In-app Navigation and Electron.js Version #451

Open
masood opened this issue Oct 26, 2023 · 2 comments
Comments

@masood

masood commented Oct 26, 2023

Summary:

While the Excel Parser Desktop Application uses secure web preferences, it does not use event listeners that prevent in-app navigation. Moreover, the application can benefit from an update to the underlying Electron.js version.

Platform(s) Affected:

MacOS, Windows, Linux

Steps To Reproduce:

  1. Open the Excel Parser Desktop Application.
  2. From the “View” menu, choose “Toggle Developer Tools”.
  3. [In-app Navigation] Within the console, enter `window.location="https://attacker.com/"`. The application window navigates to the third-party site.
  4. [Alt. in-app navigation] Alternatively, within the console, enter `window.open("https://attacker.com/")`. The application opens a new window with the third-party domain.
  5. [Web Preferences] While the app disables nodeIntegration and enables contextIsolation, it does not enable sandbox. These features can be taken care of by the defaults of the latest Electron.js version.
  6. [Electron.js Version] Finally, the current version of Excel Parser depends on Electron v17 which is vulnerable to numerous CVEs. [Example] The app can benefit from an update to the framework version that fixes numerous security issues. [Link]

--
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago

@btargac
Owner

btargac commented Nov 1, 2023

Hey @masood thanks for sharing the issue, but the finding is not very realistic due to the content-security-policy rules applied. Here is why: the content security policy forces the browser (for Electron, it's the Chromium engine) not to download any assets from unknown domains; there is only a set of restricted domains from which the app can download images, styles and JS files.

But at the same time, upgrading the Electron version is a valid concern. Will be dealing with that at the very first convenience.

@btargac
Owner

btargac commented Nov 1, 2023

And the console is disabled for the end users; if it's opened by the user, then probably someone is sitting in front of that computer, so no one will be able to type window.open(any link).

@btargac btargac self-assigned this Nov 1, 2023