fix: ignore all NODE_ envs from foreign parent in node process (#40881)

Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com>
Co-authored-by: Jeremy Rose <jeremya@chromium.org>

build/fuses/build.py

@@ -32,6 +32,13 @@ extern const volatile char kFuseWire[];
 
 TEMPLATE_CC = """
 #include "electron/fuses.h"
+#include "base/dcheck_is_on.h"
+
+#if DCHECK_IS_ON()
+#include "base/command_line.h"
+#include "base/strings/string_util.h"
+#include <string>
+#endif
 
 namespace electron::fuses {
 
@@ -66,9 +73,20 @@ for fuse in fuses:
   getters_h += "FUSE_EXPORT bool Is{name}Enabled();\n".replace("{name}", name)
   getters_cc += """
 bool Is{name}Enabled() {
+#if DCHECK_IS_ON()
+  // RunAsNode is checked so early that base::CommandLine isn't yet
+  // initialized, so guard here to avoid a CHECK.
+  if (base::CommandLine::InitializedForCurrentProcess()) {
+    base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
+    if (command_line->HasSwitch("{switch_name}")) {
+      std::string switch_value = command_line->GetSwitchValueASCII("{switch_name}");
+      return switch_value == "1";
+    }
+  }
+#endif
   return kFuseWire[{index}] == '1';
 }
-""".replace("{name}", name).replace("{index}", str(index))
+""".replace("{name}", name).replace("{switch_name}", f"set-fuse-{fuse.lower()}").replace("{index}", str(index))
 
 def c_hex(n):
   s = hex(n)[2:]

docs/tutorial/tutorial-3-preload.md

@@ -203,7 +203,7 @@ loading the HTML file so that the handler is guaranteed to be ready before
 you send out the `invoke` call from the renderer.
 
 ```js {1,15} title="main.js"
-const { app, BrowserWindow, ipcMain } = require('electron')
+const { app, BrowserWindow, ipcMain } = require('electron/main')
 const path = require('node:path')
 
 const createWindow = () => {

filenames.gni

@@ -660,6 +660,7 @@ filenames = {
     "shell/common/node_includes.h",
     "shell/common/node_util.cc",
     "shell/common/node_util.h",
+    "shell/common/node_util_mac.mm",
     "shell/common/options_switches.cc",
     "shell/common/options_switches.h",
     "shell/common/platform_util.cc",

patches/chromium/fix_activate_background_material_on_windows.patch

@@ -1,19 +1,23 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: clavin <clavin@electronjs.org>
-Date: Wed, 30 Aug 2023 18:15:36 -0700
+Date: Mon, 11 Dec 2023 20:43:34 -0300
 Subject: fix: activate background material on windows
 
 This patch adds a condition to the HWND message handler to allow windows
 with translucent background materials to become activated.
 
+It also ensures the lParam of WM_NCACTIVATE is set to -1 so as to not repaint
+the client area, which can lead to a title bar incorrectly being displayed in
+frameless windows.
+
 This patch likely can't be upstreamed as-is, as Chromium doesn't have
 this use case in mind currently.
 
 diff --git a/ui/views/win/hwnd_message_handler.cc b/ui/views/win/hwnd_message_handler.cc
-index 23905a6b7f739ff3c6f391f984527ef5d2ed0bd9..ee72bad1b884677b02cc2f86ea307742e5528bad 100644
+index 23905a6b7f739ff3c6f391f984527ef5d2ed0bd9..aed8894a5514fddfc8d15b8fb4ae611fa4493b6f 100644
 --- a/ui/views/win/hwnd_message_handler.cc
 +++ b/ui/views/win/hwnd_message_handler.cc
-@@ -901,7 +901,7 @@ void HWNDMessageHandler::FrameTypeChanged() {
+@@ -901,13 +901,13 @@ void HWNDMessageHandler::FrameTypeChanged() {
  
  void HWNDMessageHandler::PaintAsActiveChanged() {
    if (!delegate_->HasNonClientView() || !delegate_->CanActivate() ||
@@ -22,3 +26,34 @@ index 23905a6b7f739ff3c6f391f984527ef5d2ed0bd9..ee72bad1b884677b02cc2f86ea307742
        (delegate_->GetFrameMode() == FrameMode::CUSTOM_DRAWN)) {
      return;
    }
+ 
+   DefWindowProcWithRedrawLock(WM_NCACTIVATE, delegate_->ShouldPaintAsActive(),
+-                              0);
++                              delegate_->HasFrame() ? 0 : -1);
+ }
+ 
+ void HWNDMessageHandler::SetWindowIcons(const gfx::ImageSkia& window_icon,
+@@ -2254,17 +2254,18 @@ LRESULT HWNDMessageHandler::OnNCActivate(UINT message,
+   if (IsVisible())
+     delegate_->SchedulePaint();
+ 
+-  // Calling DefWindowProc is only necessary if there's a system frame being
+-  // drawn. Otherwise it can draw an incorrect title bar and cause visual
+-  // corruption.
