Merge branch 'security-improvements'

For #220
2016-08-09 01:10:19 +09:00
parent ad3d0e7dd9 e1b18cb5f7
commit eac17decf6
5 changed files with 40 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ Release date: TBD
 #### All platforms
 - Changed display of unread messages on the team tabbar, they are now shown as bold text
 - Reload only the selected tab and keep its URL on "Reload" and "Clear Cache and Reload".
 - Disabled `eval()` function for security improvements.
 #### Windows
 - Update Mattermost icon for desktop notifications in Windows 10.
--- a/src/browser/index.jsx
+++ b/src/browser/index.jsx
@@ -1,5 +1,9 @@
 'use strict';
 window.eval = global.eval = function() {
  throw new Error("Sorry, Mattermost does not support window.eval() for security reasons.");
 }
 const React = require('react');
 const ReactDOM = require('react-dom');
 const ReactBootstrap = require('react-bootstrap');
@@ -428,7 +432,7 @@ var MattermostView = React.createClass({
    // Need to keep webview mounted when failed to load.
    return (<div>
              { errorView }
-              <webview id={ this.props.id } className="mattermostView" style={ this.props.style } preload="webview/mattermost.js" src={ this.props.src } ref="webview"></webview>
+              <webview id={ this.props.id } className="mattermostView" style={ this.props.style } preload="webview/mattermost.js" src={ this.props.src } ref="webview" nodeintegration="false"></webview>
            </div>);
  }
 });
--- a/src/browser/settings.jsx
+++ b/src/browser/settings.jsx
@@ -1,5 +1,9 @@
 'use strict';
 window.eval = global.eval = function() {
  throw new Error("Sorry, Mattermost does not support window.eval() for security reasons.");
 }
 const {remote, ipcRenderer} = require('electron');
 const settings = require('../common/settings');
--- a/src/browser/webview/mattermost.js
+++ b/src/browser/webview/mattermost.js
@@ -4,6 +4,10 @@ const electron = require('electron');
 const ipc = electron.ipcRenderer;
 const notification = require('../js/notification');
 window.eval = global.eval = function() {
  throw new Error("Sorry, Mattermost does not support window.eval() for security reasons.");
 }
 var hasClass = function(element, className) {
  var rclass = /[\t\r\n\f]/g;
  if ((' ' + element.className + ' ').replace(rclass, ' ').indexOf(className) > -1) {
--- a/test/specs/security_test.js
+++ b/test/specs/security_test.js
@@ -76,5 +76,30 @@ describe('application', function() {
        });
      }, 5000, 'expected a new window')
      .windowByIndex(3).isNodeEnabled().should.eventually.be.false;
-  })
+  });
  it('should NOT be able to call eval() in any window', function() {
    env.addClientCommands(this.app.client);
    const tryEval = (index) => {
      return this.app.client
        .windowByIndex(index)
        .execute(function() {
          return eval('1 + 1');
        }).should.eventually.be.rejected;
    };
    const tryEvalInSettingsPage = () => {
      return this.app.client
        .windowByIndex(0)
        .loadSettingsPage()
        .execute(function() {
          return eval('1 + 1');
        }).should.eventually.be.rejected;
    };
    return Promise.all([
      tryEval(0),
      tryEval(1),
      tryEval(2),
      tryEvalInSettingsPage()
    ]);
  });
 });