From 4ea08d1548771b4d0573fcf4a01e5fd14678287a Mon Sep 17 00:00:00 2001
From: sabonerune <102559104+sabonerune@users.noreply.github.com>
Date: Tue, 2 Jul 2024 04:24:56 +0900
Subject: [PATCH] =?UTF-8?q?feat:=20IPC=E3=83=A1=E3=83=83=E3=82=BB=E3=83=BC?= =?UTF-8?q?=E3=82=B8=E3=81=AE`sender`=E3=82=92=E7=A2=BA=E8=AA=8D=E3=81=99?= =?UTF-8?q?=E3=82=8B=20(#2151)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* feat: IPCメッセージの`sender`を確認する
* Apply suggestions from code review
---------
Co-authored-by: Hiroshiba
---
 src/backend/electron/ipc.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/backend/electron/ipc.ts b/src/backend/electron/ipc.ts
index 08b9715abb..5273e60b4b 100644
--- a/src/backend/electron/ipc.ts
+++ b/src/backend/electron/ipc.ts
@@ -18,6 +18,7 @@ export function ipcMainHandle(
 ...args: unknown[]
 ) => {
 try {
+ validateIpcSender(event);
 return listener(event, ...args);
 } catch (e) {
 log.error(e);
@@ -38,3 +39,20 @@ export function ipcMainSend(
 ): void {
 return win.webContents.send(channel, ...args);
 }
+
+/** IPCメッセージの送信元を確認する */
+const validateIpcSender = (event: IpcMainInvokeEvent) => {
+ let isValid: boolean;
+ const senderUrl = new URL(event.senderFrame.url);
+ if (process.env.VITE_DEV_SERVER_URL != undefined) {
+ const devServerUrl = new URL(process.env.VITE_DEV_SERVER_URL);
+ isValid = senderUrl.origin === devServerUrl.origin;
+ } else {
+ isValid = senderUrl.protocol === "app:";
+ }
+ if (!isValid) {
+ throw new Error(
+ `不正なURLからのIPCメッセージを検出しました。senderUrl: ${senderUrl.toString()}`,
+ );
+ }
+};
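Review bot: A rejected sender is reported through the same `catch` as any listener exception, so at `validateIpcSender(event);` a security-relevant rejection is logged exactly like an ordinary handler bug, and what the renderer receives is decided by code after `log.error(e);` that lies outside this hunk. The placement itself is right: the check runs before `listener`, and a throw from `new URL(...)` on a malformed frame URL also lands in the catch, so the path fails closed. I would add a comment above the call such as `// Must stay first: rejects invoke() calls from frames that are not the app's own page`, so a later refactor does not move it below the listener. Only handlers registered through `ipcMainHandle` get this check; any direct `ipcMain.on`/`ipcMain.handle` registrations elsewhere (not visible here) would bypass it.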
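Review bot: The production branch of `validateIpcSender` accepts any URL whose scheme is `app:` and ignores host and path, so the check is only as strict as the custom protocol handler behind it. If that handler serves a single host, pinning it as well would narrow the check: `isValid = senderUrl.protocol === "app:" && senderUrl.host === APP_HOST;`, where `APP_HOST` is a placeholder for the project's actual value (`URL.origin` is not a substitute here, since Node reports `"null"` for non-special schemes). The branch is chosen at run time from `process.env.VITE_DEV_SERVER_URL`, so a packaged build started with that variable set would presumably trust that origin instead; the build setup is not visible here, but a build-time dev flag would remove the question. The doc comment could state the rule, e.g. `/** Throws unless the sending frame is the dev server origin (dev) or an app: URL (packaged). */`.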