Fix security issues without breaking local loading (#4958)

Chaitu7032 · web-flow · commit 8db062abcc7a · 2025-12-31T11:47:01.000-05:00
* Fix security issues without breaking local loading

* deleted overides

* resolved eslint error

* fixed prettier issue
diff --git a/electron-main.js b/electron-main.js
@@ -10,7 +10,10 @@ function createWindow() {
         title: "Music Blocks",
         webPreferences: {
             nodeIntegration: false,
-            contextIsolation: true
+            contextIsolation: true,
+            sandbox: true,
+            webSecurity: true,
+            enableRemoteModule: false
         }
     });
 
diff --git a/js/activity.js b/js/activity.js
@@ -7098,7 +7098,10 @@ class Activity {
             // Load any plugins saved in local storage.
             this.pluginData = this.storage.plugins;
             if (this.pluginData !== null && this.pluginData !== "null") {
-                updatePluginObj(this, processPluginData(this, this.pluginData));
+                updatePluginObj(
+                    this,
+                    processPluginData(this, this.pluginData, "localStorage:plugins")
+                );
             }
 
             // Load custom mode saved in local storage.
@@ -7399,6 +7402,7 @@ class Activity {
 
                     // Read file here.
                     const reader = new FileReader();
+                    const pluginFile = that.pluginChooser.files[0];
 
                     // eslint-disable-next-line no-unused-vars
                     reader.onload = theFile => {
@@ -7407,7 +7411,11 @@ class Activity {
                         //doLoadAnimation();
 
                         setTimeout(() => {
-                            const obj = processRawPluginData(that, reader.result);
+                            const obj = processRawPluginData(
+                                that,
+                                reader.result,
+                                pluginFile && pluginFile.name ? pluginFile.name : "local-file"
+                            );
                             // Save plugins to local storage.
                             if (obj !== null) {
                                 that.storage.plugins = preparePluginExports(that, obj);
@@ -7425,7 +7433,7 @@ class Activity {
                         }, 200);
                     };
 
-                    reader.readAsText(that.pluginChooser.files[0]);
+                    reader.readAsText(pluginFile);
                 },
                 false
             );
diff --git a/js/utils/utils.js b/js/utils/utils.js
@@ -575,11 +575,49 @@ let toTitleCase = str => {
  * @param {string} pluginData - The JSON-encoded plugin data.
  * @returns {object|null} The processed plugin data object or null if parsing fails.
  */
-const processPluginData = (activity, pluginData) => {
+const processPluginData = (activity, pluginData, pluginSource) => {
     // Plugins are JSON-encoded dictionaries.
     if (pluginData === undefined) {
         return null;
     }
+
+    const isTrustedPluginSource = src => {
+        if (!src) return false;
+
+        // allow only local paths
+        return (
+            src.startsWith("./") ||
+            src.startsWith("../") ||
+            src.startsWith("/") ||
+            (!src.includes("http://") && !src.includes("https://"))
+        );
+    };
+
+    const safeEval = (code, label = "plugin") => {
+        if (typeof code !== "string") return;
+
+        // basic sanity limit (prevents huge payloads)
+        if (code.length > 500000) {
+            // eslint-disable-next-line no-console
+            console.warn("Plugin code too large:", label);
+            return;
+        }
+
+        try {
+            // eslint-disable-next-line no-eval
+            eval(code);
+        } catch (e) {
+            // eslint-disable-next-line no-console
+            console.error("Plugin execution failed:", label, e);
+        }
+    };
+
+    if (!isTrustedPluginSource(pluginSource)) {
+        // eslint-disable-next-line no-console
+        console.warn("Blocked untrusted plugin source:", pluginSource);
+        return null;
+    }
+
     let obj;
     try {
         obj = JSON.parse(pluginData);
@@ -719,18 +757,13 @@ const processPluginData = (activity, pluginData) => {
         for (const block in obj["BLOCKPLUGINS"]) {
             // eslint-disable-next-line no-console
             console.debug("adding plugin block " + block);
-            try {
-                eval(obj["BLOCKPLUGINS"][block]);
-            } catch (e) {
-                // eslint-disable-next-line no-console
-                console.debug("Failed to load plugin for " + block + ": " + e);
-            }
+            safeEval(obj["BLOCKPLUGINS"][block], "BLOCKPLUGINS:" + block);
         }
     }
 
     // Create the globals.
     if ("GLOBALS" in obj) {
-        eval(obj["GLOBALS"]);
+        safeEval(obj["GLOBALS"], "GLOBALS");
     }
 
     if ("PARAMETERPLUGINS" in obj) {
@@ -742,7 +775,7 @@ const processPluginData = (activity, pluginData) => {
     // Code to execute when plugin is loaded
     if ("ONLOAD" in obj) {
         for (const arg in obj["ONLOAD"]) {
-            eval(obj["ONLOAD"][arg]);
+            safeEval(obj["ONLOAD"][arg], "ONLOAD:" + arg);
         }
     }
 
