fix: ensure no node globals passively leak when nodeIntegration is disabled (#21342)
parent
66035a2448
commit
ee58d60612
3 changed files with 46 additions and 0 deletions
|
@ -192,6 +192,8 @@ if (nodeIntegration) {
|
||||||
delete global.setImmediate
|
delete global.setImmediate
|
||||||
delete global.clearImmediate
|
delete global.clearImmediate
|
||||||
delete global.global
|
delete global.global
|
||||||
|
delete global.root
|
||||||
|
delete global.GLOBAL
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
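Review bot: The two added deletes (`delete global.root`, `delete global.GLOBAL`) extend a hand-maintained list that carries no comment saying what it must contain, so a later Node upgrade that introduces another global or alias would leak into the page again until someone notices. A comment above the list would record the intent, for example `// Node-only globals and aliases of the global object; extend this list when Node adds one (guarded by the 'does not leak any node globals' spec)`. The enclosing `if (nodeIntegration)` block and the callback these lines sit in begin outside the hunk, so I am assuming this is the branch taken when nodeIntegration is off.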
@ -1543,6 +1543,37 @@ describe('BrowserWindow module', () => {
|
||||||
sandbox: true,
|
sandbox: true,
|
||||||
contextIsolation: true
|
contextIsolation: true
|
||||||
})
|
})
|
||||||
|
it('does not leak any node globals on the window object with nodeIntegration is disabled', async () => {
|
||||||
|
let w = new BrowserWindow({
|
||||||
|
webPreferences: {
|
||||||
|
contextIsolation: false,
|
||||||
|
nodeIntegration: false,
|
||||||
|
preload: path.resolve(fixtures, 'module', 'empty.js')
|
||||||
|
},
|
||||||
|
show: false
|
||||||
|
})
|
||||||
|
w.loadFile(path.join(fixtures, 'api', 'globals.html'))
|
||||||
|
const [, notIsolated] = await emittedOnce(ipcMain, 'leak-result')
|
||||||
|
expect(notIsolated).to.have.property('globals')
|
||||||
|
|
||||||
|
w.destroy()
|
||||||
|
w = new BrowserWindow({
|
||||||
|
webPreferences: {
|
||||||
|
contextIsolation: true,
|
||||||
|
nodeIntegration: false,
|
||||||
|
preload: path.resolve(fixtures, 'module', 'empty.js')
|
||||||
|
},
|
||||||
|
show: false
|
||||||
|
})
|
||||||
|
w.loadFile(path.join(fixtures, 'api', 'globals.html'))
|
||||||
|
const [, isolated] = await emittedOnce(ipcMain, 'leak-result')
|
||||||
|
expect(isolated).to.have.property('globals')
|
||||||
|
const notIsolatedGlobals = new Set(notIsolated.globals)
|
||||||
|
for (const isolatedGlobal of isolated.globals) {
|
||||||
|
notIsolatedGlobals.delete(isolatedGlobal)
|
||||||
|
}
|
||||||
|
expect([...notIsolatedGlobals]).to.deep.equal([], 'non-isoalted renderer should have no additional globals')
|
||||||
|
})
|
||||||
|
|
||||||
it('loads the script before other scripts in window', async () => {
|
it('loads the script before other scripts in window', async () => {
|
||||||
const preload = path.join(fixtures, 'module', 'set-global.js')
|
const preload = path.join(fixtures, 'module', 'set-global.js')
|
||||||
|
|
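Review bot: The regression test covers only the `contextIsolation: false, nodeIntegration: false` renderer without `sandbox`, so a leak in a sandboxed renderer would pass unnoticed if that mode is initialised by code other than the file patched in this commit (not visible here). Consider repeating the first window with `sandbox: true` in `webPreferences` and diffing its globals against the same isolated baseline. Separately, `w.destroy()` is reached only when the first `await` and `expect` succeed, and the second window is not destroyed in the visible lines; unless a hook outside the hunk closes windows, a `try { … } finally { w.destroy() }` would keep a failing run from leaving windows behind. The test title ("with nodeIntegration is disabled") and the assertion message (`non-isoalted`) each contain a typo. The enclosing `describe` block starts and ends outside the hunk.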
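--- a/spec/fixtures/api/globals.html
+++ b/spec/fixtures/api/globals.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<title>Document</title>
+</head>
+<body>
+<script>
+window.postMessage({
+globals: Object.keys(Object.getOwnPropertyDescriptors(window))
+})
+</script>
+</body>
+</html>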