mincomk/risuai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[fix] worker safety

Browse Source
This commit is contained in:
kwaroran
2023-11-09 20:51:04 +09:00
parent 984475ff56
commit dfa0f1f121
1 changed files with 31 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

137
src/ts/plugins/embedworker.ts
View File

@@ -43,7 +43,6 @@ const whitelist = [
"Uint8ClampedArray", "Uint8ClampedArray",
"WeakMap", "WeakMap",
"WeakSet", "WeakSet",
"WebAssembly",
"console", "console",
"decodeURI", "decodeURI",
"decodeURIComponent", "decodeURIComponent",
@@ -80,20 +79,46 @@ const whitelist = [
const evaluation = globaly.eval const evaluation = globaly.eval
Object.getOwnPropertyNames( globaly ).forEach( function( prop ) { const prop = Object.getOwnPropertyNames( globaly )
if( (!whitelist.includes(prop)) && (!prop.startsWith('HTML')) && (!prop.startsWith('XML')) ) { prop.push(
//unsafe apis
'open',
'close',
'alert',
'confirm',
'prompt',
'print',
'fetch',
'navigator',
'Worker',
'WebSocket',
'XMLHttpRequest',
'localStorage',
'sessionStorage',
'importScripts',
'indexedDB',
'crypto',
'WebAssembly',
'WebSqlDatabase',
)
prop.forEach( function( prop ) {
if( (!whitelist.includes(prop)) && (!prop.startsWith('HTML')) ) {
try { try {
console.log(prop)
Object.defineProperty( globaly, prop, { Object.defineProperty( globaly, prop, {
get : function() { get : function() {
throw "Security Exception: cannot access "+prop; throw "Security Exception: cannot access "+prop;
return 1; return 1;
}, },
configurable : false configurable : false
}); });
} catch (error) { } catch (error) {
} }
} }
else{
console.log(`allow ${prop}`)
}
}); });
let workerResults:{ let workerResults:{
@@ -101,106 +126,6 @@ let workerResults:{
result: any result: any
}[] = [] }[] = []
const globalRemover = `
let globaly = globalThis
const whitelist = [
"Array",
"ArrayBuffer",
"BigInt",
"BigInt64Array",
"BigUint64Array",
"Boolean",
"DataView",
"Date",
"Error",
"EvalError",
"Float32Array",
"Float64Array",
"Function",
"Infinity",
"Int16Array",
"Int32Array",
"Int8Array",
"JSON",
"Map",
"Math",
"NaN",
"Number",
"Object",
"Promise",
"Proxy",
"RangeError",
"ReferenceError",
"Reflect",
"RegExp",
"Set",
"SharedArrayBuffer",
"String",
"Symbol",
"SyntaxError",
"TypeError",
"URIError",
"Uint16Array",
"Uint32Array",
"Uint8Array",
"Uint8ClampedArray",
"WeakMap",
"WeakSet",
"WebAssembly",
"console",
"decodeURI",
"decodeURIComponent",
"encodeURI",
"encodeURIComponent",
"escape",
"globalThis",
"isFinite",
"isNaN",
"null",
"parseFloat",
"parseInt",
"undefined",
"unescape",
"queueMicrotask",
"setTimeout",
"clearTimeout",
"setInterval",
"clearInterval",
"setImmediate",
"clearImmediate",
"atob",
"btoa",
"Headers",
"Request",
"Response",
"Blob",
"postMessage",
"Node",
"Element",
"Text",
"Comment",
]
const evaluation = globaly.eval
Object.getOwnPropertyNames( globaly ).forEach( function( prop ) {
if( (!whitelist.includes(prop)) && (!prop.startsWith('HTML')) && (!prop.startsWith('XML')) ) {
try {
Object.defineProperty( globaly, prop, {
get : function() {
throw "Security Exception: cannot access "+prop;
return 1;
},
configurable : false
});
} catch (error) {
}
}
});
`
self.onmessage = async (event) => { self.onmessage = async (event) => {
const da = event.data const da = event.data
@@ -235,7 +160,7 @@ self.onmessage = async (event) => {
return return
} }
try{ try{
const d = await evaluation(globalRemover+da.code) const d = await evaluation(da.code)
self.postMessage({ self.postMessage({
id: da.id, id: da.id,
result: d result: d