guawazi/qiankun-fit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

hijack accessing window object with globalThis keyword (#1246)

Browse Source
This commit is contained in:
Kuitos 2021-02-01 14:41:08 +08:00 committed by GitHub
parent 5c3d278648
commit 92bddae77c
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/sandbox/__tests__/proxySandbox.test.ts
View File

@ -71,6 +71,11 @@ test('window.self & window.window & window.top & window.parent should equals wit
expect(proxy.parent).toBe(proxy); expect(proxy.parent).toBe(proxy);
}); });
test('globalThis should equals with sandbox', () => {
const { proxy } = new ProxySandbox('globalThis');
expect(proxy.globalThis).toBe(proxy);
});
test('allow window.top & window.parent to escape sandbox while in iframe', () => { test('allow window.top & window.parent to escape sandbox while in iframe', () => {
// change window.parent to cheat ProxySandbox is in iframe // change window.parent to cheat ProxySandbox is in iframe
Object.defineProperty(window, 'parent', { value: 'parent' }); Object.defineProperty(window, 'parent', { value: 'parent' });

5
src/sandbox/proxySandbox.ts
View File

@ -223,6 +223,11 @@ export default class ProxySandbox implements SandBox {
return proxy; return proxy;
} }
// hijack global accessing with globalThis keyword
if (p === 'globalThis') {
return proxy;
}
if ( if (
p === 'top' || p === 'top' ||
p === 'parent' || p === 'parent' ||