nodeIntegrationInWorker check added

doyensec · Oct 31, 2018 · 7f0ba54 · 7f0ba54
1 parent c37e73c
commit 7f0ba54
Show file tree

Hide file tree

Showing 15 changed files with 130 additions and 70 deletions.
diff --git a/src/finder/ast.js b/src/finder/ast.js
@@ -61,8 +61,13 @@ export class EsprimaAst extends Ast {
           if (stopAtFirst)
             return estraverse.VisitorOption.Break;
         }
-        if ((max_depth > 0) && (depth === max_depth))
-          return estraverse.VisitorOption.Skip;
+        if (max_depth > 0) {
+          if (depth > max_depth)
+            throw new Error('Traversal error'); // shouldn't be here
+
+          if (depth === max_depth)
+            return estraverse.VisitorOption.Skip;
+        }
       },
       leave: () => {
         depth -= 1;
@@ -101,9 +106,14 @@ export class BabelAst extends Ast {
             return;
           }
         }
-        if ((max_depth > 0) && (depth === max_depth)) {
-          node.skip();
-          depth -= 1; // exit will be not called
+        if (max_depth > 0) {
+          if (depth > max_depth)
+            throw new Error('Traversal error'); // shouldn't be here
+
+          if (depth === max_depth) {
+            node.skip();
+            depth -= 1; // exit will be not called
+          }
         }
       },
       exit: (node) => {
@@ -142,27 +152,28 @@ export class ESLintAst extends Ast {
   findNode(ast, max_depth, stopAtFirst, found) {
     const nodes = [];
     let depth = 0;
-    let shouldStop = false;
     this.esLintTraverser.traverse(ast, {
       enter: (node) => {
+        if (max_depth > 0) {
+          if (depth === max_depth) {
+            this.esLintTraverser.skip();
+            return;
+          }
+          if (depth > max_depth)
+            throw new Error('Traversal error'); // shouldn't be here
+        }
+
         depth += 1;
         if (found(this.getNode(node))) {
           nodes.push(this.getNode(node));
           if (stopAtFirst) {
-            shouldStop = true;
             this.esLintTraverser.break();
             return;
           }
         }
-        if ((max_depth > 0) && (depth === max_depth)) {
-          this.esLintTraverser.break();
-          depth -= 1; // leave will be not called
-        }
       },
       leave: () => {
         depth -= 1;
-        if (shouldStop)
-          this.esLintTraverser.stop();
       },
     });
     return nodes;

diff --git a/src/finder/checks/NodeIntegrationJavascriptCheck.js b/src/finder/checks/NodeIntegrationJavascriptCheck.js
@@ -11,27 +11,40 @@ export default class NodeIntegrationJavascriptCheck {
     if (data.type !== 'NewExpression') return null;
     if (data.callee.name !== 'BrowserWindow') return null;
 
-    const parent_loc = [{ line: data.loc.start.line, column: data.loc.start.column, id: this.id, description: this.description, manualReview: false }];
     let set = false;
     let loc = [];
     for (const arg of data.arguments) {
-      const found_nodes = ast.findNodeByType(arg, ast.PropertyName, ast.PropertyDepth, true, node => (node.key.value === 'nodeIntegration' || node.key.name === 'nodeIntegration'));
-      for (const node of found_nodes) {
-        // in practice if there are two keys with the same name, the value of the last one wins
-        // but technically it is an invalid json
-        // just to be on the safe side show a warning if any value is insecure
-        set = true;
-        if (node.value.value === false)
-          continue; // anything other than false is ignored
-
-        loc.push({ line: node.key.loc.start.line, column: node.key.loc.start.column, id: this.id, description: this.description, manualReview: false });
-      }
+      set = this.findNode(ast, arg, 'nodeIntegration', loc);
+      // nodeIntegrationInWorker default value is safe
+      // so no check for return value (don't care if it was found)
+      this.findNode(ast, arg, 'nodeIntegrationInWorker', loc);
     }
 
     if (!set) {
-      return parent_loc;
+      loc.push({ line: data.loc.start.line, column: data.loc.start.column, id: this.id, description: this.description, manualReview: false });
     }
 
