Microsoft/vscode
1
0
Fork 0
mirror of https://github.com/microsoft/vscode.git synced 2026-04-27 12:04:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

No need for trusted types in extHost worker and worker extension loading, https://github.com/microsoft/vscode/issues/138588

Browse Source
This commit is contained in:
Johannes Rieken
2021-12-07 15:14:34 +01:00
parent 95dcb89a92
commit d1ae860377
4 changed files with 5 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
src/vs/workbench/api/worker/extHostExtensionService.ts
View File

@@ -14,34 +14,6 @@ import { timeout } from 'vs/base/common/async';
import { MainContext, MainThreadConsoleShape } from 'vs/workbench/api/common/extHost.protocol';
import { FileAccess } from 'vs/base/common/network';
namespace TrustedFunction {
// workaround a chrome issue not allowing to create new functions
// see https://github.com/w3c/webappsec-trusted-types/wiki/Trusted-Types-for-function-constructor
const ttpTrustedFunction = self.trustedTypes?.createPolicy('TrustedFunctionWorkaround', {
createScript: (_, ...args: string[]) => {
args.forEach((arg) => {
if (!self.trustedTypes?.isScript(arg)) {
throw new Error('TrustedScripts only, please');
}
});
// NOTE: This is insecure without parsing the arguments and body,
// Malicious inputs can escape the function body and execute immediately!
const fnArgs = args.slice(0, -1).join(',');
const fnBody = args.pop()!.toString();
const body = `(function anonymous(${fnArgs}) {${fnBody}\n})`;
return body;
}
});
export function create(...args: string[]): Function {
if (!ttpTrustedFunction) {
return new Function(...args);
}
return self.eval(ttpTrustedFunction.createScript('', ...args) as unknown as string);
}
}
class WorkerRequireInterceptor extends RequireInterceptor {
_installInterceptor() { }
@@ -65,8 +37,6 @@ class WorkerRequireInterceptor extends RequireInterceptor {
export class ExtHostExtensionService extends AbstractExtHostExtensionService {
readonly extensionRuntime = ExtensionRuntime.Webworker;
private static _ttpExtensionScripts = self.trustedTypes?.createPolicy('ExtensionScripts', { createScript: source => source });
private _fakeModules?: WorkerRequireInterceptor;
protected async _beforeAlmostReadyToRunExtensions(): Promise<void> {
@@ -109,12 +79,7 @@ export class ExtHostExtensionService extends AbstractExtHostExtensionService {
const fullSource = `${source}\n//# sourceURL=${sourceURL}`;
let initFn: Function;
try {
initFn = TrustedFunction.create(
ExtHostExtensionService._ttpExtensionScripts?.createScript('module') as unknown as string ?? 'module',
ExtHostExtensionService._ttpExtensionScripts?.createScript('exports') as unknown as string ?? 'exports',
ExtHostExtensionService._ttpExtensionScripts?.createScript('require') as unknown as string ?? 'require',
ExtHostExtensionService._ttpExtensionScripts?.createScript(fullSource) as unknown as string ?? fullSource
);
initFn = new Function('module', 'exports', 'require', fullSource);
} catch (err) {
if (extensionId) {
console.error(`Loading code for extension ${extensionId.value} failed: ${err.message}`);