+-  if (!delegate_->HasFrame() ||
++  // If the window is translucent, it may have the Mica background.
++  // In that case, it's necessary to call |DefWindowProc|, but we can
++  // pass -1 in the lParam to prevent any non-client area elements from
++  // being displayed.
++  if ((!delegate_->HasFrame() && !is_translucent_) ||
+       delegate_->GetFrameMode() == FrameMode::CUSTOM_DRAWN) {
+     SetMsgHandled(TRUE);
+     return TRUE;
+   }
+ 
+   return DefWindowProcWithRedrawLock(WM_NCACTIVATE, paint_as_active || active,
+-                                     0);
++                                     delegate_->HasFrame() ? 0 : -1);
+ }
+ 
+ LRESULT HWNDMessageHandler::OnNCCalcSize(BOOL mode, LPARAM l_param) {

shell/app/node_main.cc

@@ -31,6 +31,7 @@
 #include "shell/common/gin_helper/dictionary.h"
 #include "shell/common/node_bindings.h"
 #include "shell/common/node_includes.h"
+#include "shell/common/node_util.h"
 
 #if BUILDFLAG(IS_WIN)
 #include "chrome/child/v8_crashpad_support_win.h"
@@ -107,8 +108,12 @@ int NodeMain(int argc, char* argv[]) {
 
   auto os_env = base::Environment::Create();
   bool node_options_enabled = electron::fuses::IsNodeOptionsEnabled();
+  if (!node_options_enabled) {
+    os_env->UnSetVar("NODE_OPTIONS");
+  }
+
 #if BUILDFLAG(IS_MAC)
-  if (node_options_enabled && os_env->HasVar("NODE_OPTIONS")) {
+  if (!ProcessSignatureIsSameWithCurrentApp(getppid())) {
     // On macOS, it is forbidden to run sandboxed app with custom arguments
     // from another app, i.e. args are discarded in following call:
     //   exec("Sandboxed.app", ["--custom-args-will-be-discarded"])
@@ -117,18 +122,14 @@ int NodeMain(int argc, char* argv[]) {
     //   exec("Electron.app", {env: {ELECTRON_RUN_AS_NODE: "1",
     //                               NODE_OPTIONS: "--require 'bad.js'"}})
     // To prevent Electron apps from being used to work around macOS security
-    // restrictions, when NODE_OPTIONS is passed it will be checked whether
-    // this process is invoked by its own app.
-    if (!ProcessBelongToCurrentApp(getppid())) {
-      LOG(ERROR) << "NODE_OPTIONS is disabled because this process is invoked "
-                    "by other apps.";
-      node_options_enabled = false;
+    // restrictions, when the parent process is not part of the app bundle, all
+    // environment variables starting with NODE_ will be removed.
+    if (util::UnsetAllNodeEnvs()) {
+      LOG(ERROR) << "Node.js environment variables are disabled because this "
+                    "process is invoked by other apps.";
     }
   }
 #endif  // BUILDFLAG(IS_MAC)
-  if (!node_options_enabled) {
-    os_env->UnSetVar("NODE_OPTIONS");
-  }
 
 #if BUILDFLAG(IS_WIN)
   v8_crashpad_support::SetUp();

shell/browser/protocol_registry.cc

@@ -6,6 +6,7 @@
 
 #include "base/stl_util.h"
 #include "content/public/browser/web_contents.h"
+#include "electron/fuses.h"
 #include "shell/browser/electron_browser_context.h"
 #include "shell/browser/net/asar/asar_url_loader_factory.h"
 
@@ -24,18 +25,21 @@ ProtocolRegistry::~ProtocolRegistry() = default;
 void ProtocolRegistry::RegisterURLLoaderFactories(
     content::ContentBrowserClient::NonNetworkURLLoaderFactoryMap* factories,
     bool allow_file_access) {
-  auto file_factory = factories->find(url::kFileScheme);
-  if (file_factory != factories->end()) {
-    // If Chromium already allows file access then replace the url factory to
-    // also loading asar files.
