From ee58d6061282e65fa8f16d9e8929f65ed1390dcc Mon Sep 17 00:00:00 2001 From: Samuel Attard Date: Mon, 2 Dec 2019 10:09:47 -0800 Subject: [PATCH] fix: ensure no node globals passively leak when nodeIntegration is disabled (#21342) --- lib/renderer/init.ts | 2 ++ spec-main/api-browser-window-spec.ts | 31 ++++++++++++++++++++++++++++ spec/fixtures/api/globals.html | 13 ++++++++++++ 3 files changed, 46 insertions(+) create mode 100644 spec/fixtures/api/globals.html diff --git a/lib/renderer/init.ts b/lib/renderer/init.ts index c189c2ab8d14..acb941f9e922 100644 --- a/lib/renderer/init.ts +++ b/lib/renderer/init.ts @@ -192,6 +192,8 @@ if (nodeIntegration) { delete global.setImmediate delete global.clearImmediate delete global.global + delete global.root + delete global.GLOBAL }) } } diff --git a/spec-main/api-browser-window-spec.ts b/spec-main/api-browser-window-spec.ts index b597adc8b05a..92fb36455ef8 100644 --- a/spec-main/api-browser-window-spec.ts +++ b/spec-main/api-browser-window-spec.ts @@ -1543,6 +1543,37 @@ describe('BrowserWindow module', () => { sandbox: true, contextIsolation: true }) + it('does not leak any node globals on the window object with nodeIntegration is disabled', async () => { + let w = new BrowserWindow({ + webPreferences: { + contextIsolation: false, + nodeIntegration: false, + preload: path.resolve(fixtures, 'module', 'empty.js') + }, + show: false + }) + w.loadFile(path.join(fixtures, 'api', 'globals.html')) + const [, notIsolated] = await emittedOnce(ipcMain, 'leak-result') + expect(notIsolated).to.have.property('globals') + + w.destroy() + w = new BrowserWindow({ + webPreferences: { + contextIsolation: true, + nodeIntegration: false, + preload: path.resolve(fixtures, 'module', 'empty.js') + }, + show: false + }) + w.loadFile(path.join(fixtures, 'api', 'globals.html')) + const [, isolated] = await emittedOnce(ipcMain, 'leak-result') + expect(isolated).to.have.property('globals') + const notIsolatedGlobals = new Set(notIsolated.globals) + for (const isolatedGlobal of isolated.globals) { + notIsolatedGlobals.delete(isolatedGlobal) + } + expect([...notIsolatedGlobals]).to.deep.equal([], 'non-isoalted renderer should have no additional globals') + }) it('loads the script before other scripts in window', async () => { const preload = path.join(fixtures, 'module', 'set-global.js') diff --git a/spec/fixtures/api/globals.html b/spec/fixtures/api/globals.html new file mode 100644 index 000000000000..f1bfc56037c7 --- /dev/null +++ b/spec/fixtures/api/globals.html @@ -0,0 +1,13 @@ + + + + Document + + + + + \ No newline at end of file