Warn about ELECTRON_DISABLE_SECURITY_WARNINGS

doyensec / electronegativity

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications.

Apache License 2.0

972 stars 66 forks source link

Warn about ELECTRON_DISABLE_SECURITY_WARNINGS #26

Closed JarLob closed 5 years ago

JarLob commented 6 years ago

https://electronjs.org/docs/tutorial/security#electron-security-warnings

phosphore commented 5 years ago

A theoretical check set for this would be:

SECURITY_WARNINGS_DISABLED_JS_CHECK which would look for:
- process.env['ELECTRON_DISABLE_SECURITY_WARNINGS'] = true;
- win.webContents["ELECTRON_DISABLE_SECURITY_WARNINGS"] = true;
- window.ELECTRON_DISABLE_SECURITY_WARNINGS = true; as detailed in https://github.com/electron/electron/issues/11970 too.
SECURITY_WARNINGS_DISABLED_JSON_CHECK which would look for ELECTRON_DISABLE_SECURITY_WARNINGS=true env vars in package.json scripts and config objects.

Am I missing something else?

ikkisoft commented 5 years ago

That should be sufficient. I just wonder if we even want to introduce this check or not. Electronegativity is somehow a replacement for security warnings, so people may decide to avoid warnings because - for example - they run our tool for each build.

phosphore commented 5 years ago

We could wait until #31 and then set this as "Informational". Consequently we'll also implement command line flags to filter the results by severity (e.g. --severity). From then they will just need to set it to the desired severity (e.g. --severity=Low) for their build reviews.

ikkisoft commented 5 years ago

That's a good idea. Let's proceed in this way.