-    file_factory->second = AsarURLLoaderFactory::Create();
-  } else if (allow_file_access) {
-    // Otherwise only allow file access when it is explicitly allowed.
-    //
-    // Note that Chromium may call |emplace| to create the default file factory
-    // after this call, it won't override our asar factory, but if asar support
-    // breaks in future, please check if Chromium has changed the call.
-    factories->emplace(url::kFileScheme, AsarURLLoaderFactory::Create());
+  if (electron::fuses::IsGrantFileProtocolExtraPrivilegesEnabled()) {
+    auto file_factory = factories->find(url::kFileScheme);
+    if (file_factory != factories->end()) {
+      // If Chromium already allows file access then replace the url factory to
+      // also loading asar files.
+      file_factory->second = AsarURLLoaderFactory::Create();
+    } else if (allow_file_access) {
+      // Otherwise only allow file access when it is explicitly allowed.
+      //
+      // Note that Chromium may call |emplace| to create the default file
+      // factory after this call, it won't override our asar factory, but if
+      // asar support breaks in future, please check if Chromium has changed the
+      // call.
+      factories->emplace(url::kFileScheme, AsarURLLoaderFactory::Create());
+    }
   }
 
   for (const auto& it : handlers_) {

shell/browser/ui/win/electron_desktop_window_tree_host_win.cc

@@ -135,12 +135,12 @@ void ElectronDesktopWindowTreeHostWin::OnNativeThemeUpdated(
 
 bool ElectronDesktopWindowTreeHostWin::ShouldWindowContentsBeTransparent()
     const {
-  // Window should be marked as opaque if no transparency setting has been set,
-  // otherwise videos rendered in the window will trigger a DirectComposition
-  // redraw for every frame.
+  // Window should be marked as opaque if no transparency setting has been
+  // set, otherwise animations or videos rendered in the window will trigger a
+  // DirectComposition redraw for every frame.
   // https://github.com/electron/electron/pull/39895
   return native_window_view_->GetOpacity() < 1.0 ||
-         native_window_view_->transparent();
+         native_window_view_->IsTranslucent();
 }
 
 }  // namespace electron

shell/common/gin_converters/content_converter.cc

@@ -69,80 +69,39 @@ namespace {
 
 namespace gin {
 
+static constexpr auto MenuSourceTypes =
+    base::MakeFixedFlatMap<base::StringPiece, ui::MenuSourceType>({
+        {"adjustSelection", ui::MENU_SOURCE_ADJUST_SELECTION},
+        {"adjustSelectionReset", ui::MENU_SOURCE_ADJUST_SELECTION_RESET},
+        {"keyboard", ui::MENU_SOURCE_KEYBOARD},
+        {"longPress", ui::MENU_SOURCE_LONG_PRESS},
+        {"longTap", ui::MENU_SOURCE_LONG_TAP},
+        {"mouse", ui::MENU_SOURCE_MOUSE},
+        {"none", ui::MENU_SOURCE_NONE},
+        {"stylus", ui::MENU_SOURCE_STYLUS},
+        {"touch", ui::MENU_SOURCE_TOUCH},
+        {"touchHandle", ui::MENU_SOURCE_TOUCH_HANDLE},
+        {"touchMenu", ui::MENU_SOURCE_TOUCH_EDIT_MENU},
+    });
+
+// let us know when upstream changes & we need to update MenuSourceTypes
+static_assert(std::size(MenuSourceTypes) == ui::MENU_SOURCE_TYPE_LAST + 1U);
+
 // static
 v8::Local<v8::Value> Converter<ui::MenuSourceType>::ToV8(
     v8::Isolate* isolate,
     const ui::MenuSourceType& in) {
-  switch (in) {
-    case ui::MENU_SOURCE_MOUSE:
