
Cypress replaces usages of variables called "parent" with "self"

Open umanghome opened this issue 2 years ago • 2 comments

Current behavior

Whenever a variable called "parent" is used in the same line as a variable named "window", Cypress silently replaces "parent" with "self".

We found a relevant PR that may have introduced this code (https://github.com/cypress-io/cypress/pull/1295) for security reasons, but it misses a pretty trivial case like eval("parent"), as demonstrated in the reproduction. As long as the string version of "parent" is left as-is, any attacker can get the value of parent.

Desired behavior

There should at least be documentation for this, or this behavior should be opt-in. This is very tricky to even debug when you have source maps enabled, which show "self" as "parent".

Test code to reproduce

https://github.com/umanghome/cypress-parent-self-issue

You can see the code that runs on the page here: https://codesandbox.io/s/cypress-parent-self-issue-qjee0g?file=/script.js

Source code

image

What the browser sees while running Cypress

See line 8, where Cypress replaced parent with self. But it did not on line 13.

image

Cypress Version

12.0.2

Node version

v16.13.2

Operating System

macOS 12.3

Debug Logs

No response

Other

No response

umanghome avatar Dec 10 '22 12:12 umanghome

Replacing parent with self is used to prevent frame-busting, since Cypress runs your application in an iframe. Without it, any sites that have frame-busting can't run in Cypress since they tend to take over the entirety of the browser. It's documented here and configurable with the modifyObstructiveCode option.

Looks like replacing eval('parent') isn't one we've encountered or taken into consideration, so I'll route this to my team to look into that.

chrisbreiding avatar Jan 12 '23 18:01 chrisbreiding
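The gap discussed in this thread, as an added example that is not part of the issue or of Cypress's code: a toy source-level rewriter turns the identifier `parent` into `self` but cannot see a name that only exists inside a string until runtime. The rewriter rule, `rewriteObstructive`, `runInFrame` and the sample script are all constructed for illustration and assume the behavior as the issue describes it.

```javascript
// Toy stand-in for a source-level rewriter (NOT Cypress's implementation).
// Rule assumed from the issue text: on a line that mentions `window`,
// the bare identifier `parent` becomes `self`; string literals are untouched.
function rewriteObstructive(source) {
  const token = /("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|\bparent\b/g;
  return source
    .split('\n')
    .map((line) =>
      /\bwindow\b/.test(line)
        ? line.replace(token, (m, str) => (str !== undefined ? m : 'self'))
        : line)
    .join('\n');
}

// Constructed page script: the same frame check written two ways.
const PAGE_SCRIPT = [
  'var framed = window.parent !== window;',
  'var viaEval = window !== eval("parent");',
  'return { framed: framed, viaEval: viaEval };',
].join('\n');

// Run a script body as if inside an iframe: `window`/`self` are the app
// frame, `parent` is a distinct object standing in for the test runner.
function runInFrame(body) {
  const runner = { name: 'runner' };
  const frame = { name: 'app' };
  frame.self = frame;
  frame.parent = runner;
  return new Function('window', 'self', 'parent', body)(frame, frame, runner);
}

const before = runInFrame(PAGE_SCRIPT);
const after = runInFrame(rewriteObstructive(PAGE_SCRIPT));
console.log(rewriteObstructive(PAGE_SCRIPT));
console.log({ before, after });
```

After rewriting, the first check no longer detects the frame while the `eval` form still does, which is why an application that behaves differently under test only on some code paths is worth checking against the rewritten source rather than the source map.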

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.

cypress-app-bot avatar Jul 12 '23 02:07 cypress-app-bot

This issue has been closed due to inactivity.

cypress-app-bot avatar Jul 27 '23 01:07 cypress-app-bot