[fix] globalremover

2023-11-09 20:36:40 +09:00
parent d248c53192
commit 984475ff56
1 changed files with 103 additions and 2 deletions
--- a/src/ts/plugins/embedworker.ts
+++ b/src/ts/plugins/embedworker.ts
@@ -89,8 +89,9 @@ Object.getOwnPropertyNames( globaly ).forEach( function( prop ) {
                    return 1;
                }, 
                configurable : false
-            });     
+            });
        } catch (error) {
+
        }  
    }
 });
@@ -100,6 +101,106 @@ let workerResults:{
    result: any
 }[] = []

+const globalRemover = `
+let globaly = globalThis
+
+const whitelist = [
+    "Array",
+    "ArrayBuffer",
+    "BigInt",
+    "BigInt64Array",
+    "BigUint64Array",
+    "Boolean",
+    "DataView",
+    "Date",
+    "Error",
+    "EvalError",
+    "Float32Array",
+    "Float64Array",
+    "Function",
+    "Infinity",
+    "Int16Array",
+    "Int32Array",
+    "Int8Array",
+    "JSON",
+    "Map",
+    "Math",
+    "NaN",
+    "Number",
+    "Object",
+    "Promise",
+    "Proxy",
+    "RangeError",
+    "ReferenceError",
+    "Reflect",
+    "RegExp",
+    "Set",
+    "SharedArrayBuffer",
+    "String",
+    "Symbol",
+    "SyntaxError",
+    "TypeError",
+    "URIError",
+    "Uint16Array",
+    "Uint32Array",
+    "Uint8Array",
+    "Uint8ClampedArray",
+    "WeakMap",
+    "WeakSet",
+    "WebAssembly",
+    "console",
+    "decodeURI",
+    "decodeURIComponent",
+    "encodeURI",
+    "encodeURIComponent",
+    "escape",
+    "globalThis",
+    "isFinite",
+    "isNaN",
+    "null",
+    "parseFloat",
+    "parseInt",
+    "undefined",
+    "unescape",
+    "queueMicrotask",
+    "setTimeout",
+    "clearTimeout",
+    "setInterval",
+    "clearInterval",
+    "setImmediate",
+    "clearImmediate",
+    "atob",
+    "btoa",
+    "Headers",
+    "Request",
+    "Response",
+    "Blob",
+    "postMessage",
+    "Node",
+    "Element",
+    "Text",
+    "Comment",
+]
+
+const evaluation = globaly.eval
+
+Object.getOwnPropertyNames( globaly ).forEach( function( prop ) {
+    if( (!whitelist.includes(prop)) && (!prop.startsWith('HTML')) && (!prop.startsWith('XML')) ) {
+        try {
+            Object.defineProperty( globaly, prop, {
+                get : function() {
+                    throw "Security Exception: cannot access "+prop;
+                    return 1;
+                }, 
+                configurable : false
+            });
+        } catch (error) {
+
+        }  
+    }
+});
+
+`

 self.onmessage = async (event) => {
    const da = event.data
@@ -134,7 +235,7 @@ self.onmessage = async (event) => {
        return
    }
    try{
-        const d = await evaluation(da.code)
+        const d = await evaluation(globalRemover+da.code)
        self.postMessage({
            id: da.id,
            result: d