fix: apply module search paths restriction on worker and child process (#41118)

2026-01-09 15:38:08 -05:00 · 2024-01-26 17:29:04 +09:00
parent 6c9f9de40a
commit db2bf1a0d1
10 changed files with 76 additions and 85 deletions
--- a/lib/node/init.ts
+++ b/lib/node/init.ts
@@ -29,3 +29,21 @@ cp.fork = (modulePath: string, args: any, options: any) => {
  }
  return originalFork(modulePath, args, options);
 };
+
+// Prevent Node from adding paths outside this app to search paths.
+const path = require('path');
+const Module = require('module') as NodeJS.ModuleInternal;
+const resourcesPathWithTrailingSlash = process.resourcesPath + path.sep;
+const originalNodeModulePaths = Module._nodeModulePaths;
+Module._nodeModulePaths = function (from: string) {
+  const paths: string[] = originalNodeModulePaths(from);
+  const fromPath = path.resolve(from) + path.sep;
+  // If "from" is outside the app then we do nothing.
+  if (fromPath.startsWith(resourcesPathWithTrailingSlash)) {
+    return paths.filter(function (candidate) {
+      return candidate.startsWith(resourcesPathWithTrailingSlash);
+    });
+  } else {
+    return paths;
+  }
+};