fix: ensure no node globals passively leak when nodeIntegration is disabled (#21342)

2019-12-02 10:09:47 -08:00 · 2019-12-02 10:09:47 -08:00 · ee58d60612
commit ee58d60612
parent 66035a2448
3 changed files with 46 additions and 0 deletions
--- a/lib/renderer/init.ts
+++ b/lib/renderer/init.ts
@ -192,6 +192,8 @@ if (nodeIntegration) {
      delete global.setImmediate
      delete global.clearImmediate
      delete global.global
+      delete global.root
+      delete global.GLOBAL
    })
  }
 }
--- a/spec-main/api-browser-window-spec.ts
+++ b/spec-main/api-browser-window-spec.ts
@ -1543,6 +1543,37 @@ describe('BrowserWindow module', () => {
        sandbox: true,
        contextIsolation: true
      })
+      it('does not leak any node globals on the window object with nodeIntegration is disabled', async () => {
+        let w = new BrowserWindow({
+          webPreferences: {
+            contextIsolation: false,
+            nodeIntegration: false,
+            preload: path.resolve(fixtures, 'module', 'empty.js')
+          },
+          show: false
+        })
+        w.loadFile(path.join(fixtures, 'api', 'globals.html'))
+        const [, notIsolated] = await emittedOnce(ipcMain, 'leak-result')
+        expect(notIsolated).to.have.property('globals')
+
+        w.destroy()
+        w = new BrowserWindow({
+          webPreferences: {
+            contextIsolation: true,
+            nodeIntegration: false,
+            preload: path.resolve(fixtures, 'module', 'empty.js')
+          },
+          show: false
+        })
+        w.loadFile(path.join(fixtures, 'api', 'globals.html'))
+        const [, isolated] = await emittedOnce(ipcMain, 'leak-result')
+        expect(isolated).to.have.property('globals')
+        const notIsolatedGlobals = new Set(notIsolated.globals)
+        for (const isolatedGlobal of isolated.globals) {
+          notIsolatedGlobals.delete(isolatedGlobal)
+        }
+        expect([...notIsolatedGlobals]).to.deep.equal([], 'non-isoalted renderer should have no additional globals')
+      })

      it('loads the script before other scripts in window', async () => {
        const preload = path.join(fixtures, 'module', 'set-global.js')
--- a/spec/fixtures/api/globals.html
+++ b/spec/fixtures/api/globals.html
@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <title>Document</title>
+</head>
+<body>
+  <script>
+  window.postMessage({
+    globals: Object.keys(Object.getOwnPropertyDescriptors(window))
+  })
+  </script>
+</body>
+</html>