@@ -799,7 +832,7 @@ const processPluginData = (activity, pluginData) => {
  * @param {string} rawData - Raw plugin data to process.
  * @returns {object|null} The processed plugin data object or null if parsing fails.
  */
-const processRawPluginData = (activity, rawData) => {
+const processRawPluginData = (activity, rawData, pluginSource) => {
     const lineData = rawData.split("\n");
     let cleanData = "";
 
@@ -821,7 +854,7 @@ const processRawPluginData = (activity, rawData) => {
     // try/catch while debugging your plugin.
     let obj;
     try {
-        obj = processPluginData(activity, cleanData.replace(/\n/g, ""));
+        obj = processPluginData(activity, cleanData.replace(/\n/g, ""), pluginSource);
     } catch (e) {
         obj = null;
         // eslint-disable-next-line no-console
diff --git a/planet/js/ProjectViewer.js b/planet/js/ProjectViewer.js
@@ -21,14 +21,15 @@
 */
 
 class ProjectViewer {
-    
     constructor(Planet) {
-        this.Planet = Planet ;
+        this.Planet = Planet;
         this.ProjectCache = Planet.GlobalPlanet.cache;
         this.PlaceholderMBImage = "images/mbgraphic.png";
         this.PlaceholderTBImage = "images/tbgraphic.png";
         this.ReportError = _("Error: Report could not be submitted. Try again later.");
-        this.ReportSuccess = _("Thank you for reporting this project. A moderator will review the project shortly, to verify violation of the Sugar Labs Code of Conduct.");
+        this.ReportSuccess = _(
+            "Thank you for reporting this project. A moderator will review the project shortly, to verify violation of the Sugar Labs Code of Conduct."
+        );
         this.ReportEnabledButton = _("Report Project");
         this.ReportDisabledButton = _("Project Reported");
         this.ReportDescriptionError = _("Report description required");
@@ -37,25 +38,45 @@ class ProjectViewer {
     }
 
     open(id) {
-        const Planet = this.Planet ;
+        const Planet = this.Planet;
         this.id = id;
         const proj = this.ProjectCache[id];
-        const options = { year: "numeric", month: "short", day: "numeric", hour: "numeric", minute: "numeric" };
+
+        const setBoldText = (el, text) => {
+            el.textContent = "";
+            const b = document.createElement("b");
+            b.textContent = String(text);
+            el.appendChild(b);
+        };
+
+        const options = {
+            year: "numeric",
+            month: "short",
+            day: "numeric",
+            hour: "numeric",
+            minute: "numeric"
+        };
         const last_updated_timestamp = proj.ProjectLastUpdated;
-        const formatted_LastUpdated = new Date(last_updated_timestamp).toLocaleString(undefined, options);
+        const formatted_LastUpdated = new Date(last_updated_timestamp).toLocaleString(
+            undefined,
+            options
+        );
         const created_timestamp = proj.ProjectCreatedDate;
-        const formatted_CreatedDate = new Date(created_timestamp).toLocaleString(undefined, options);
+        const formatted_CreatedDate = new Date(created_timestamp).toLocaleString(
+            undefined,
+            options
+        );
 
         document.getElementById("projectviewer-title").textContent = proj.ProjectName;
-        document.getElementById("projectviewer-last-updated").innerHTML = `<b>${formatted_LastUpdated}</b>`;
-        document.getElementById("projectviewer-date").innerHTML =`<b>${formatted_CreatedDate}</b>`;
-        document.getElementById("projectviewer-downloads").innerHTML = `<b>${proj.ProjectDownloads}</b>`;
-        document.getElementById("projectviewer-likes").innerHTML = `<b>${proj.ProjectLikes}</b>`;
+        setBoldText(document.getElementById("projectviewer-last-updated"), formatted_LastUpdated);
+        setBoldText(document.getElementById("projectviewer-date"), formatted_CreatedDate);
+        setBoldText(document.getElementById("projectviewer-downloads"), proj.ProjectDownloads);
+        setBoldText(document.getElementById("projectviewer-likes"), proj.ProjectLikes);
 
         let img = proj.ProjectImage;
         if (img === "" || img === null)
-            img = (proj.ProjectIsMusicBlocks==1) ?
-                this.PlaceholderMBImage : this.PlaceholderTBImage ;
+            img =
+                proj.ProjectIsMusicBlocks == 1 ? this.PlaceholderMBImage : this.PlaceholderTBImage;
 
         document.getElementById("projectviewer-image").src = img;
         document.getElementById("projectviewer-description").textContent = proj.ProjectDescription;
@@ -68,29 +89,28 @@ class ProjectViewer {
             tagcontainer.appendChild(chip);
         }
 
