From 7c38ec70e1b3e4014e2e8b5a860baddb05113abe Mon Sep 17 00:00:00 2001 From: krassowski <5832902+krassowski@users.noreply.github.com> Date: Sun, 19 Dec 2021 23:42:36 +0000 Subject: [PATCH 1/7] Upgrade to Electron 15 --- package.json | 2 +- yarn.lock | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/package.json b/package.json index 38a957f5..5f685ad5 100644 --- a/package.json +++ b/package.json @@ -149,7 +149,7 @@ "@types/yargs": "^16.0.0", "@yarnpkg/lockfile": "~1.1.0", "css-loader": "~5.1.1", - "electron": "^14.0.0", + "electron": "^15.0.0", "electron-builder": "^22.11.11", "file-loader": "~6.2.0", "fs-extra": "~9.1.0", diff --git a/yarn.lock b/yarn.lock index ec107db2..47a90e33 100644 --- a/yarn.lock +++ b/yarn.lock @@ -88,7 +88,7 @@ resolved "https://registry.yarnpkg.com/@discoveryjs/json-ext/-/json-ext-0.5.6.tgz#d5e0706cf8c6acd8c6032f8d54070af261bbbb2f" integrity sha512-ws57AidsDvREKrZKYffXddNkyaF14iHNHm8VQnZH6t99E8gczjNN0GpvcGny0imC80yQ0tHz1xVUKk/KFQSUyA== -"@electron/get@^1.0.1": +"@electron/get@^1.13.0": version "1.13.1" resolved "https://registry.yarnpkg.com/@electron/get/-/get-1.13.1.tgz#42a0aa62fd1189638bd966e23effaebb16108368" integrity sha512-U5vkXDZ9DwXtkPqlB45tfYnnYBN8PePp1z/XDCupnSpdrxT8/ThCv9WCwPLf9oqiSGZTkH6dx2jDUPuoXpjkcA== 
@@ -3364,12 +3364,12 @@ electron-to-chromium@^1.4.17: resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.24.tgz#9cf8a92d5729c480ee47ff0aa5555f57467ae2fa" integrity sha512-erwx5r69B/WFfFuF2jcNN0817BfDBdC4765kQ6WltOMuwsimlQo3JTEq0Cle+wpHralwdeX3OfAtw/mHxPK0Wg== -electron@^14.0.0: - version "14.2.3" - resolved "https://registry.yarnpkg.com/electron/-/electron-14.2.3.tgz#3facf572c57cefe8ce80154ad3e63f937784644b" - integrity sha512-7wBqvzUKhK1tw544w3+F8J7NajnqURGC4pH3VFTiBHU5ayiI/oaTTXJxyFLZ54zsR7xwon/3dYEVjIm2i68+Zg== +electron@^15.0.0: + version "15.3.4" + resolved "https://registry.yarnpkg.com/electron/-/electron-15.3.4.tgz#811e8872f4500b88ad49e005cbe8f93e10676f6d" + integrity sha512-GLTE+UEKw1pJehkgpLgXtsHhYqSPp6skSNY1bxnY3dDYBrsPlP3nTEO9YQY2p4eHk+uxFVTXOVy5afcu9fIZ9A== dependencies: - "@electron/get" "^1.0.1" + "@electron/get" "^1.13.0" "@types/node" "^14.6.2" extract-zip "^1.0.3" From 3e03c1164b47316eea1b49210a970b003e57b4d4 Mon Sep 17 00:00:00 2001 From: Mehmet Bektas Date: Sat, 22 Jan 2022 23:21:46 -0800 Subject: [PATCH 2/7] allow navigation between same host URLs, allow whitespace in base64 PDF data --- src/browser/utils.ts | 8 ++++++++ src/main/main.ts | 7 +++++-- webpack.browser.js | 3 +++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/src/browser/utils.ts b/src/browser/utils.ts index 1932d157..48a58fba 100644 --- a/src/browser/utils.ts +++ b/src/browser/utils.ts @@ -35,3 +35,11 @@ namespace Browser { return 28 / webFrame.getZoomFactor(); } } + +// atob with support for whitespace in data +export +function atobWhiteSpace(data: string): string { + // remove whitespace + data = data.replace(/\s/g, ""); + return window.atob(data); +} diff --git a/src/main/main.ts b/src/main/main.ts index d80883c7..03c1e937 100644 --- a/src/main/main.ts +++ b/src/main/main.ts 
@@ -192,8 +192,11 @@ app.on('ready', () => {
 app.on("web-contents-created", (_event: any, webContents: WebContents) => {
 // Prevent navigation
 webContents.on('will-navigate', (event: Event, navigationUrl) => {
- console.warn(`Navigation is not allowed; attempted navigation to: ${navigationUrl}`);
- event.preventDefault();
+ const jlabBaseUrl = `http://localhost:${appConfig.jlabPort}/`;
+ if (!navigationUrl.startsWith(jlabBaseUrl)) {
+ console.warn(`Navigation is not allowed; attempted navigation to: ${navigationUrl}`);
+ event.preventDefault();
+ }
 });
 // handle page's beforeunload prompt natively
diff --git a/webpack.browser.js b/webpack.browser.js
index 39693283..a854b461 100644
--- a/webpack.browser.js
+++ b/webpack.browser.js
@@ -164,6 +164,9 @@ module.exports = {
 },
 name: 'CORE_FEDERATION',
 shared: createShared(data)
+ }),
+ new webpack.ProvidePlugin({
+ 'atob': [path.resolve(path.join(__dirname, 'build/out/browser/utils.js')), 'atobWhiteSpace']
 })
 ],
 devtool: 'source-map'
From 3c81f55ebe31b4e8b01c6f046ab0d7ebfb7f9eaf Mon Sep 17 00:00:00 2001
From: Mehmet Bektas
Date: Sun, 30 Jan 2022 22:07:53 -0800
Subject: [PATCH 3/7] improved fix for electron 15
---
 src/main/main.ts | 4 ++--
 src/main/preload.ts | 37 +++++++++++++++++++++++++++++++++++++
 src/main/sessions.ts | 3 ++-
 webpack.browser.js | 3 ---
 4 files changed, 41 insertions(+), 6 deletions(-)
 create mode 100644 src/main/preload.ts
diff --git a/src/main/main.ts b/src/main/main.ts
index 03c1e937..fe73ec66 100644
--- a/src/main/main.ts
+++ b/src/main/main.ts
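Review bot: The allow-list in the `will-navigate` handler of src/main/main.ts (patch 2/7) is a raw string prefix test, and it pins the origin only because `jlabBaseUrl` ends in `/`; without that slash a URL on a longer port number with the same leading digits would also match. A comment would keep the slash from being edited away, e.g. `// trailing '/' is required: it pins the prefix match to this exact host:port`. Redirects are a separate gap: Electron reports them through `will-redirect`, which nothing in this hunk handles, so a request that starts under the base URL and is redirected elsewhere is presumably not stopped here. The same prefix test is reused by the main.ts hunks in patches 3/7 and 7/7, and the enclosing `web-contents-created` callback continues outside the hunk.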
@@ -190,10 +190,10 @@ app.on('ready', () => {
 });
 app.on("web-contents-created", (_event: any, webContents: WebContents) => {
- // Prevent navigation
+ // Prevent navigation to local links
 webContents.on('will-navigate', (event: Event, navigationUrl) => {
 const jlabBaseUrl = `http://localhost:${appConfig.jlabPort}/`;
- if (!navigationUrl.startsWith(jlabBaseUrl)) {
+ if (navigationUrl.startsWith(jlabBaseUrl) && navigationUrl.indexOf('#') !== -1) {
 console.warn(`Navigation is not allowed; attempted navigation to: ${navigationUrl}`);
 event.preventDefault();
 }
diff --git a/src/main/preload.ts b/src/main/preload.ts
new file mode 100644
index 00000000..65e9abc1
--- /dev/null
+++ b/src/main/preload.ts
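Review bot: The rewritten condition in src/main/main.ts (patch 3/7), `navigationUrl.startsWith(jlabBaseUrl) && navigationUrl.indexOf('#') !== -1`, cancels only JupyterLab URLs that contain `#`, so every URL outside `jlabBaseUrl` is now allowed to load. The session window in this same patch is created with `nodeIntegration: true` and `contextIsolation: false`, so a page reached that way would presumably run with Node.js access. Patch 7/7 restores the block on external URLs; this commit should not be cherry-picked or shipped without it. The new comment `// Prevent navigation to local links` also no longer tells a reader that external navigation is permitted at this point.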
@@ -0,0 +1,37 @@
+// atob implementation below is modified from node.js source and copyright below is for that
+
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+window.atob = (input): string => {
+ const kBase64Digits =
+ 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
+
+ // remove whitespace
+ input = `${input}`.replace(/\s/g, "");
+ for (let n = 0; n < input.length; n++) {
+ if (!kBase64Digits.includes(input[n])) {
+ throw new DOMException('Invalid character', 'InvalidCharacterError');
+ }
+ }
+
+ return Buffer.from(input, 'base64').toString('latin1');
+}
diff --git a/src/main/sessions.ts b/src/main/sessions.ts
index ffb7f91c..34dda6ab 100644
--- a/src/main/sessions.ts
+++ b/src/main/sessions.ts
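Review bot: The `window.atob` replacement in src/main/preload.ts is not equivalent to the platform function it overrides. `/\s/g` strips every Unicode whitespace character where the HTML `atob` algorithm removes only ASCII whitespace, and the per-character check accepts `=` at any position before the string reaches `Buffer.from(input, 'base64')`, which as far as I know is lenient about padding and length. Input that the browser's `atob` rejects with `InvalidCharacterError` can therefore decode silently; narrowing the strip to `.replace(/[\t\n\f\r ]/g, '')` and rejecting `input.length % 4 === 1` would bring it closer. The override also reaches page scripts only because the window sets `contextIsolation: false`, and `input` carries no type annotation; a header comment stating that dependency would help the next reader.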
@@ -403,7 +403,8 @@ class JupyterLabSession {
 title: 'JupyterLab',
 webPreferences: {
 nodeIntegration: true,
- contextIsolation: false
+ contextIsolation: false,
+ preload: path.join(__dirname, './preload.js'),
 }
 });
diff --git a/webpack.browser.js b/webpack.browser.js
index a854b461..39693283 100644
--- a/webpack.browser.js
+++ b/webpack.browser.js
@@ -164,9 +164,6 @@ module.exports = {
 },
 name: 'CORE_FEDERATION',
 shared: createShared(data)
- }),
- new webpack.ProvidePlugin({
- 'atob': [path.resolve(path.join(__dirname, 'build/out/browser/utils.js')), 'atobWhiteSpace']
 })
 ],
 devtool: 'source-map'
From c5755d01b3e95e2f6c5ff503f10de4a3489b661d Mon Sep 17 00:00:00 2001
From: Mehmet Bektas
Date: Sun, 30 Jan 2022 22:09:24 -0800
Subject: [PATCH 4/7] remove unused method
---
 src/browser/utils.ts | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/src/browser/utils.ts b/src/browser/utils.ts
index 48a58fba..1932d157 100644
--- a/src/browser/utils.ts
+++ b/src/browser/utils.ts
@@ -35,11 +35,3 @@ namespace Browser {
 return 28 / webFrame.getZoomFactor();
 }
 }
-
-// atob with support for whitespace in data
-export
-function atobWhiteSpace(data: string): string {
- // remove whitespace
- data = data.replace(/\s/g, "");
- return window.atob(data);
-}
From a8346995005bc196a16251776d9c96ef29e7adbb Mon Sep 17 00:00:00 2001
From: Mehmet Bektas <40003442+mbektas@users.noreply.github.com>
Date: Mon, 31 Jan 2022 06:49:29 -0800
Subject: [PATCH 5/7] add link to atob source
---
 src/main/preload.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/main/preload.ts b/src/main/preload.ts
index 65e9abc1..0a93d7f5 100644
--- a/src/main/preload.ts
+++ b/src/main/preload.ts
@@ -1,4 +1,6 @@
-// atob implementation below is modified from node.js source and copyright below is for that
+// atob implementation below is modified from node.js source
+// (https://github.com/nodejs/node/blob/master/lib/buffer.js)
+// and copyright below is for it
 // Copyright Joyent, Inc. and other Node contributors.
 //
From 69dc8dee46b5ecdc888ab9c94d3672c3e168ca4c Mon Sep 17 00:00:00 2001
From: krassowski <5832902+krassowski@users.noreply.github.com>
Date: Tue, 8 Feb 2022 20:53:38 +0000
Subject: [PATCH 6/7] Disable `nativeWindowOpen` instead of overriding atob
---
 src/main/preload.ts | 39 ---------------------------------------
 src/main/sessions.ts | 3 ++-
 2 files changed, 2 insertions(+), 40 deletions(-)
 delete mode 100644 src/main/preload.ts
diff --git a/src/main/preload.ts b/src/main/preload.ts
deleted file mode 100644
index 0a93d7f5..00000000
--- a/src/main/preload.ts
+++ /dev/null
@@ -1,39 +0,0 @@
-// atob implementation below is modified from node.js source
-// (https://github.com/nodejs/node/blob/master/lib/buffer.js)
-// and copyright below is for it
-
-// Copyright Joyent, Inc. and other Node contributors.
-//
-// Permission is hereby granted, free of charge, to any person obtaining a
-// copy of this software and associated documentation files (the
-// "Software"), to deal in the Software without restriction, including
-// without limitation the rights to use, copy, modify, merge, publish,
-// distribute, sublicense, and/or sell copies of the Software, and to permit
-// persons to whom the Software is furnished to do so, subject to the
-// following conditions:
-//
-// The above copyright notice and this permission notice shall be included
-// in all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
-// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
-// USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-window.atob = (input): string => {
- const kBase64Digits =
- 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
-
- // remove whitespace
- input = `${input}`.replace(/\s/g, "");
- for (let n = 0; n < input.length; n++) {
- if (!kBase64Digits.includes(input[n])) {
- throw new DOMException('Invalid character', 'InvalidCharacterError');
- }
- }
-
- return Buffer.from(input, 'base64').toString('latin1');
-}
diff --git a/src/main/sessions.ts b/src/main/sessions.ts
index 34dda6ab..506e01d3 100644
--- a/src/main/sessions.ts
+++ b/src/main/sessions.ts
@@ -404,7 +404,8 @@ class JupyterLabSession {
 webPreferences: {
 nodeIntegration: true,
 contextIsolation: false,
- preload: path.join(__dirname, './preload.js'),
+ // disable native window open to prevent exposing node.js scripts in popups
+ nativeWindowOpen: false
 }
 });
From ea6e8b78d804cafa5a580fdfac83931f7078824e Mon Sep 17 00:00:00 2001
From: Mehmet Bektas
Date: Tue, 15 Feb 2022 19:56:27 -0800
Subject: [PATCH 7/7] prevent navigation to external links
---
 src/main/main.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/main.ts b/src/main/main.ts
index fe73ec66..9821e68d 100644
--- a/src/main/main.ts
+++ b/src/main/main.ts
@@ -190,10 +190,10 @@ app.on('ready', () => {
 });
 app.on("web-contents-created", (_event: any, webContents: WebContents) => {
- // Prevent navigation to local links
+ // Prevent navigation to local links on the same page and external links
 webContents.on('will-navigate', (event: Event, navigationUrl) => {
 const jlabBaseUrl = `http://localhost:${appConfig.jlabPort}/`;
- if (navigationUrl.startsWith(jlabBaseUrl) && navigationUrl.indexOf('#') !== -1) {
+ if (!(navigationUrl.startsWith(jlabBaseUrl) && navigationUrl.indexOf('#') === -1)) {
 console.warn(`Navigation is not allowed; attempted navigation to: ${navigationUrl}`);
 event.preventDefault();
 }
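Review bot: `nativeWindowOpen: false` in src/main/sessions.ts (patch 6/7) is a compatibility switch rather than a popup policy, and the comment `// disable native window open to prevent exposing node.js scripts in popups` does not say which behaviour it restores or why that is safer. As far as I know Electron deprecated this option and dropped it in a later major release, so the workaround would stop applying on a subsequent upgrade while `nodeIntegration: true` and `contextIsolation: false` stay in place. An explicit `webContents.setWindowOpenHandler(...)` that denies or constrains child windows would state the intent in code and survive that removal. The `webPreferences` object belongs to a constructor call that starts outside the hunk.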
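Review bot: The `navigationUrl.indexOf('#') === -1` clause in src/main/main.ts (patch 7/7) rejects every URL that carries a fragment, not only "local links on the same page" as the new comment says; a link to a different document under `jlabBaseUrl` that includes an anchor is cancelled as well. If only same-document jumps are meant, compare the target without its fragment against the current page, e.g. `navigationUrl.split('#')[0] === webContents.getURL().split('#')[0]`. Otherwise the comment should describe what the code does, e.g. `// Allow only fragment-free URLs under jlabBaseUrl; block everything else`. The handler's closing lines are outside the hunk.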