
fix: ensure no node globals passively leak when nodeIntegration is disabled (#21342)
MarshallOfSound committed Dec 2, 2019
1 parent 66035a2 commit ee58d6061282e65fa8f16d9e8929f65ed1390dcc
Showing with 46 additions and 0 deletions.
  1. +2 −0 lib/renderer/init.ts
  2. +31 −0 spec-main/api-browser-window-spec.ts
  3. +13 −0 spec/fixtures/api/globals.html
@@ -192,6 +192,8 @@ if (nodeIntegration) {
delete global.setImmediate
delete global.clearImmediate
delete global.global
delete global.root
delete global.GLOBAL
})
}
}
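Review bot: The cleanup here is a hand-maintained list of `delete global.X` statements, so any further name Node defines on the global object will stay visible to page scripts until someone adds it to this list. Judging by the `+2` count, `root` and `GLOBAL` are the two names this commit adds, though the page does not mark which lines are new. A comment above the list would make that maintenance rule explicit, for example `// Node defines these on the global object; each one must be removed when nodeIntegration is off (see the 'does not leak any node globals' spec)`. The enclosing callback and the `if (nodeIntegration)` block start outside the hunk.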
@@ -1543,6 +1543,37 @@ describe('BrowserWindow module', () => {
sandbox: true,
contextIsolation: true
})
it('does not leak any node globals on the window object with nodeIntegration is disabled', async () => {
let w = new BrowserWindow({
webPreferences: {
contextIsolation: false,
nodeIntegration: false,
preload: path.resolve(fixtures, 'module', 'empty.js')
},
show: false
})
w.loadFile(path.join(fixtures, 'api', 'globals.html'))
const [, notIsolated] = await emittedOnce(ipcMain, 'leak-result')
expect(notIsolated).to.have.property('globals')

w.destroy()
w = new BrowserWindow({
webPreferences: {
contextIsolation: true,
nodeIntegration: false,
preload: path.resolve(fixtures, 'module', 'empty.js')
},
show: false
})
w.loadFile(path.join(fixtures, 'api', 'globals.html'))
const [, isolated] = await emittedOnce(ipcMain, 'leak-result')
expect(isolated).to.have.property('globals')
const notIsolatedGlobals = new Set(notIsolated.globals)
for (const isolatedGlobal of isolated.globals) {
notIsolatedGlobals.delete(isolatedGlobal)
}
expect([...notIsolatedGlobals]).to.deep.equal([], 'non-isoalted renderer should have no additional globals')
})

it('loads the script before other scripts in window', async () => {
const preload = path.join(fixtures, 'module', 'set-global.js')
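Review bot: The new test destroys the first window only on the success path and never destroys the second one in the visible lines, so a failed `expect` or a `leak-result` that never arrives leaves a BrowserWindow alive for later specs unless an `afterEach` outside this hunk cleans up. Wrapping each half in `try { … } finally { w.destroy() }` would keep the spec self-contained. Both `w.loadFile(...)` promises are also left floating, so a load failure shows up only as a hung `emittedOnce`; attaching a `.catch` that fails the test would report the real error. The assertion message has a typo, `'non-isoalted'` for `'non-isolated'`. The enclosing `describe` starts and ends outside the hunk.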
@@ -0,0 +1,13 @@
<!DOCTYPE html>
<html lang="en">
<head>
<title>Document</title>
</head>
<body>
<script>
window.postMessage({
globals: Object.keys(Object.getOwnPropertyDescriptors(window))
})
</script>
</body>
</html>
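Review bot: Nothing in this fixture or in the visible spec shows how the `window.postMessage` payload reaches the `ipcMain` `'leak-result'` listener the test waits on, so a reader cannot tell what makes the test pass. Presumably the preload (`module/empty.js`) forwards the message; if so, an HTML comment above the script such as `<!-- The preload script forwards this message to the main process as 'leak-result' -->` would document that dependency. The same comment should say that only own string-keyed properties of `window` are reported, since that defines what the spec can detect.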
