🔒 修复 CustomEvent 通信密钥泄露漏洞 (#1317)

* 🔒 修复 CustomEvent 通信密钥泄露漏洞

在模块顶层保存原生 CustomEvent、MouseEvent、dispatchEvent、addEventListener 引用，
防止页面脚本通过 hook 全局构造函数窃取 IPC 通信密钥，伪造 GM_* API 调用。

* 代码对齐最新做法

* 修正错误测试代码

* 处理jest问题

---------

Co-authored-by: cyfung1031 <44498510+cyfung1031@users.noreply.github.com>

Author: CodFrm

.eslintrc.cjs

@@ -21,6 +21,7 @@ module.exports = {
   globals: {
     GMTypes: "readonly",
     GMSend: "readonly",
+    cloneInto: "readonly",
   },
   plugins: ["react", "@typescript-eslint", "prettier"],
   rules: {

.gitignore

@@ -29,3 +29,9 @@ CHANGELOG.md
 tailwind.config.js
 
 .env
+
+superpowers
+.claude
+CLAUDE.md
+
+test-results

jest.config.js

@@ -13,8 +13,7 @@ module.exports = {
     "\\.m[jt]s$": "babel-jest",
   },
   transformIgnorePatterns: ["node_modules/(?!(uuid|dexi|yaml|webdav))"],
-  setupFilesAfterEnv: ['<rootDir>/jest.setup.js'],
-  setupFiles: ["./pkg/chrome-extension-mock/index.ts"],
+  setupFiles: ["./pkg/chrome-extension-mock/index.ts", "<rootDir>/jest.setup.js"],
   moduleDirectories: ["node_modules", "src"],
   watch: false,
 };

jest.setup.js

@@ -2,3 +2,4 @@
 global.fetch = () => {
   return Promise.reject(new Error("not implemented"));
 };
+

src/app/message/common.ts

@@ -0,0 +1,19 @@
+// 避免页面载入后改动全域物件导致消息传递失败
+export const MouseEventClone = MouseEvent;
+export const CustomEventClone = CustomEvent;
+
+const performanceClone = (process.env.VI_TESTING === "true" ? new EventTarget() : performance) as Performance;
+
+// 避免页面载入后改动 EventTarget.prototype 的方法导致消息传递失败
+export const pageDispatchEvent = performanceClone.dispatchEvent.bind(performanceClone);
+export const pageAddEventListener = performanceClone.addEventListener.bind(performanceClone);
+export const pageRemoveEventListener = performanceClone.removeEventListener.bind(performanceClone);
+const detailClone = typeof cloneInto === "function" ? cloneInto : null;
+export const pageDispatchCustomEvent = <T = any>(eventType: string, detail: T) => {
+  if (detailClone && detail) detail = <T>detailClone(detail, performanceClone);
+  const ev = new CustomEventClone(eventType, {
+    detail,
+    cancelable: true,
+  });
+  return pageDispatchEvent(ev);
+};

src/app/message/content.ts

@@ -1,5 +1,6 @@
 import LoggerCore from "../logger/core";
 import { type Channel } from "./channel";
+import { CustomEventClone, MouseEventClone, pageAddEventListener, pageDispatchEvent } from "./common";
 import {
   ChannelManager,
   MessageHander,
@@ -34,7 +35,7 @@ export default class MessageContent
       this.nativeSend(data);
     });
     this.relatedTarget = new Map<number, Element>();
-    window.addEventListener(
+    pageAddEventListener(
       (isContent ? "ct" : "fd") + eventId,
       (event: unknown) => {
         if (event instanceof MouseEvent) {
@@ -113,11 +114,14 @@ export default class MessageContent
       delete detail.data.relatedTarget;
       detail.data.relatedTarget = Math.ceil(Math.random() * 1000000);
       // 可以使用此种方式交互element
-      const ev = new MouseEvent((this.isContent ? "fd" : "ct") + this.eventId, {
-        clientX: detail.data.relatedTarget,
-        relatedTarget: target,
-      });
-      window.dispatchEvent(ev);
+      const ev = new MouseEventClone(
+        (this.isContent ? "fd" : "ct") + this.eventId,
+        {
+          clientX: detail.data.relatedTarget,
+          relatedTarget: target,
+        }
+      );
+      pageDispatchEvent(ev);
     }
 
     if (typeof cloneInto !== "undefined") {
@@ -132,10 +136,11 @@ export default class MessageContent
       }
     }
 
-    const ev = new CustomEvent((this.isContent ? "fd" : "ct") + this.eventId, {
-      detail,
-    });
-    window.dispatchEvent(ev);
+    const ev = new CustomEventClone(
+      (this.isContent ? "fd" : "ct") + this.eventId,
+      { detail }
+    );
+    pageDispatchEvent(ev);
   }
 
   public send(action: string, data: any) {

src/inject.ts

@@ -16,6 +16,7 @@ const logger = new LoggerCore({
   labels: { env: "inject", href: window.location.href },
 });
 
+
 message.setHandler("pageLoad", (_action, data) => {
   logger.logger().debug("inject start");
   const runtime = new InjectRuntime(message, data.scripts, flag);