Skip to content
Permalink
Browse files Browse the repository at this point in the history
Merge pull request #2976 from atom/node_modules_paths
Prevent Node from adding paths outside the app to search paths
  • Loading branch information
zcbenz committed Oct 3, 2015
2 parents 12f46ab + 01d2765 commit 9a2e2b3
Show file tree
Hide file tree
Showing 5 changed files with 43 additions and 23 deletions.
9 changes: 6 additions & 3 deletions atom/browser/lib/init.coffee
Expand Up @@ -7,14 +7,17 @@ Module = require 'module'
# we need to restore it here.
process.argv.splice 1, 1

# Clear search paths.
require path.resolve(__dirname, '..', '..', 'common', 'lib', 'reset-search-paths')

# Import common settings.
require path.resolve(__dirname, '..', '..', 'common', 'lib', 'init')

# Add browser/api/lib to module search paths, which contains javascript part of
# Electron's built-in libraries.
globalPaths = Module.globalPaths
globalPaths.push path.resolve(__dirname, '..', 'api', 'lib')

# Import common settings.
require path.resolve(__dirname, '..', '..', 'common', 'lib', 'init')

if process.platform is 'win32'
# Redirect node's console to use our own implementations, since node can not
# handle console output when running as GUI program.
Expand Down
15 changes: 1 addition & 14 deletions atom/common/lib/init.coffee
Expand Up @@ -9,21 +9,8 @@ process.atomBinding = (name) ->
catch e
process.binding "atom_common_#{name}" if /No such module/.test e.message

# Global module search paths.
globalPaths = Module.globalPaths

# Don't lookup modules in user-defined search paths, see http://git.io/vf8sF.
homeDir =
if process.platform is 'win32'
process.env.USERPROFILE
else
process.env.HOME
if homeDir # Node only add user-defined search paths when $HOME is defined.
userModulePath = path.resolve homeDir, '.node_modules'
globalPaths.splice globalPaths.indexOf(userModulePath), 2

# Add common/api/lib to module search paths.
globalPaths.push path.resolve(__dirname, '..', 'api', 'lib')
Module.globalPaths.push path.resolve(__dirname, '..', 'api', 'lib')

# setImmediate and process.nextTick makes use of uv_check and uv_prepare to
# run the callbacks, however since we only run uv loop on requests, the
Expand Down
29 changes: 29 additions & 0 deletions atom/common/lib/reset-search-paths.coffee
@@ -0,0 +1,29 @@
path = require 'path'
Module = require 'module'

# Clear Node's global search paths.
Module.globalPaths.length = 0

# Clear current and parent(init.coffee)'s search paths.
module.paths = []
module.parent.paths = []

# Prevent Node from adding paths outside this app to search paths.
Module._nodeModulePaths = (from) ->
from = path.resolve from

# If "from" is outside the app then we do nothing.
skipOutsidePaths = from.startsWith process.resourcesPath

# Following logoic is copied from module.js.
splitRe = if process.platform is 'win32' then /[\/\\]/ else /\//
paths = []

parts = from.split splitRe
for part, tip in parts by -1
continue if part is 'node_modules'
dir = parts.slice(0, tip + 1).join path.sep
break if skipOutsidePaths and not dir.startsWith process.resourcesPath
paths.push path.join(dir, 'node_modules')

paths
12 changes: 6 additions & 6 deletions atom/renderer/lib/init.coffee
Expand Up @@ -7,16 +7,16 @@ Module = require 'module'
# atom-renderer.js, we need to restore it here.
process.argv.splice 1, 1

# Clear search paths.
require path.resolve(__dirname, '..', '..', 'common', 'lib', 'reset-search-paths')

# Import common settings.
require path.resolve(__dirname, '..', '..', 'common', 'lib', 'init')

# Add renderer/api/lib to require's search paths, which contains javascript part
# of Atom's built-in libraries.
globalPaths = Module.globalPaths
globalPaths.push path.resolve(__dirname, '..', 'api', 'lib')
# And also app.
globalPaths.push path.join(process.resourcesPath, 'app')
globalPaths.push path.join(process.resourcesPath, 'app.asar')

# Import common settings.
require path.resolve(__dirname, '..', '..', 'common', 'lib', 'init')

# The global variable will be used by ipc for event dispatching
v8Util = process.atomBinding 'v8_util'
Expand Down
1 change: 1 addition & 0 deletions filenames.gypi
Expand Up @@ -37,6 +37,7 @@
'atom/common/api/lib/native-image.coffee',
'atom/common/api/lib/shell.coffee',
'atom/common/lib/init.coffee',
'atom/common/lib/reset-search-paths.coffee',
'atom/renderer/lib/chrome-api.coffee',
'atom/renderer/lib/init.coffee',
'atom/renderer/lib/inspector.coffee',
Expand Down

0 comments on commit 9a2e2b3

Please sign in to comment.