-      return StringToV8(isolate, "mouse");
-    case ui::MENU_SOURCE_KEYBOARD:
-      return StringToV8(isolate, "keyboard");
-    case ui::MENU_SOURCE_TOUCH:
-      return StringToV8(isolate, "touch");
-    case ui::MENU_SOURCE_TOUCH_EDIT_MENU:
-      return StringToV8(isolate, "touchMenu");
-    case ui::MENU_SOURCE_LONG_PRESS:
-      return StringToV8(isolate, "longPress");
-    case ui::MENU_SOURCE_LONG_TAP:
-      return StringToV8(isolate, "longTap");
-    case ui::MENU_SOURCE_TOUCH_HANDLE:
-      return StringToV8(isolate, "touchHandle");
-    case ui::MENU_SOURCE_STYLUS:
-      return StringToV8(isolate, "stylus");
-    case ui::MENU_SOURCE_ADJUST_SELECTION:
-      return StringToV8(isolate, "adjustSelection");
-    case ui::MENU_SOURCE_ADJUST_SELECTION_RESET:
-      return StringToV8(isolate, "adjustSelectionReset");
-    case ui::MENU_SOURCE_NONE:
-      return StringToV8(isolate, "none");
-  }
+  for (auto const& [key, val] : MenuSourceTypes)
+    if (in == val)
+      return StringToV8(isolate, key);
+  return {};
 }
 
 // static
 bool Converter<ui::MenuSourceType>::FromV8(v8::Isolate* isolate,
                                            v8::Local<v8::Value> val,
                                            ui::MenuSourceType* out) {
-  std::string type;
-  if (!ConvertFromV8(isolate, val, &type))
-    return false;
-
-  if (type == "mouse") {
-    *out = ui::MENU_SOURCE_MOUSE;
-    return true;
-  } else if (type == "keyboard") {
-    *out = ui::MENU_SOURCE_KEYBOARD;
-    return true;
-  } else if (type == "touch") {
-    *out = ui::MENU_SOURCE_TOUCH;
-    return true;
-  } else if (type == "touchMenu") {
-    *out = ui::MENU_SOURCE_TOUCH_EDIT_MENU;
-    return true;
-  } else if (type == "longPress") {
-    *out = ui::MENU_SOURCE_LONG_PRESS;
-    return true;
-  } else if (type == "longTap") {
-    *out = ui::MENU_SOURCE_LONG_TAP;
-    return true;
-  } else if (type == "touchHandle") {
-    *out = ui::MENU_SOURCE_TOUCH_HANDLE;
-    return true;
-  } else if (type == "stylus") {
-    *out = ui::MENU_SOURCE_STYLUS;
-    return true;
-  } else if (type == "adjustSelection") {
-    *out = ui::MENU_SOURCE_ADJUST_SELECTION;
-    return true;
-  } else if (type == "adjustSelectionReset") {
-    *out = ui::MENU_SOURCE_ADJUST_SELECTION_RESET;
-    return true;
-  } else if (type == "none") {
-    *out = ui::MENU_SOURCE_NONE;
-    return true;
-  }
-
-  return false;
+  return FromV8WithLookup(isolate, val, MenuSourceTypes, out);
 }
 
 // static

shell/common/mac/codesign_util.cc

@@ -5,15 +5,60 @@
 
 #include "shell/common/mac/codesign_util.h"
 
+#include "base/apple/foundation_util.h"
 #include "base/apple/osstatus_logging.h"
 #include "base/apple/scoped_cftyperef.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/Security.h>
 
 namespace electron {
 
-bool ProcessBelongToCurrentApp(pid_t pid) {
+absl::optional<bool> IsUnsignedOrAdHocSigned(SecCodeRef code) {
+  base::apple::ScopedCFTypeRef<SecStaticCodeRef> static_code;
+  OSStatus status = SecCodeCopyStaticCode(code, kSecCSDefaultFlags,
+                                          static_code.InitializeInto());
+  if (status == errSecCSUnsigned) {
+    return true;
+  }
+  if (status != errSecSuccess) {
+    OSSTATUS_LOG(ERROR, status) << "SecCodeCopyStaticCode";
+    return absl::optional<bool>();
+  }
+  // Copy the signing info from the SecStaticCodeRef.
