Reputation: 766
I load external content into my Electron app, which has the potential to be insecure. I want to expose an API to this unloaded content, in the form of a class. This API class should have access to nodeIntegration privileges; however, I do NOT want the untrusted external content to have such privileges. The untrusted code is loaded into a webview, and the API class is loaded in the webview via preload. The script loads and the class is created; it can perform all the functions I want it to without issue. Here is the problem, though: after the script finishes loading, the class that I want to remain in the global scope is destroyed. The only way for this untrusted code to access my API is if this class remains in the global scope. Is it possible to instantiate a class in the preloaded script that has access to nodeIntegration, and have that class be accessible by non-preloaded script files?
Example:
Preloaded script:
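    const { remote } = require('electron');

    var API = function() {
        const fs = remote.require('fs');
        // Attach to the instance so that new API().createFile() resolves
        this.createFile = function() {
            /*... do stuff with fs here ...*/
        };
    };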
Non-Preloaded Script (Untrusted code):
    var instanceOfAPI = new API();
    instanceOfAPI.createFile(); // should work
    fs.writeFile(); // should NOT work
Upvotes: 1
Views: 3677
Reputation: 766
Put the API in the window variable under the preload script. Example:
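    const { remote } = require('electron');

    var API = function() {
        const fs = remote.require('fs');
        // Attach to the instance so that window.api.createFile() resolves
        this.createFile = function() {
            /*... do stuff with fs here ...*/
        };
    };
    // Publish one instance on the page's global object
    window.api = new API();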
The following now works in the scripts that do not have access to nodeIntegration:
    window.api.createFile() // works
    fs.writeFile() // does not
Upvotes: 2