodeJS.ModuleInternal;
const resourcesPathWithTrailingSlash = process.resourcesPath + path.sep;
const originalNodeModulePaths = Module._nodeModulePaths;
Module._nodeModulePaths = function (from: string) {
const paths: string[] = originalNodeModulePaths(from);
const fromPath = path.resolve(from) + path.sep;
// If "from" is outside the app then we do nothing.
if (fromPath.startsWith(resourcesPathWithTrailingSlash)) {
return paths.filter(function (candidate) {
return candidate.startsWith(resourcesPathWithTrailingSlash);
});
} else {
return paths;
}
};

View file

@ -7,6 +7,16 @@ import type * as ipcRendererUtilsModule from '@electron/internal/renderer/ipc-re
const Module = require('module') as NodeJS.ModuleInternal;
// We do not want to allow use of the VM module in the renderer process as
// it conflicts with Blink's V8::Context internal logic.
const originalModuleLoad = Module._load;
Module._load = function (request: string) {
if (request === 'vm') {
console.warn('The vm module of Node.js is deprecated in the renderer process and will be removed.');
}
return originalModuleLoad.apply(this, arguments as any);
};
// Make sure globals like "process" and "global" are always available in preload
// scripts even after they are deleted in "loaded" script.
//
@ -33,9 +43,6 @@ Module.wrapper = [
// init.js, we need to restore it here.
process.argv.splice(1, 1);
// Clear search paths.
require('../common/reset-search-paths');
// Import common settings.
require('@electron/internal/common/init');

View file

@ -10,9 +10,6 @@ const entryScript: string = v8Util.getHiddenValue(process, '_serviceStartupScrip
// we need to restore it here.
process.argv.splice(1, 1, entryScript);
// Clear search paths.
require('../common/reset-search-paths');
// Import common settings.
require('@electron/internal/common/init');

View file

@ -6,9 +6,6 @@ const Module = require('module') as NodeJS.ModuleInternal;
// init.js, we need to restore it here.
process.argv.splice(1, 1);
// Clear search paths.
require('../common/reset-search-paths');
// Import common settings.
require('@electron/internal/common/init');