Dorumin / Dorucord

BetterDiscord but without any UI and RAM eating

[Security] Exposing Node's require #7

Open CanadaHonk opened 2 years ago

CanadaHonk commented 2 years ago

Using node integration / exposing require in the window is a very bad idea which ~all other mods no longer do. Please consider not doing so and just using preload/no Node/etc. Thanks!

Dorumin commented 2 years ago

This is not a client mod platform for the masses, but rather an enthusiast attempt at patching Discord with my own hands.

If you don't trust the plugins you're installing, aren't you already at a security risk? Is this recent scrutiny part of evaluating alternative options after Discord's swc update? :)

CanadaHonk commented 2 years ago

If you don't trust the plugins you're installing, aren't you already at a security risk?

You can check plugins, and not just plugins can use what you're exposing. Any JS run via another mod, XSS, or something else can use it.

Is this recent scrutiny part of evaluating alternative options after Discord's swc update? :)

No, I saw your repo and tell every author about security risks, lol.

Dorumin commented 2 years ago

Any JS run via another mod, XSS, or something else can use it.

This is true, at some point you're trusting that Discord has figured out their x-frame options and content security policy and everything else to ensure that remote code execution isn't possible. However, even with no access to require, any kind of RCE/XSS also puts your account at risk, which is probably what most attackers are after. I doubt Discord mods are a good vector for ransomware, but you never know.

No, I saw your repo and tell every author about security risks, lol.

Must be a lot of repos then, found it strolling through?

CanadaHonk commented 2 years ago

I agree with you, I just don't think you should easily dismiss it as it is still an architectural flaw. I don't see many things injected into the main window actually using require, more saying consider changing in the future as most mods are heavily moving away from Node now (with good reason, mostly).

Must be a lot of repos then, found it strolling through?

Saw someone randomly link it in the Replugged server whilst scrolling through that. I would have messaged you rather than GH but no clue what your @ is lol

Dorumin commented 2 years ago

Saw someone randomly link it in the Replugged server whilst scrolling through that

That's what I was looking to hear, haha. Not in the Replugged server; honestly didn't try any other client mods before I cooked this up many years ago, only got word from a friend that BetterDiscord sucked and I wanted to do better. My handle is Louvre#0001, but it doesn't stay the same long, so I have no problem posting it here.

It is still an architectural flaw [...] most plugins don't use it.

Yep, all correct and true. I suppose I could simply expose it via a custom method through the global "plugin manager API" context, so blind require('fs') exploits don't work. Or only pass it to plugin objects. I'll give it a thought. Thanks for the interest.