nightmare
Remove window.__nightmare access
I hope that the current response to #1234 (i.e.: adding a small note in the README) is not the end of the security story for Nightmare.
Electron does caution you to be careful, but it also offers sandboxing. It's documented here: https://electronjs.org/docs/api/sandbox-option, and a more in-depth tutorial on enabling this can be found here: https://github.com/kewde/electron-sandbox.
Note that it seems sandboxing requires root.
Correct me if I'm wrong here, but isn't the preload script the only thing that has access to the filesystem when you turn nodeIntegration: false?
Also knowing that the preload script is the first thing that loads, don't we just need to make sure that the preload script can't be modified in some way by the remote JS? By having fixed IPC events and handlers?
Update: ahh, this is a big problem though:
```html
<!-- page served on localhost:5000; the inline script runs as remote page JS -->
<html>
<head>
<title>HaxOr</title>
</head>
<body>
<script type="text/javascript">
console.log(window.__nightmare)
</script>
</body>
</html>
```

```js
const Nightmare = require('nightmare')
const nightmare = Nightmare({ show: true })
// forward the page's console output so we can see what the remote script found
nightmare.on('console', console.log)
nightmare
  .goto('http://localhost:5000')
  .catch(e => console.error(e))
  .then(() => nightmare.end())
```
The remote script has access to window.__nightmare, so I think they could use some of Electron's private endpoints. We'll need to lock this down, either with a whitelist or removing window.__nightmare altogether 🔒
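A defender-side sketch of the whitelist option from the comment above, added here as an example and not Nightmare's own preload code: the page is handed a frozen object that forwards only a fixed set of IPC channels, while Electron's ipcRenderer stays hidden in a closure. The channel names are constructed, and a stub stands in for ipcRenderer so the file runs under plain Node.

```javascript
// Added example, not Nightmare's own code: a preload-side bridge exposing a fixed,
// whitelisted set of IPC channels to page scripts instead of the raw window.__nightmare.
// `ipcRenderer` is assumed to be Electron's; a constructed stand-in is used below.

// Channels page-side code may reach; anything else is refused (names constructed).
const ALLOWED_CHANNELS = Object.freeze(['nightmare:log', 'nightmare:done']);

function makeNightmareBridge(ipcRenderer, allowed = ALLOWED_CHANNELS) {
  const allowedSet = new Set(allowed);
  const bridge = {
    channels() { return [...allowedSet]; },
    // Forward only whitelisted channels; ipcRenderer stays in this closure, so
    // remote JS never gets a handle on it or on Electron's private endpoints.
    send(channel, ...args) {
      if (typeof channel !== 'string' || !allowedSet.has(channel)) {
        throw new Error(`IPC channel not allowed from page: ${String(channel)}`);
      }
      ipcRenderer.send(channel, ...args);
      return true;
    },
  };
  // Frozen, so page scripts cannot add or replace methods on the exposed object.
  return Object.freeze(bridge);
}

// Constructed stand-in for Electron's ipcRenderer that records what was sent.
function makeRecordingIpc() {
  const sent = [];
  return { sent, send(channel, ...args) { sent.push({ channel, args }); } };
}

// Walks through what a page script could try against the bridge.
function demo() {
  const ipc = makeRecordingIpc();
  const bridge = makeNightmareBridge(ipc);
  // In a real preload this object, not ipcRenderer, is what gets attached to
  // window (or handed to contextBridge.exposeInMainWorld on newer Electron).
  const out = { allowed: bridge.send('nightmare:log', 'hello'), blocked: null };
  try {
    bridge.send('some-private-endpoint', 'payload'); // constructed channel name
  } catch (e) {
    out.blocked = e.message;
  }
  // Page-side tampering is ignored (or throws in strict mode); send stays original.
  try { bridge.send = () => true; } catch (e) { /* TypeError under strict mode */ }
  out.tamperResisted = Object.isFrozen(bridge) && bridge.send.length === 1;
  return { ...out, sent: ipc.sent };
}
```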
Removing access to window.__nightmare is a good idea, but my intention with this issue was to track adoption of the actual chrome sandbox. Could you make another issue for this separate security issue?