Skip to content

Commit

Permalink
✨ hijack accessing window object with globalThis keyword (#1246)
Browse files Browse the repository at this point in the history
  • Loading branch information
@kuitos
kuitos authored Feb 1, 2021
1 parent 007f7c5 commit 14aedc3
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/sandbox/__tests__/proxySandbox.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,11 @@ test('window.self & window.window & window.top & window.parent should equals wit
expect(proxy.parent).toBe(proxy);
});

test('globalThis should equals with sandbox', () => {
const { proxy } = new ProxySandbox('globalThis');
expect(proxy.globalThis).toBe(proxy);
});

test('allow window.top & window.parent to escape sandbox while in iframe', () => {
// change window.parent to cheat ProxySandbox is in iframe
Object.defineProperty(window, 'parent', { value: 'parent' });
Expand Down
5 changes: 5 additions & 0 deletions src/sandbox/proxySandbox.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -223,6 +223,11 @@ export default class ProxySandbox implements SandBox {
return proxy;
}

// hijack global accessing with globalThis keyword
if (p === 'globalThis') {
return proxy;
}

if (
p === 'top' ||
p === 'parent' ||
Expand Down

1 comment on commit 14aedc3

@github-actions
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deploy preview for qiankun ready!

✅ Preview
https://qiankun-b5ild5vfm.vercel.app

Built with commit 14aedc3.
This pull request is being automatically deployed with vercel-action

Please sign in to comment.