+  base::apple::ScopedCFTypeRef<CFDictionaryRef> signing_info;
+  status =
+      SecCodeCopySigningInformation(static_code.get(), kSecCSSigningInformation,
+                                    signing_info.InitializeInto());
+  if (status != errSecSuccess) {
+    OSSTATUS_LOG(ERROR, status) << "SecCodeCopySigningInformation";
+    return absl::optional<bool>();
+  }
+  // Look up the code signing flags. If the flags are absent treat this as
+  // unsigned. This decision is consistent with the StaticCode source:
+  // https://github.com/apple-oss-distributions/Security/blob/Security-60157.40.30.0.1/OSX/libsecurity_codesigning/lib/StaticCode.cpp#L2270
+  CFNumberRef signing_info_flags =
+      base::apple::GetValueFromDictionary<CFNumberRef>(signing_info.get(),
+                                                       kSecCodeInfoFlags);
+  if (!signing_info_flags) {
+    return true;
+  }
+  // Using a long long to extract the value from the CFNumberRef to be
+  // consistent with how it was packed by Security.framework.
+  // https://github.com/apple-oss-distributions/Security/blob/Security-60157.40.30.0.1/OSX/libsecurity_utilities/lib/cfutilities.h#L262
+  long long flags;
+  if (!CFNumberGetValue(signing_info_flags, kCFNumberLongLongType, &flags)) {
+    LOG(ERROR) << "CFNumberGetValue";
+    return absl::optional<bool>();
+  }
+  if (static_cast<uint32_t>(flags) & kSecCodeSignatureAdhoc) {
+    return true;
+  }
+  return false;
+}
+
+bool ProcessSignatureIsSameWithCurrentApp(pid_t pid) {
   // Get and check the code signature of current app.
   base::apple::ScopedCFTypeRef<SecCodeRef> self_code;
   OSStatus status =
@@ -22,6 +67,15 @@ bool ProcessBelongToCurrentApp(pid_t pid) {
     OSSTATUS_LOG(ERROR, status) << "SecCodeCopyGuestWithAttributes";
     return false;
   }
+  absl::optional<bool> not_signed = IsUnsignedOrAdHocSigned(self_code.get());
+  if (!not_signed.has_value()) {
+    // Error happened.
+    return false;
+  }
+  if (not_signed.value()) {
+    // Current app is not signed.
+    return true;
+  }
   // Get the code signature of process.
   base::apple::ScopedCFTypeRef<CFNumberRef> process_cf(
       CFNumberCreate(nullptr, kCFNumberIntType, &pid));
@@ -46,9 +100,14 @@ bool ProcessBelongToCurrentApp(pid_t pid) {
     OSSTATUS_LOG(ERROR, status) << "SecCodeCopyDesignatedRequirement";
     return false;
   }
+  DCHECK(self_requirement.get());
   // Check whether the process meets the signature requirement of current app.
   status = SecCodeCheckValidity(process_code.get(), kSecCSDefaultFlags,
                                 self_requirement.get());
+  if (status != errSecSuccess && status != errSecCSReqFailed) {
+    OSSTATUS_LOG(ERROR, status) << "SecCodeCheckValidity";
+    return false;
+  }
   return status == errSecSuccess;
 }
 

shell/common/mac/codesign_util.h

@@ -10,9 +10,14 @@
 
 namespace electron {
 
-// Given a pid, check if the process belongs to current app by comparing its
-// code signature with current app.
-bool ProcessBelongToCurrentApp(pid_t pid);
+// Given a pid, return true if the process has the same code signature with
+// with current app.
+// This API returns true if current app is not signed or ad-hoc signed, because
+// checking code signature is meaningless in this case, and failing the
+// signature check would break some features with unsigned binary (for example,
+// process.send stops working in processes created by child_process.fork, due
+// to the NODE_CHANNEL_ID env getting removed).
+bool ProcessSignatureIsSameWithCurrentApp(pid_t pid);
 
 }  // namespace electron
 

shell/common/node_util.h

@@ -7,6 +7,7 @@
 
 #include <vector>
 
+#include "build/build_config.h"
 #include "v8/include/v8.h"
 
 namespace node {
@@ -26,6 +27,12 @@ v8::MaybeLocal<v8::Value> CompileAndCall(
     std::vector<v8::Local<v8::String>>* parameters,
     std::vector<v8::Local<v8::Value>>* arguments);
 
+#if BUILDFLAG(IS_MAC)
+// Unset all environment variables that start with NODE_. Return false if there
+// is no node env at all.
