From: surya.kumar7 Date: Tue, 26 Nov 2019 16:22:09 +0000 (+0530) Subject: Restrict 'require' access on wrt & wrt related modules to web apps X-Git-Tag: submit/tizen_5.5/20200625.010053~2^2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=973e43c1476a3a2aca678a11a792fa42a7aa9af4;p=platform%2Fframework%2Fweb%2Fwrtjs.git Restrict 'require' access on wrt & wrt related modules to web apps 'wrt' module is supposed to be used only by the framework & access to it should be prevented for web apps & add-ons Change-Id: Ic5e6a879df996960b7dbfab0c0115bfa5a1d9118 Signed-off-by: surya.kumar7
---
diff --git a/wrt_app/common/config-search-paths.js b/wrt_app/common/config-search-paths.js
index 8f6f7391..1cb734b5 100644
--- a/wrt_app/common/config-search-paths.js
+++ b/wrt_app/common/config-search-paths.js
@@ -2,10 +2,41 @@
 const Module = require('module');
 const originalResolveFilename = Module._resolveFilename;
-const ADDONS_PATH = require('path').join(__dirname, '..', 'addon', process.type, 'addonapi.js');
+const path = require('path');
+const ADDONS_PATH = path.join(__dirname, '..', 'addon', process.type, 'addonapi.js');
+const restrictedDir = '/usr/share/wrt/app';
+const restrictedModules = [ 'wrt' ];
+const keyRequireTerm = 'at require';
+const keyAppsTerm = 'globalapps';
+
+function isRequiredByApps() {
+ let stack = new Error().stack;
+ stack = stack.split('\n');
+ for (let i = 0, line; i < stack.length; ++i) {
+ line = stack[i].trim();
+ if (line.startsWith(keyRequireTerm))
+ return (stack[i + 1].indexOf(keyAppsTerm) !== -1);
+ }
+}
+
+function isRequestRestricted(request) {
+ if (!isRequiredByApps())
+ return false;
+ // Check direct module request => 'wrt'
+ if (restrictedModules.indexOf(request) !== -1)
+ return true;
+ // Check absolute path request => '/usr/share/wrt/...'
+ let resolved = path.resolve(request);
+ if (resolved.startsWith(restrictedDir))
+ return true;
+ return false;
+}
 Module._resolveFilename = function (request, parent, isMain) {
- if (request === 'addonapi') {
+ if (isRequestRestricted(request)) {
+ console.error('Access has been restricted');
+ return undefined;
+ } else if (request === 'addonapi') {
 return ADDONS_PATH;
 } else {
 return originalResolveFilename(request, parent, isMain);
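Review bot: `isRequiredByApps()` identifies the caller by parsing `new Error().stack`, and that check fails open: it returns `undefined` when no `at require` frame is found, throws if that frame is the last one (`stack[i + 1]`), and relies on a stack format and depth that are process-wide settings the restricted code shares. The `parent` argument already passed to `Module._resolveFilename` appears to carry the requesting module, so testing `parent.filename` would be sturdier, though it should be confirmed that it names the same caller. In `isRequestRestricted`, `path.resolve(request)` resolves against the process working directory and is compared with a bare `startsWith(restrictedDir)`, so the decision is not made on the file that would actually be loaded, and an unrelated sibling such as `/usr/share/wrt/app-x` matches by accident; checking the result of `originalResolveFilename` on a `path.sep` boundary addresses both. Returning `undefined` from the hook also hands the loader a non-string filename, whereas throwing an error with `code = 'MODULE_NOT_FOUND'` fails in a way callers already handle. The hook's body closes outside the hunk; the sketch below shows only the rewritten lines.

```javascript
// … unchanged: path, ADDONS_PATH, restrictedDir, restrictedModules, keyAppsTerm constants …

function isRequestRestricted(request, parent, isMain) {
  // Identify the requester from the module record instead of a formatted stack string.
  const requester = (parent && parent.filename) || '';
  if (requester.indexOf(keyAppsTerm) === -1)
    return false;
  // Direct module request => 'wrt'
  if (restrictedModules.indexOf(request) !== -1)
    return true;
  let resolved;
  try {
    resolved = originalResolveFilename(request, parent, isMain);
  } catch (e) {
    return false; // unresolvable here: let the normal branches report it
  }
  // Compare on a directory boundary so look-alike sibling paths do not match.
  return resolved === restrictedDir || resolved.startsWith(restrictedDir + path.sep);
}

Module._resolveFilename = function (request, parent, isMain) {
  if (isRequestRestricted(request, parent, isMain)) {
    const err = new Error('Access has been restricted');
    err.code = 'MODULE_NOT_FOUND';
    throw err;
  } else if (request === 'addonapi') {
  // … unchanged: addonapi branch and fallback to originalResolveFilename …
```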