
Handling links passed to shell.openExternal() and Electron.js Version #1

Open
masood opened this issue Oct 26, 2023 · 1 comment

@masood

masood commented Oct 26, 2023

Summary:

Thank you for designing the F-Curator Desktop Application and making it open source and available. The application adds an event listener that prevents opening new windows, and sanitization is performed before creating links. However, as a precaution, it will also be helpful to sanitize URLs before passing them to the underlying system. Additionally, the application does not use an event listener to prevent in-app navigation within the same window. Moreover, the application can benefit from an update to the underlying Electron.js version.

Platform(s) Affected:

MacOS, Windows

Steps To Reproduce:

  1. Open the F-Curator Desktop Application from the command line. Add the command-line switch --remote-debugging-port=8315 while running the application.
  2. Open a web browser on the same device and visit localhost:8315. The application can be interacted with via the DevTools protocol.
  3. [In-app Navigation] Within the console, enter window.location="https://attacker.com/". The application window navigates to the third-party site.
  4. [Run Sensitive Executable Files] Alternatively, within the console, enter window.open("file:///Applications/Emacs.app/Contents/MacOS/Emacs"). An alternative would be to check window.open("file:///Applications/Safari.app/Contents/MacOS/Safari"), which opens the Safari browser. The application passes the link to the underlying system, which opens the executable file if one exists at the path. While this is currently prevented by restricting the links that users can add to the application, it will be useful to add a check before passing the links to shell.openExternal().
  5. [Localhost Files] Finally, opening links similar to http://localhost:8315/ will pass the links as is to the system. If another application uses that port, it can be triggered from the F-Curator Application. It will be helpful to prevent adding localhost links.
  6. [Electron.js Version] Finally, the current version of Excel Parser depends on Electron v20.3.3, which is vulnerable to numerous CVEs. [Example] The app can benefit from an update to the framework version that fixes numerous security issues. [Link]


Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago

@xizon
Owner

xizon commented Feb 15, 2024

Thank you very much. Due to my work, I haven't had time to deal with it. It currently meets daily needs, and no new functions have been added. I will improve it in the future.
