✨ hijack accessing window object with globalThis keyword (#1246)

2021-02-01 14:41:08 +08:00 · 2021-02-01 14:41:08 +08:00 · 92bddae77c
commit 92bddae77c
parent 5c3d278648
2 changed files with 10 additions and 0 deletions
--- a/src/sandbox/tests/proxySandbox.test.ts
+++ b/src/sandbox/tests/proxySandbox.test.ts
@ -71,6 +71,11 @@ test('window.self & window.window & window.top & window.parent should equals wit
  expect(proxy.parent).toBe(proxy);
 });

+test('globalThis should equals with sandbox', () => {
+  const { proxy } = new ProxySandbox('globalThis');
+  expect(proxy.globalThis).toBe(proxy);
+});
+
 test('allow window.top & window.parent to escape sandbox while in iframe', () => {
  // change window.parent to cheat ProxySandbox is in iframe
  Object.defineProperty(window, 'parent', { value: 'parent' });
--- a/src/sandbox/proxySandbox.ts
+++ b/src/sandbox/proxySandbox.ts
@ -223,6 +223,11 @@ export default class ProxySandbox implements SandBox {
          return proxy;
        }

+        // hijack global accessing with globalThis keyword
+        if (p === 'globalThis') {
+          return proxy;
+        }
+
        if (
          p === 'top' ||
          p === 'parent' ||