fix: ensure no node globals passively leak when nodeIntegration is disabled (#21342)

This commit is contained in:
Samuel Attard 2019-12-02 10:09:47 -08:00 committed by GitHub
parent 66035a2448
commit ee58d60612
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 46 additions and 0 deletions

View file

@ -192,6 +192,8 @@ if (nodeIntegration) {
delete global.setImmediate
delete global.clearImmediate
delete global.global
delete global.root
delete global.GLOBAL
})
}
}

View file

@ -1543,6 +1543,37 @@ describe('BrowserWindow module', () => {
sandbox: true,
contextIsolation: true
})
it('does not leak any node globals on the window object with nodeIntegration is disabled', async () => {
let w = new BrowserWindow({
webPreferences: {
contextIsolation: false,
nodeIntegration: false,
preload: path.resolve(fixtures, 'module', 'empty.js')
},
show: false
})
w.loadFile(path.join(fixtures, 'api', 'globals.html'))
const [, notIsolated] = await emittedOnce(ipcMain, 'leak-result')
expect(notIsolated).to.have.property('globals')
w.destroy()
w = new BrowserWindow({
webPreferences: {
contextIsolation: true,
nodeIntegration: false,
preload: path.resolve(fixtures, 'module', 'empty.js')
},
show: false
})
w.loadFile(path.join(fixtures, 'api', 'globals.html'))
const [, isolated] = await emittedOnce(ipcMain, 'leak-result')
expect(isolated).to.have.property('globals')
const notIsolatedGlobals = new Set(notIsolated.globals)
for (const isolatedGlobal of isolated.globals) {
notIsolatedGlobals.delete(isolatedGlobal)
}
expect([...notIsolatedGlobals]).to.deep.equal([], 'non-isoalted renderer should have no additional globals')
})
it('loads the script before other scripts in window', async () => {
const preload = path.join(fixtures, 'module', 'set-global.js')

13
spec/fixtures/api/globals.html vendored Normal file
View file

@ -0,0 +1,13 @@
<!DOCTYPE html>
<html lang="en">
<head>
<title>Document</title>
</head>
<body>
<script>
window.postMessage({
globals: Object.keys(Object.getOwnPropertyDescriptors(window))
})
</script>
</body>
</html>