🐛 create_context 的空物件改为 Object.create(null) (#1397)

* fix: create_context 的空物件改为 Object.create(null)

* 修正 GM 及 window 的物件生成

* 修正 GM 及 window 的物件生成

Author: cyfung1031

src/app/service/content/create_context.ts

@@ -8,6 +8,8 @@ import { isEarlyStartScript } from "./utils";
 import { ListenerManager } from "./listener_manager";
 import { createGMBase } from "./gm_api/gm_api";
 
+// 不要使用 {}, 改使用 Object.create(null) - 避免在页面生成沙盒时，受到 Object.prototype 被注入的影响
+
 // 构建沙盒上下文
 export const createContext = (
   scriptRes: TScriptInfo,
@@ -29,6 +31,8 @@ export const createContext = (
     });
   }
   let invalid = false;
+  const GM = Object.create(null);
+  GM.info = GMInfo;
   const context = createGMBase({
     prefix: envPrefix,
     message,
@@ -38,11 +42,9 @@ export const createContext = (
     EE,
     runFlag: uuidv4(),
     eventId: 10000,
-    GM: { info: GMInfo },
+    GM: GM,
     GM_info: GMInfo,
-    window: {
-      // onurlchange: null,
-    },
+    window: Object.create(null),
     grantSet: new Set(),
     loadScriptPromise,
     loadScriptResolve,
@@ -62,7 +64,7 @@ export const createContext = (
       return invalid;
     },
   });
-  const grantedAPIs: { [key: string]: any } = {};
+  const grantedAPIs: { [key: string]: any } = Object.create(null);
   const __methodInject__ = (grant: string): boolean => {
     const grantSet: Set<string> = context.grantSet;
     const s = GMContextApiGet(grant);
@@ -98,7 +100,7 @@ export const createContext = (
     for (let i = 0; i < m; i++) {
       const part = fnKeyArray[i];
       s += `${i ? "." : ""}${part}`;
-      g = g[part] || (g[part] = grantedAPIs[s] || {});
+      g = g[part] || (g[part] = grantedAPIs[s] || Object.create(null));
     }
   }
   context.unsafeWindow = window;
@@ -166,10 +168,10 @@ const initOwnDescs = Object.getOwnPropertyDescriptors(global);
 
 // overridedDescs将以物件OwnPropertyDescriptor方式进行物件属性修改
 // 覆盖原有的 OwnPropertyDescriptor定义 或 父类的PropertyDescriptor定义
-const overridedDescs: Record<string, PropertyDescriptor> = {};
+const overridedDescs: Record<string, PropertyDescriptor> = Object.create(null);
 
 // 记录原生 onxxxxx 的 PropertyDescriptor
-const eventDescs: Record<string, PropertyDescriptor> = {};
+const eventDescs: Record<string, PropertyDescriptor> = Object.create(null);
 
 // 包含物件本身及所有父类(不包含Object)的PropertyDescriptor
 // 主要是找出哪些 function值， setter/getter 需要替换 global window

src/app/service/content/exec_script.ts

@@ -53,7 +53,9 @@ export default class ExecScript {
       // 不注入任何GM api
       // ScriptCat行为：GM.info 和 GM_info 同时注入
       // 在不改变 Context 的情况下，以 named 传入多个全域变量
-      this.named = { GM: { info: GM_info }, GM_info };
+      const GM = Object.create(null);
+      GM.info = GM_info;
+      this.named = { GM, GM_info };
     } else {
       // 构建脚本GM上下文
       this.sandboxContext = createContext(scriptRes, GM_info, envPrefix, message, contentMsg, grantSet);