     return loc;
   }
+
+  findNode(ast, startNode, name, locations) {
+    let found = false;
+
+    const nodes = ast.findNodeByType(startNode, ast.PropertyName, ast.PropertyDepth, false, node => {
+      return node.key.value === name || node.key.name === name;
+    });
+
+    for (const node of nodes) {
+      // in practice if there are two keys with the same name, the value of the last one wins
+      // but technically it is an invalid json
+      // just to be on the safe side show a warning if any value is insecure
+      found = true;
+      if (node.value.value === false)
+        continue; // anything other than false is ignored
+
+      locations.push({ line: node.key.loc.start.line, column: node.key.loc.start.column, id: this.id, description: this.description, manualReview: false });
+    }
+
+    return found;
+  }
 }
diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_1_0.js b/test/checks/NODE_INTEGRATION_JS_CHECK_1_0.js
@@ -1,9 +1,9 @@
 mainWindow = new BrowserWindow({ "webPreferences": {
   "nodeIntegration": false,
-  "nodeIntegrationInWorker": 1 }
+  "nodeIntegrationInWorker": false }
 });
 
 mainWindow = new BrowserWindow({ webPreferences: {
   nodeIntegration: false,
-  nodeIntegrationInWorker: 1 }
+  nodeIntegrationInWorker: false }
 });
diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_1_0.ts b/test/checks/NODE_INTEGRATION_JS_CHECK_1_0.ts
@@ -8,14 +8,14 @@ export default function initialize() {
     mainWindow = new BrowserWindow({
       "webPreferences": {
         "nodeIntegration": false,
-        "nodeIntegrationInWorker": 1
+        "nodeIntegrationInWorker": false
       }
     });
 
     mainWindow = new BrowserWindow({
       webPreferences: {
         nodeIntegration: false,
-        nodeIntegrationInWorker: 1
+        nodeIntegrationInWorker: false
       }
     });
   }

diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_1_4.js b/test/checks/NODE_INTEGRATION_JS_CHECK_1_4.js
@@ -1,19 +1,19 @@
 mainWindow = new BrowserWindow({ "webPreferences": {
   "nodeIntegration": true,
-  "nodeIntegrationInWorker": 1 }
+  "nodeIntegrationInWorker": false }
 });
 
 mainWindow = new BrowserWindow({ "webPreferences": {
   "nodeIntegration": 0,
-  "nodeIntegrationInWorker": 1 }
+  "nodeIntegrationInWorker": false }
 });
 
 mainWindow = new BrowserWindow({ webPreferences: {
   nodeIntegration: true,
-  nodeIntegrationInWorker: 1 }
+  nodeIntegrationInWorker: false }
 });
 
 mainWindow = new BrowserWindow({ webPreferences: {
   nodeIntegration: 0,
-  nodeIntegrationInWorker: 1 }
+  nodeIntegrationInWorker: false }
 });
diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_1_4.ts b/test/checks/NODE_INTEGRATION_JS_CHECK_1_4.ts
@@ -8,28 +8,28 @@ export default function initialize() {
     mainWindow = new BrowserWindow({
       "webPreferences": {
         "nodeIntegration": true,
-        "nodeIntegrationInWorker": 1
+        "nodeIntegrationInWorker": false
       }
     });
 
     mainWindow = new BrowserWindow({
       "webPreferences": {
         "nodeIntegration": 0,
-        "nodeIntegrationInWorker": 1
+        "nodeIntegrationInWorker": false
       }
     });
 
     mainWindow = new BrowserWindow({
       webPreferences: {
         nodeIntegration: true,
-        nodeIntegrationInWorker: 1
+        nodeIntegrationInWorker: false
       }
     });
 
     mainWindow = new BrowserWindow({
       webPreferences: {
         nodeIntegration: 0,
-        nodeIntegrationInWorker: 1
+        nodeIntegrationInWorker: false
       }
     });
   }

diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_2_1.js b/test/checks/NODE_INTEGRATION_JS_CHECK_2_1.js
@@ -1,4 +1,4 @@
 mainWindow = new BrowserWindow({ "webPreferences": {
   "nodeIntegration": 1,
-  "nodeIntegrationInWorker": 1 }
+  "nodeIntegrationInWorker": false }
 });
diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_2_1.ts b/test/checks/NODE_INTEGRATION_JS_CHECK_2_1.ts
@@ -8,7 +8,7 @@ export default function initialize() {
     mainWindow = new BrowserWindow({
       "webPreferences": {
         "nodeIntegration": 1,
-        "nodeIntegrationInWorker": 1
+        "nodeIntegrationInWorker": false
       }
     });
   }

diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_3_1.js b/test/checks/NODE_INTEGRATION_JS_CHECK_3_1.js
diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_3_1.ts b/test/checks/NODE_INTEGRATION_JS_CHECK_3_1.ts
diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_3_2.js b/test/checks/NODE_INTEGRATION_JS_CHECK_3_2.js
@@ -0,0 +1,9 @@
+mainWindow = new BrowserWindow({ "webPreferences": {
+  "nodeIntegration": false,
+  "nodeIntegrationInWorker": true }
+});
+
+mainWindow = new BrowserWindow({ webPreferences: {
+  nodeIntegration: false,
+  nodeIntegrationInWorker: true }
+});
diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_4_2.ts → test/checks/NODE_INTEGRATION_JS_CHECK_3_2.ts b/test/checks/NODE_INTEGRATION_JS_CHECK_4_2.ts → test/checks/NODE_INTEGRATION_JS_CHECK_3_2.ts
@@ -7,14 +7,15 @@ export default function initialize() {
   function createWindow() {
     mainWindow = new BrowserWindow({
       "webPreferences": {
-        "nodeIntegrationInWorker": 1
+        "nodeIntegration": false,
+        "nodeIntegrationInWorker": true
       }
     });
 
-    otherWindow = new BrowserWindow({
-      "webPreferences": {
-        "nodeIntegration": 1,
-        "nodeIntegrationInWorker": 1
+    mainWindow = new BrowserWindow({
+      webPreferences: {
+        nodeIntegration: false,
+        nodeIntegrationInWorker: true
       }
     });
   }

diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_4_2.js b/test/checks/NODE_INTEGRATION_JS_CHECK_4_2.js
diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_4_4.js b/test/checks/NODE_INTEGRATION_JS_CHECK_4_4.js
@@ -0,0 +1,17 @@
+mainWindow = new BrowserWindow({ "webPreferences": {
+  "nodeIntegrationInWorker": false }
+});
+
+otherWindow = new BrowserWindow({ "webPreferences": {
+  "nodeIntegration": 1,
+  "nodeIntegrationInWorker": false }
+});
+
+mainWindow = new BrowserWindow({ webPreferences: {
+  nodeIntegrationInWorker: false }
+});
+
+otherWindow = new BrowserWindow({ webPreferences: {
+  nodeIntegration: 1,
+  nodeIntegrationInWorker: false }
+});
diff --git a/test/checks/NODE_INTEGRATION_JS_CHECK_4_4.ts b/test/checks/NODE_INTEGRATION_JS_CHECK_4_4.ts
@@ -0,0 +1,34 @@
+import { BrowserWindow } from "electron";
+
+export default function initialize() {
+
+  let mainWindow: BrowserWindow | undefined;
+
+  function createWindow() {
+    mainWindow = new BrowserWindow({
+      "webPreferences": {
+        "nodeIntegrationInWorker": false
+      }
+    });
+
+    mainWindow = new BrowserWindow({
+      "webPreferences": {
+        "nodeIntegration": 1,
+        "nodeIntegrationInWorker": false
+      }
+    });
+
+    mainWindow = new BrowserWindow({
+      webPreferences: {
+        nodeIntegrationInWorker: false
+      }
+    });
+
+    mainWindow = new BrowserWindow({
+      webPreferences: {
+        nodeIntegration: 1,
+        nodeIntegrationInWorker: false
+      }
+    });
+  }
+}