brave / muon

[DEPRECATED] Build browsers and browser like applications with HTML, CSS, and JavaScript
https://discord.gg/TcT5tX2
MIT License

security: remove getBuiltin() and depending functions #649

Closed kewde closed 6 years ago

kewde commented 6 years ago

In the spirit of #644

`getBuiltin()` allows you to get any arbitrary Electron module, such as `app`.

Page 9: `app = ipcRenderer.sendSync('ELECTRON_BROWSER_GET_BUILTIN', 'app')` https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf

kewde commented 6 years ago

I haven't tried it out, but try getting the `shell` module of Electron.

Just tested, good way to execute code from within the sandbox because it goes through IPC. Meh, I never really liked `chrome.remote`, I always delete the reference in my app.

diracdeltas commented 6 years ago

Thanks @kewde. I think this is obsoleted by https://github.com/brave/muon/commit/487188c3e0777feefe2c8a23dfc559f887873083 though? @bridiver

kewde commented 6 years ago

@diracdeltas that does the job as well.
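
An added example, not code from this thread, from muon or from Electron: a constructed model of a browser-process handler for the `ELECTRON_BROWSER_GET_BUILTIN` channel, showing the unfiltered lookup the issue describes next to a default-deny allowlist keyed on the sender. The `builtins` stand-ins, the `policy` map, the origins and all function names are assumptions made for illustration.

```javascript
// Constructed model of a browser-process IPC handler. Not Electron or muon code.
const GET_BUILTIN = 'ELECTRON_BROWSER_GET_BUILTIN'; // channel name quoted in the issue

// Stand-ins for privileged modules that live in the browser process.
const builtins = {
  app: { name: 'app' },
  shell: { name: 'shell' },
  clipboard: { name: 'clipboard' },
};

// Behaviour the issue describes: whatever module name the renderer sends is returned.
function unfilteredGetBuiltin(sender, name) {
  return builtins[name];
}

// Hypothetical policy: module names each sender origin may request. Default is deny.
const policy = new Map([
  ['app://trusted-ui', new Set(['clipboard'])],
]);

// Filtered handler: checks sender, type and allowlist, and records every denial.
function makeFilteredGetBuiltin(policy, auditLog) {
  return function filteredGetBuiltin(sender, name) {
    const allowed = policy.get(sender.origin);
    const ok = typeof name === 'string' &&
      allowed !== undefined && allowed.has(name) &&
      Object.prototype.hasOwnProperty.call(builtins, name);
    if (!ok) {
      auditLog.push({ origin: sender.origin, channel: GET_BUILTIN, name: String(name) });
      return null;
    }
    return builtins[name];
  };
}

// Constructed requests: sandboxed web content asking for the modules named in the thread.
function demo() {
  const auditLog = [];
  const filtered = makeFilteredGetBuiltin(policy, auditLog);
  const web = { origin: 'https://example.test' };
  const ui = { origin: 'app://trusted-ui' };
  return {
    before: ['app', 'shell'].map((n) => unfilteredGetBuiltin(web, n) !== undefined),
    after: ['app', 'shell', 'constructor'].map((n) => filtered(web, n)),
    trusted: filtered(ui, 'clipboard'),
    trustedDenied: filtered(ui, 'shell'),
    auditLog,
  };
}
```

The `hasOwnProperty` check matters because a plain object lookup would also resolve inherited names such as `constructor`; the audit entries give a detection signal for renderers probing the channel.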