From 81a940f675e3ae677cbcb6c196b16550281f9151 Mon Sep 17 00:00:00 2001
From: Esteban Beltran
Date: Fri, 28 Jul 2023 14:04:23 +0200
Subject: [PATCH] Sandbox: Redirect calls to window.location to window.locationSandbox (#72252)

---
 public/app/features/plugins/sandbox/code_loader.ts | 5 +++++
 public/app/features/plugins/sandbox/sandbox_plugin_loader.ts | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/public/app/features/plugins/sandbox/code_loader.ts b/public/app/features/plugins/sandbox/code_loader.ts
index e8edbd29760..3c2ff92a5d8 100644
--- a/public/app/features/plugins/sandbox/code_loader.ts
+++ b/public/app/features/plugins/sandbox/code_loader.ts
@@ -58,10 +58,15 @@ export async function getPluginCode(meta: PluginMeta): Promise {
     const response = await fetch('public/' + meta.module + '.js');
     let pluginCode = await response.text();
     pluginCode = patchPluginSourceMap(meta, pluginCode);
+    pluginCode = patchPluginAPIs(pluginCode);
     return pluginCode;
   }
 }
 
+function patchPluginAPIs(pluginCode: string): string {
+  return pluginCode.replace(/window\.location/gi, 'window.locationSandbox');
+}
+
 /**
  * Patches the plugin's module.js source code references to sourcemaps to include the full url
  * of the module.js file instead of the regular relative reference.
diff --git a/public/app/features/plugins/sandbox/sandbox_plugin_loader.ts b/public/app/features/plugins/sandbox/sandbox_plugin_loader.ts
index 0e72eb730b3..a779a3a8d70 100644
--- a/public/app/features/plugins/sandbox/sandbox_plugin_loader.ts
+++ b/public/app/features/plugins/sandbox/sandbox_plugin_loader.ts
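Review bot: `patchPluginAPIs` rewrites `window.location` with an unanchored, case-insensitive regex, so any longer identifier containing that text is mangled as well — `window.locationbar` becomes `window.locationSandboxbar`, `myWindow.location` becomes `myWindow.locationSandbox` — and the same substitution also lands inside string literals and comments of the plugin source. Anchoring the pattern, `return pluginCode.replace(/\bwindow\.location\b/g, 'window.locationSandbox');`, avoids the identifier corruption and is idempotent on already-patched code, since `locationSandbox` no longer matches. Because this is a source-text rewrite it is sidestepped by `window['location']`, `globalThis.location`, `self.location` or `document.location` (unless the sandbox intercepts those elsewhere), and the `locationSandbox` endowment it redirects to is the host's real `Location` object, so the function should be documented as a compatibility shim rather than a control, e.g. `/** Compatibility shim: source-level rewrite of window.location to the locationSandbox endowment. Not a security boundary — bracket access and other aliases of location are untouched. */`. `getPluginCode` starts before this hunk; `patchPluginAPIs` is fully visible.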
@@ -74,6 +74,11 @@ async function doImportPluginModuleInSandbox(meta: PluginMeta): Promise
     liveTargetCallback: isLiveTarget,
     // endowments are custom variables we make available to plugins in their window object
     endowments: Object.getOwnPropertyDescriptors({
+      // window.location is unforgeable, we make the location available via endowments
+      // when the plugin code is loaded, the sandbox replaces the window.location with
+      // window.locationSandbox. In the future `window.location` could be a proxy if we
+      // want to intercept calls to it.
+      locationSandbox: window.location,
       // Plugins builds use the AMD module system. Their code consists
       // of a single function call to `define()` that internally contains all the plugin code.
       // This is that `define` function the plugin will call.
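Review bot: The new `locationSandbox` endowment hands the plugin the host's real `Location` object, so `locationSandbox.href = ...`, `.assign()` and `.replace()` navigate the Grafana page and the full current URL is readable, the same as outside the sandbox; the added comment explains why the endowment exists but not that it grants that unrestricted capability. I would say so in the comment, e.g. `// NOTE: this is the real Location object, not a restricted view — plugins can read the full URL and navigate the host page; a read-only proxy would be needed to change that.` The value is also exposed through `Object.getOwnPropertyDescriptors` of a plain object literal, i.e. as a writable, configurable data property, so a plugin can reassign `window.locationSandbox` for itself unless the sandbox freezes endowments; presumably harmless, since only the plugin's own rewritten code references that name, but worth a word. `doImportPluginModuleInSandbox` starts before this hunk.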