From d8924e113e17250521fad5dc078292a86cd4d3ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Guillermo=20Vay=C3=A1?= Date: Mon, 26 Jul 2021 15:49:59 +0200 Subject: [PATCH] [MM-37198] enable global sandboxing to increase security (cherry-pick #1667) (#1671) * enable global sandbox * remove typo Co-authored-by: = <=>
---
src/common/config/index.js | 13 ++++++++++++- src/main/main.js | 3 +++ src/main/preload/mainWindow.js | 5 ----- src/main/views/webContentEvents.js | 8 ++++++++ src/renderer/components/MainPage.jsx | 3 ++- src/renderer/index.jsx | 1 + 6 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/src/common/config/index.js b/src/common/config/index.js
index 10937490..7274783e 100644
--- a/src/common/config/index.js
+++ b/src/common/config/index.js
@@ -3,6 +3,7 @@ // See LICENSE.txt for license information. import fs from 'fs'; +import os from 'os'; import path from 'path'; import {EventEmitter} from 'events';
@@ -26,6 +27,11 @@ export default class Config extends EventEmitter { super(); this.configFilePath = configFilePath; this.registryConfigData = {}; + try { + this.useNativeWindow = os.platform() === 'win32' && (parseInt(os.release().split('.')[0], 10) < 10); + } catch { + this.useNativeWindow = false; + } } // separating constructor from init so main can setup event listeners
@@ -296,7 +302,12 @@ export default class Config extends EventEmitter { */ regenerateCombinedConfigData = () => { // combine all config data in the correct order - this.combinedData = Object.assign({}, this.defaultConfigData, this.localConfigData, this.buildConfigData, this.registryConfigData); + this.combinedData = Object.assign({}, + this.defaultConfigData, + this.localConfigData, + this.buildConfigData, + this.registryConfigData, + {useNativeWindow: this.useNativeWindow}); // remove unecessary data pulled from default and build config delete this.combinedData.defaultTeam;
diff --git a/src/main/main.js b/src/main/main.js
index bdb9277c..23fdec81 100644
--- a/src/main/main.js
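Review bot: The `< 10` test added to the Config constructor has no comment saying what it selects, and a release string that does not begin with a number makes `parseInt` return NaN, so the comparison is silently false without ever reaching the `catch`. I would put `// true only on Windows with a major release below 10; an unparsable release counts as 10 or later` above the `try`, so the fallback is a stated choice rather than a side effect. The constructor starts before this hunk.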
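Review bot: The `{useNativeWindow: this.useNativeWindow}` literal is the last argument of `Object.assign` in regenerateCombinedConfigData, so the value detected from the OS overrides any `useNativeWindow` key arriving from the local file, the build config or the registry; that precedence looks deliberate but nothing records it. A comment such as `// detected at startup; keep last so no config source can override it` would stop a later reorder from changing it. If `combinedData` is ever written back to the config file (not visible in this hunk), the computed key would be persisted with it, which is worth confirming. The function continues outside the hunk.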
+++ b/src/main/main.js
@@ -177,6 +177,9 @@ function initializeAppEventListeners() { } function initializeBeforeAppReady() { + if (process.env.NODE_ENV !== 'test') { + app.enableSandbox(); + } certificateStore = CertificateStore.load(path.resolve(app.getPath('userData'), 'certificate.json')); trustedOriginsStore = new TrustedOriginsStore(path.resolve(app.getPath('userData'), 'trustedOrigins.json')); trustedOriginsStore.load();
diff --git a/src/main/preload/mainWindow.js b/src/main/preload/mainWindow.js
index 1f55003d..38b8dd01 100644
--- a/src/main/preload/mainWindow.js
+++ b/src/main/preload/mainWindow.js
@@ -4,7 +4,6 @@ 'use strict'; -import os from 'os'; import {ipcRenderer, contextBridge} from 'electron'; contextBridge.exposeInMainWorld('ipcRenderer', {
@@ -13,10 +12,6 @@ contextBridge.exposeInMainWorld('ipcRenderer', { invoke: ipcRenderer.invoke, }); -contextBridge.exposeInMainWorld('os', { - isWindows10: os.platform() === 'win32' && os.release().startsWith('10'), -}); - contextBridge.exposeInMainWorld('process', { platform: process.platform, env: {
diff --git a/src/main/views/webContentEvents.js b/src/main/views/webContentEvents.js
index fa17f794..a17896c4 100644
--- a/src/main/views/webContentEvents.js
+++ b/src/main/views/webContentEvents.js
@@ -82,6 +82,12 @@ const generateDidStartNavigation = (getServersFunction) => { }; }; +const denyNewWindow = (event, url) => { + event.preventDefault(); + log.warn(`Prevented popup window to open a new window to ${url}.`); + return null; +}; + const generateNewWindowListener = (getServersFunction, spellcheck) => { return (event, url) => { const parsedURL = urlUtils.parseURL(url);
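Review bot: In initializeBeforeAppReady the sandbox is enabled only when `process.env.NODE_ENV !== 'test'`, and the same variable turns `nodeIntegration` and `enableRemoteModule` on and `contextIsolation` off in the popup `webPreferences` in webContentEvents.js. If that expression is evaluated at run time rather than replaced at build time (the build configuration is not visible here), the launch environment alone decides whether a shipped build runs its renderers sandboxed. I would tie the exemption to the build as well, `if (app.isPackaged || process.env.NODE_ENV !== 'test') {`, and add a comment saying why the test run needs the sandbox off. The function continues outside the hunk.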
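Review bot: `denyNewWindow` interpolates the full `url` into the warning, and that string is chosen by the page that asked for the window, so query-string tokens and text of any length end up in the log file. Logging only the parsed origin, or a length-capped value, keeps the record useful without storing everything the page supplied. The trailing `return null;` has no effect in an event listener and can be dropped, and a one-line comment above the function, `// popups may not open further windows`, would state the policy.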
@@ -160,12 +166,14 @@ const generateNewWindowListener = (getServersFunction, spellcheck) => { show: false, center: true, webPreferences: { + nativeWindowOpen: true, nodeIntegration: process.env.NODE_ENV === 'test', contextIsolation: process.env.NODE_ENV !== 'test', spellcheck: (typeof spellcheck === 'undefined' ? true : spellcheck), enableRemoteModule: process.env.NODE_ENV === 'test', }, }); + popupWindow.webContents.on('new-window', denyNewWindow); popupWindow.once('ready-to-show', () => { popupWindow.show(); });
diff --git a/src/renderer/components/MainPage.jsx b/src/renderer/components/MainPage.jsx
index 08b9817e..7502cf7f 100644
--- a/src/renderer/components/MainPage.jsx
+++ b/src/renderer/components/MainPage.jsx
@@ -325,7 +325,7 @@ export default class MainPage extends React.PureComponent { } let titleBarButtons; - if (window.os.isWindows10) { + if (window.process.platform === 'win32' && !this.props.useNativeWindow) { titleBarButtons = (
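Review bot: Only window creation is blocked for the popup: `popupWindow.webContents.on('new-window', denyNewWindow)` stops nested popups, but the visible lines register no `will-navigate` handler, so whether the popup can navigate itself away from the URL that generateNewWindowListener checked cannot be confirmed from this hunk. The `webPreferences` also leave `sandbox` unset, so this window is sandboxed only through the global `app.enableSandbox()` call in main.js. Adding `sandbox: process.env.NODE_ENV !== 'test',` next to `nativeWindowOpen: true,` would make the popup's isolation explicit and keep it in step with the neighbouring options. The listener starts before the hunk and continues after it.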
); }