phlux/mattermostest
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added two security improvements as mentioned at http://electron.atom.io/docs/all/#checklist

Browse Source
This commit is contained in:
Kolja Lampe
2016-07-22 23:03:03 +02:00
parent 04fe0fd336
commit 54849d6859
2 changed files with 15 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/browser/index.jsx
View File

@@ -1,5 +1,9 @@
'use strict'; 'use strict';
window.eval = global.eval = function() {
throw new Error("Sorry, Mattermost does not support window.eval() for security reasons.");
}
const React = require('react'); const React = require('react');
const ReactDOM = require('react-dom'); const ReactDOM = require('react-dom');
const ReactBootstrap = require('react-bootstrap'); const ReactBootstrap = require('react-bootstrap');
@@ -417,7 +421,7 @@ var MattermostView = React.createClass({
// Need to keep webview mounted when failed to load. // Need to keep webview mounted when failed to load.
return (<div> return (<div>
{ errorView } { errorView }
<webview id={ this.props.id } className="mattermostView" style={ this.props.style } preload="webview/mattermost.js" src={ this.props.src } ref="webview"></webview> <webview id={ this.props.id } className="mattermostView" style={ this.props.style } preload="webview/mattermost.js" src={ this.props.src } ref="webview" nodeintegration="false"></webview>
</div>); </div>);
} }
}); });

11
test/specs/security_test.js
View File

@@ -76,5 +76,14 @@ describe('application', function() {
}); });
}, 5000, 'expected a new window') }, 5000, 'expected a new window')
.windowByIndex(3).isNodeEnabled().should.eventually.be.false; .windowByIndex(3).isNodeEnabled().should.eventually.be.false;
}) });
it('should NOT be able to call eval in any window', function() {
env.addClientCommands(this.app.client);
const client = this.app.client;
return this.app.client
.windowByIndex(1) // in the first webview
.eval()
.should.be.rejected;
});
}); });