Merge pull request #12 from lneir/add-security-check

Add security check
Lynn 2017-02-12 17:13:08 -08:00 committed by GitHub
commit 21de6cebe7
3 changed files with 115 additions and 69 deletions


@ -5,8 +5,6 @@
// to leak some node module into:
// https://medium.com/@leonli/securing-embedded-external-content-in-electron-node-js-8b6ef665cd8e#.fex4e68p7
// https://slack.engineering/building-hybrid-applications-with-electron-dc67686de5fb#.tp6zz1nrk
// as suggested above: consider injecting key into window that can be used to
// validate operations.
//
// also to bring pieces of node.js:
// https://github.com/electron/electron/issues/2984


@ -5,8 +5,6 @@
// to leak some node module into:
// https://medium.com/@leonli/securing-embedded-external-content-in-electron-node-js-8b6ef665cd8e#.fex4e68p7
// https://slack.engineering/building-hybrid-applications-with-electron-dc67686de5fb#.tp6zz1nrk
// as suggested above: consider injecting key into window that can be used to
// validate operations.
//
// also to bring pieces of node.js:
// https://github.com/electron/electron/issues/2984


@ -2,44 +2,49 @@ const electron = require('electron');
const packageJSON = require('../package.json');
const menuTemplate = require('./menuTemplate.js');
const path = require('path');
const app = electron.app
const BrowserWindow = electron.BrowserWindow;
// Keep a global reference of the window object, if you don't, the window will
// be closed automatically when the JavaScript object is garbage collected.
let mainWindow;
let windows = {};
let willQuitApp = false;
if (require('electron-squirrel-startup')) return;
if (require('electron-squirrel-startup')) {
return;
}
if (isDevEnv()) {
// needed for development env because local server doesn't have cert
app.commandLine.appendSwitch('--ignore-certificate-errors');
}
// Keep a global reference of the window object, if you don't, the window will
// be closed automatically when the JavaScript object is garbage collected.
let mainWindow;
let childWindows = [];
function isDevEnv() {
var isDev = process.env.ELECTRON_DEV ?
let isDev = process.env.ELECTRON_DEV ?
process.env.ELECTRON_DEV.trim().toLowerCase() === "true" : false;
return isDev;
}
function createMainWindow () {
let key = getWindowKey();
// note: for now, turning off node integration as this is causing failure with
// onelogin, jquery can not get initialized. electron's node integration
// conflicts on the window object.
mainWindow = new BrowserWindow({
mainWindow = new electron.BrowserWindow({
title: 'Symphony',
width: 1024, height: 768,
webPreferences: {
sandbox: false,
sandbox: true,
nodeIntegration: false,
preload: path.join(__dirname, '/main-preload.js')
preload: path.join(__dirname, '/main-preload.js'),
winKey: key
}
});
storeWindowKey(key, mainWindow)
mainWindow.loadURL(packageJSON.homepage);
const menu = electron.Menu.buildFromTemplate(menuTemplate(app));
@ -56,6 +61,7 @@ function createMainWindow () {
e.preventDefault();
}
});
mainWindow.on('closed', function () {
// Dereference the window object, usually you would store windows
// in an array if your app supports multi windows, this is the time
@ -70,24 +76,68 @@ function createMainWindow () {
});
}
electron.ipcMain.on('symphony-msg', (event, arg) => {
if (arg && arg.cmd === 'open' && arg.url) {
var width = arg.width || 1024;
var height = arg.height || 768;
var title = arg.title || 'Symphony';
function getWindowKey() {
// generate guid:
// http://stackoverflow.com/questions/105034/create-guid-uuid-in-javascript
function s4() {
return Math.floor((1 + Math.random()) * 0x10000).toString(16)
.substring(1);
}
return s4() + s4() + '-' + s4() + '-' + s4() + '-' +
s4() + '-' + s4() + s4() + s4();
}
let childWindow = new BrowserWindow({
function storeWindowKey(key, browserWin) {
windows[key] = browserWin;
}
/**
* Ensure events comes from a window that we have created.
* @param {EventEmitter} event node emitter event to be tested
* @return {Boolean} returns true if exists otherwise false
*/
function isValidWindow(event) {
if (event && event.sender) {
// validate that event sender is from window we created
let browserWin = electron.BrowserWindow.fromWebContents(event.sender)
let winKey = event.sender.browserWindowOptions &&
event.sender.browserWindowOptions.webPreferences &&
event.sender.browserWindowOptions.webPreferences.winKey;
if (browserWin instanceof electron.BrowserWindow) {
let win = windows[winKey];
return win && win === browserWin;
}
}
return false;
}
electron.ipcMain.on('symphony-msg', (event, arg) => {
if (!isValidWindow(event)) {
console.log('invalid window try to perform action, ignoring action.');
return;
}
if (arg && arg.cmd === 'open' && arg.url) {
let width = arg.width || 1024;
let height = arg.height || 768;
let title = arg.title || 'Symphony';
let winKey = getWindowKey();
let childWindow = new electron.BrowserWindow({
title: title,
width: width,
height: height,
webPreferences: {
sandbox: false,
sandbox: true,
nodeIntegration: false,
preload: path.join(__dirname, '/child-preload.js')
preload: path.join(__dirname, '/child-preload.js'),
winKey: winKey
}
});
childWindows.push(childWindow);
storeWindowKey(winKey, childWindow);
childWindow.loadURL(arg.url);
return;
}
@ -110,7 +160,7 @@ app.on('window-all-closed', function () {
if (process.platform !== 'darwin') {
app.quit();
}
})
});
app.on('activate', function () {
if (mainWindow === null) {
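Review bot: The `symphony-msg` handler still hands `arg.url` to `childWindow.loadURL(arg.url)` unchecked, so the new `isValidWindow(event)` gate only establishes which window sent the message, not that the requested target is acceptable; content running in a legitimate window can still ask for any scheme or host, and it is loaded with `child-preload.js` attached. Parse the value and reject anything outside the schemes and origins the app expects before the window is created, for example `let target = require('url').parse(arg.url);` followed by `if (target.protocol !== 'https:') { return; }`. Separately, `getWindowKey()` derives the key from `Math.random()`, which is predictable; if the key is ever exposed to page content as a validation token, as the preload comments suggest, generate it with `require('crypto').randomBytes(16).toString('hex')` instead. In the visible hunks nothing deletes an entry from `windows` when a window emits `closed`, so closed windows appear to stay referenced and would still pass a lookup by key; a `delete windows[key]` in the `closed` handlers would cover that. The handler body and the `closed` callback continue outside the hunks shown, so confirm against the full file.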