Thank you for designing the ExpressLRS-Configurator Desktop Application and making it open source and available.
Expected Behavior
The app could benefit from:
Preventing file:// URLs from being passed to shell.openExternal().
Adding an event listener to the will-navigate event.
Upgrading the Electron.js Version.
Current Behavior
The application adds an event listener that prevents opening new windows. However, it does not sanitize URLs before passing them to the underlying system. Additionally, it does not use an event listener to prevent in-app navigation within the same window. Moreover, the application can benefit from an update to the underlying Electron.js version.
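The two guards the Expected Behavior section asks for, as an added example that is not the ExpressLRS-Configurator project's own code: a protocol allow-list applied before shell.openExternal(), a will-navigate listener that cancels in-app navigation, and a window-open handler that never creates a new window. The BrowserWindow and shell objects are injected as parameters (an assumption made so the logic can be exercised outside Electron), and the renderer is assumed to be a single-page app that never needs a full navigation.

```javascript
// Only plain web links may leave the app and be handed to the OS.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// True only for http(s) URLs; file://, javascript:, data: and unparsable
// strings are rejected before they can reach shell.openExternal().
function isSafeExternalUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch {
    return false; // not a URL at all
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Installs both guards on a BrowserWindow. `win` and `shell` are passed in
// rather than required from 'electron' (assumption for this example) so the
// logic also runs under plain Node. Assumes a single-page renderer.
function installNavigationGuards(win, shell) {
  // In-app navigation (window.location = ...): always cancelled. Web links
  // are sent to the default browser instead; anything else is dropped.
  win.webContents.on('will-navigate', (event, url) => {
    event.preventDefault();
    if (isSafeExternalUrl(url)) shell.openExternal(url);
  });

  // window.open(...): never create a new BrowserWindow; only hand http(s)
  // targets to the OS, so a file:///...MacOS/Emacs target is never launched.
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternalUrl(url)) shell.openExternal(url);
    return { action: 'deny' };
  });
}

// In the main process this would be wired as, for example:
// app.whenReady().then(() => installNavigationGuards(mainWindow, shell));
```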
Steps to Reproduce
Open the ExpressLRS-Configurator Desktop Application from the command-line. Add a command-line switch --remote-debugging-port=8315 while running the application.
Open a web browser on the same device and visit localhost:8315. The application can be interacted with via the DevTools protocol.
[In-app Navigation] Within the console, enter window.location="https://attacker.com/". The application window navigates to the third-party site.
[Run Sensitive Executable Files] Alternatively, within the console, enter window.open("file:///Applications/Emacs.app/Contents/MacOS/Emacs"). An alternative would be to check window.open("file:///Applications/Safari.app/Contents/MacOS/Safari") which opens the Safari browser. The application passes the link to the underlying system which opens the executable file if one exists at the path.
[Electron.js Version] Finally, the current version of Excel Parser depends on Electron v20.3.3 which is vulnerable to numerous CVEs. [Example] The app can benefit from an update to the framework version that fixes numerous security issues. [Link]
Environments Affected
Operating System and version: MacOS, Windows, Linux
ExpressLRS-Configurator Version: 1.6.0
--
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago