search

btargac / excel-parser-processor

Automate downloads from Excel files in seconds. Simply does the tedious, repetitive operations for rows of Excel files and reports the results. It downloads files from URL(s) in column A, if a new filename is provided at column B it will rename before saving. It will even create sub folders if column C is filled with a valid folder name.
MIT License
223 stars 31 forks source link

In-app Navigation and Electron.js Version #451

Open masood opened 11 months ago

masood commented 11 months ago

Summary:

While the Excel Parser Desktop Application uses secure web preferences, it does not use event listeners that prevent in-app navigation. Moreover, the application can benefit from an update to the underlying Electron.js version.

Platform(s) Affected:

MacOS, Windows, Linux

Steps To Reproduce:

  1. Open the Excel Parser Desktop Application.
  2. From the “View” menu, choose “Toggle Developer Tools”.
  3. [In-app Navigation] Within the console, enter window.location=”https://attacker.com/”. The application window navigates to the third-party site.
  4. [Alt. in-app navigation] Alternatively, within the console, enter window.open(“https://attacker.com/”). The application opens a new window with the third-party domain.
  5. [Web Preferences] While the app disables nodeIntegration and enables contextIsolation, it does not enable sandbox. These features can be taken care of by the defaults of the latest Electron.js version.
  6. [Electron.js Version] Finally, the current version of Excel Parser depends on Electron v17 which is vulnerable to numerous CVEs. [Example] The app can benefit from an update to the framework version that fixes numerous security issues. [Link]

-- Mir Masood Ali, PhD student, University of Illinois at Chicago Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago Chris Kanich, Associate Professor, University of Illinois at Chicago Jason Polakis, Associate Professor, University of Illinois at Chicago

btargac commented 11 months ago

Hey @masood thanks for sharing the issue, but the finding is not very realistic due to content-security-policy rules applied. Here is why; content security policy forces the browser for electron it's the chromium engine not to download any assets from the unknown domains, it's only a set of restricted domains where the app can download images, styles and js files.

But at the same time upgrading the electron version is a valid concern. Will be dealing with that at the very first convenience

btargac commented 11 months ago

And console is disabled for the end users, if it's opened by the user then probably someone is sitting in front of that computer so no one will be able to type window.open(any link)