Implementation and further tests for #220

src/browser/settings.jsx

@@ -1,5 +1,9 @@
 'use strict';
 
+window.eval = global.eval = function() {
+  throw new Error("Sorry, Mattermost does not support window.eval() for security reasons.");
+}
+
 const {remote, ipcRenderer} = require('electron');
 const settings = require('../common/settings');
 

src/browser/webview/mattermost.js

@@ -4,6 +4,10 @@ const electron = require('electron');
 const ipc = electron.ipcRenderer;
 const notification = require('../js/notification');
 
+window.eval = global.eval = function() {
+  throw new Error("Sorry, Mattermost does not support window.eval() for security reasons.");
+}
+
 var hasClass = function(element, className) {
   var rclass = /[\t\r\n\f]/g;
   if ((' ' + element.className + ' ').replace(rclass, ' ').indexOf(className) > -1) {

test/specs/security_test.js

@@ -78,12 +78,28 @@ describe('application', function() {
       .windowByIndex(3).isNodeEnabled().should.eventually.be.false;
   });
 
-  it('should NOT be able to call eval in any window', function() {
+  it('should NOT be able to call eval() in any window', function() {
     env.addClientCommands(this.app.client);
-    const client = this.app.client;
-    return this.app.client
-      .windowByIndex(1) // in the first webview
-      .eval()
-      .should.be.rejected;
+    const tryEval = (index) => {
+      return this.app.client
+        .windowByIndex(index)
+        .execute(function() {
+          return eval('1 + 1');
+        }).should.eventually.be.rejected;
+    };
+    const tryEvalInSettingsPage = () => {
+      return this.app.client
+        .windowByIndex(0)
+        .loadSettingsPage()
+        .execute(function() {
+          return eval('1 + 1');
+        }).should.eventually.be.rejected;
+    };
+    return Promise.all([
+      tryEval(0),
+      tryEval(1),
+      tryEval(2),
+      tryEvalInSettingsPage()
+    ]);
   });
 });