feat: IPCメッセージのsenderを確認する (VOICEVOX#2151)

* feat: IPCメッセージの`sender`を確認する * Apply suggestions from code review --------- Co-authored-by: Hiroshiba <[email protected]>
Hiroshiba · Jul 1, 2024 · 4ea08d1 · 4ea08d1
1 parent bf9fd0f
commit 4ea08d1
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/src/backend/electron/ipc.ts b/src/backend/electron/ipc.ts
@@ -18,6 +18,7 @@ export function ipcMainHandle(
     ...args: unknown[]
   ) => {
     try {
+      validateIpcSender(event);
       return listener(event, ...args);
     } catch (e) {
       log.error(e);
@@ -38,3 +39,20 @@ export function ipcMainSend(
 ): void {
   return win.webContents.send(channel, ...args);
 }
+
+/** IPCメッセージの送信元を確認する */
+const validateIpcSender = (event: IpcMainInvokeEvent) => {
+  let isValid: boolean;
+  const senderUrl = new URL(event.senderFrame.url);
+  if (process.env.VITE_DEV_SERVER_URL != undefined) {
+    const devServerUrl = new URL(process.env.VITE_DEV_SERVER_URL);
+    isValid = senderUrl.origin === devServerUrl.origin;
+  } else {
+    isValid = senderUrl.protocol === "app:";
+  }
+  if (!isValid) {
+    throw new Error(
+      `不正なURLからのIPCメッセージを検出しました。senderUrl: ${senderUrl.toString()}`,
+    );
+  }
+};