+bool UnsetAllNodeEnvs();
+#endif
+
 }  // namespace electron::util
 
 #endif  // ELECTRON_SHELL_COMMON_NODE_UTIL_H_

shell/common/node_util_mac.mm

@@ -0,0 +1,23 @@
+// Copyright (c) 2023 Microsoft, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#include "shell/common/node_util.h"
+
+#include <Foundation/Foundation.h>
+
+namespace electron::util {
+
+bool UnsetAllNodeEnvs() {
+  bool has_unset = false;
+  for (NSString* env in NSProcessInfo.processInfo.environment) {
+    if (![env hasPrefix:@"NODE_"])
+      continue;
+    const char* name = [[env componentsSeparatedByString:@"="][0] UTF8String];
+    unsetenv(name);
+    has_unset = true;
+  }
+  return has_unset;
+}
+
+}  // namespace electron::util

spec/fixtures/api/fork-with-node-options.js

@@ -2,11 +2,14 @@ const { execFileSync } = require('node:child_process');
 const path = require('node:path');
 
 const fixtures = path.resolve(__dirname, '..');
+const failJs = path.join(fixtures, 'module', 'fail.js');
 
 const env = {
   ELECTRON_RUN_AS_NODE: 'true',
   // Process will exit with 1 if NODE_OPTIONS is accepted.
-  NODE_OPTIONS: `--require "${path.join(fixtures, 'module', 'fail.js')}"`
+  NODE_OPTIONS: `--require "${failJs}"`,
+  // Try bypassing the check with NODE_REPL_EXTERNAL_MODULE.
+  NODE_REPL_EXTERNAL_MODULE: failJs
 };
 // Provide a lower cased NODE_OPTIONS in case some code ignores case sensitivity
 // when reading NODE_OPTIONS.

spec/fixtures/apps/remote-control/main.js

@@ -1,4 +1,7 @@
-const { app } = require('electron');
+// eslint-disable-next-line camelcase
+const electron_1 = require('electron');
+// eslint-disable-next-line camelcase
+const { app } = electron_1;
 const http = require('node:http');
 const v8 = require('node:v8');
 // eslint-disable-next-line camelcase,@typescript-eslint/no-unused-vars

spec/fuses-spec.ts

@@ -0,0 +1,28 @@
+import { expect } from 'chai';
+import { startRemoteControlApp } from './lib/spec-helpers';
+import { once } from 'node:events';
+import { spawn } from 'node:child_process';
+import { BrowserWindow } from 'electron';
+import path = require('node:path');
+
+describe('fuses', () => {
+  it('can be enabled by command-line argument during testing', async () => {
+    const child0 = spawn(process.execPath, ['-v'], { env: { NODE_OPTIONS: '-e 0' } });
+    const [code0] = await once(child0, 'exit');
+    // Should exit with 9 because -e is not allowed in NODE_OPTIONS
+    expect(code0).to.equal(9);
+    const child1 = spawn(process.execPath, ['--set-fuse-node_options=0', '-v'], { env: { NODE_OPTIONS: '-e 0' } });
+    const [code1] = await once(child1, 'exit');
+    // Should print the version and exit with 0
+    expect(code1).to.equal(0);
+  });
+
+  it('disables fetching file:// URLs when grant_file_protocol_extra_privileges is 0', async () => {
+    const rc = await startRemoteControlApp(['--set-fuse-grant_file_protocol_extra_privileges=0']);
+    await expect(rc.remotely(async (fixture: string) => {
+      const bw = new BrowserWindow({ show: false });
+      await bw.loadFile(fixture);
+      return await bw.webContents.executeJavaScript("ajax('file:///etc/passwd')");
+    }, path.join(__dirname, 'fixtures', 'pages', 'fetch.html'))).to.eventually.be.rejectedWith('Failed to fetch');
+  });
+});

spec/node-spec.ts

@@ -673,7 +673,7 @@ describe('node feature', () => {
     });
 
     const script = path.join(fixtures, 'api', 'fork-with-node-options.js');
-    const nodeOptionsWarning = 'NODE_OPTIONS is disabled because this process is invoked by other apps';
+    const nodeOptionsWarning = 'Node.js environment variables are disabled because this process is invoked by other apps';
 
     it('is disabled when invoked by other apps in ELECTRON_RUN_AS_NODE mode', async () => {
       await withTempDirectory(async (dir) => {