e9e0001ef8
Enable `contextIsolation` in Electron to securely expose a limited set of Node.js APIs to the renderer process. It: 1. Isolates renderer and main process contexts. It ensures that the powerful main process functions aren't directly accessible from renderer process(es), adding a security boundary. 2. Mitigates remote exploitation risks. By isolating contexts, potential malicious code injections in the renderer can't directly reach and compromise the main process. 3. Reduces attack surface. 4. Protect against prototype pollution: It prevents tampering of JavaScript object prototypes in one context from affecting another context, improving app reliability and security. Supporting changes include: - Extract environment and system operations classes to the infrastructure layer. This removes node dependencies from core domain and application code. - Introduce `ISystemOperations` to encapsulate OS interactions. Use it from `CodeRunner` to isolate node API usage. - Add a preloader script to inject validated environment variables into renderer context. This keeps Electron integration details encapsulated. - Add new sanity check to fail fast on issues with preloader injected variables. - Improve test coverage of runtime sanity checks and environment components. Move validation logic into separate classes for Single Responsibility. - Improve absent value test case generation.
68 lines
2.1 KiB
YAML
68 lines
2.1 KiB
YAML
name: checks.desktop-runtime-errors
|
|
# Verifies desktop builds for Electron applications across multiple OS platforms (macOS ,Ubuntu, and Windows).
|
|
|
|
on:
|
|
push:
|
|
pull_request:
|
|
|
|
jobs:
|
|
build-desktop:
|
|
strategy:
|
|
matrix:
|
|
os: [ macos, ubuntu, windows ]
|
|
fail-fast: false # Allows to see results from other combinations
|
|
runs-on: ${{ matrix.os }}-latest
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v2
|
|
-
|
|
name: Setup node
|
|
uses: ./.github/actions/setup-node
|
|
-
|
|
name: Configure Ubuntu
|
|
if: matrix.os == 'ubuntu'
|
|
shell: bash
|
|
run: |-
|
|
sudo apt update
|
|
|
|
# Configure AppImage dependencies
|
|
sudo apt install -y libfuse2
|
|
|
|
# Configure DBUS (fixes `Failed to connect to the bus: Could not parse server address: Unknown address type`)
|
|
if ! command -v 'dbus-launch' &> /dev/null; then
|
|
echo 'DBUS does not exist, installing...'
|
|
sudo apt install -y dbus-x11 # Gives both dbus and dbus-launch utility
|
|
fi
|
|
sudo systemctl start dbus
|
|
DBUS_LAUNCH_OUTPUT=$(dbus-launch)
|
|
if [ $? -eq 0 ]; then
|
|
echo "${DBUS_LAUNCH_OUTPUT}" >> $GITHUB_ENV
|
|
else
|
|
echo 'Error: dbus-launch command did not execute successfully. Exiting.' >&2
|
|
echo "${DBUS_LAUNCH_OUTPUT}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# Configure fake (virtual) display
|
|
sudo apt install -y xvfb
|
|
sudo Xvfb :99 -screen 0 1024x768x24 > /dev/null 2>&1 &
|
|
echo "DISPLAY=:99" >> $GITHUB_ENV
|
|
|
|
# Install ImageMagick for screenshots
|
|
sudo apt install -y imagemagick
|
|
|
|
# Install xdotool and xprop (from x11-utils) for window title capturing
|
|
sudo apt install -y xdotool x11-utils
|
|
-
|
|
name: Test
|
|
shell: bash
|
|
run: node ./scripts/check-desktop-runtime-errors --screenshot
|
|
-
|
|
name: Upload screenshot
|
|
if: always() # Run even if previous step fails
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: screenshot-${{ matrix.os }}
|
|
path: screenshot.png
|