-        if (Planet.ProjectStorage.isReported(this.id)){
+        if (Planet.ProjectStorage.isReported(this.id)) {
             document.getElementById("projectviewer-report-project").style.display = "none";
-            document.getElementById("projectviewer-report-project-disabled").style.display = "block";
-        }
-        else {
+            document.getElementById("projectviewer-report-project-disabled").style.display =
+                "block";
+        } else {
             document.getElementById("projectviewer-report-project").style.display = "block";
             document.getElementById("projectviewer-report-project-disabled").style.display = "none";
         }
 
         jQuery("#projectviewer").modal("open");
-    };
+    }
 
     download() {
-        this.Planet.GlobalPlanet.getData(this.id,this.afterDownload.bind(this));
-    };
+        this.Planet.GlobalPlanet.getData(this.id, this.afterDownload.bind(this));
+    }
 
-    afterDownload (data) {
-        const Planet = this.Planet ;
+    afterDownload(data) {
+        const Planet = this.Planet;
 
         const proj = this.ProjectCache[this.id];
         let image = Planet.ProjectStorage.ImageDataURL;
-        if (proj.ProjectImage !== "")
-            image = proj.ProjectImage;
+        if (proj.ProjectImage !== "") image = proj.ProjectImage;
 
         Planet.SaveInterface.saveHTML(
             proj.ProjectName,
@@ -99,19 +119,19 @@ class ProjectViewer {
             proj.ProjectDescription,
             this.id
         );
-    };
+    }
 
     openProject() {
         // newPageTitle = proj.ProjectName;
         // document.title = newPageTitle;
         this.Planet.GlobalPlanet.openGlobalProject(this.id);
-    };
+    }
 
     mergeProject() {
         // newPageTitle = proj.ProjectName;
         // document.title = newPageTitle;
         this.Planet.GlobalPlanet.mergeGlobalProject(this.id);
-    };
+    }
 
     openReporter() {
         // eslint-disable-next-line no-console
@@ -121,55 +141,54 @@ class ProjectViewer {
         document.getElementById("projectviewer-report-progress").style.visibility = "hidden";
         document.getElementById("report-error").style.display = "none";
         document.getElementById("projectviewer-report-card").style.display = "block";
-        
+
         hideOnClickOutside(
             [
                 document.getElementById("projectviewer-report-card"),
                 document.getElementById("projectviewer-report-project")
             ],
             "projectviewer-report-card"
         );
-    };
+    }
 
     submitReporter() {
         const text = document.getElementById("reportdescription").value;
 
-        if (text === ""){
+        if (text === "") {
             document.getElementById("report-error").textContent = this.ReportDescriptionError;
             document.getElementById("report-error").style.display = "block";
             return;
-        }
-        else if (text.length > 1000){
-            document.getElementById("report-error").textContent = this.ReportDescriptionTooLongError;
+        } else if (text.length > 1000) {
+            document.getElementById(
+                "report-error"
+            ).textContent = this.ReportDescriptionTooLongError;
             document.getElementById("report-error").style.display = "block";
             return;
-        }
-        else {
+        } else {
             document.getElementById("projectviewer-report-progress").style.visibility = "hidden";
             this.Planet.ServerInterface.reportProject(this.id, text, this.afterReport.bind(this));
         }
-    };
+    }
 
     afterReport(data) {
         if (data.success) {
             document.getElementById("submittext").textContent = this.ReportSuccess;
-            this.Planet.ProjectStorage.report(this.id,true);
+            this.Planet.ProjectStorage.report(this.id, true);
             document.getElementById("projectviewer-report-project").style.display = "none";
-            document.getElementById("projectviewer-report-project-disabled").style.display = "block";
-        }
-        else document.getElementById("submittext").textContent = this.ReportError;
+            document.getElementById("projectviewer-report-project-disabled").style.display =
+                "block";
+        } else document.getElementById("submittext").textContent = this.ReportError;
 
         document.getElementById("projectviewer-report-content").style.display = "none";
         document.getElementById("projectviewer-report-progress").style.visibility = "hidden";
         document.getElementById("projectviewer-reportsubmit-content").style.display = "block";
-    };
+    }
 
     closeReporter() {
         document.getElementById("projectviewer-report-card").style.display = "none";
-    };
+    }
 
     init() {
-
         // eslint-disable-next-line no-unused-vars
         document.getElementById("projectviewer-download-file").addEventListener("click", evt => {
             this.download();
@@ -199,6 +218,5 @@ class ProjectViewer {
         document.getElementById("projectviewer-report-close").addEventListener("click", evt => {
             this.closeReporter();
         });
-    };
-
-}
+    }
+}
