Summary:
Thank you for designing the Electron.js-based Geppetto Desktop Application and making it available. The application does a great job of helping design and manage 2D images and animations. We list the points of concern below that can help make the application more secure.
[In-app Navigation] Since the application has no need to navigate to external URLs, it will be helpful, as a precaution, to restrict all in-app navigation by adding a listener on will-navigate (blocking any navigation away from the app's own pages) and a handler via setWindowOpenHandler (denying new windows opened for any other origin). [Link]
[IPC Messages] Since the application uses custom IPC, it will be helpful to verify the sender of IPC messages (for example, by checking the origin of event.senderFrame.url) before handling and responding to them in IPC Main, so that only the application's own renderer frames can invoke privileged handlers. [Link]
[Keeping up-to-date w/ Electron.js] The application ships an old version of Electron.js, and therefore of Chromium, which exposes it to numerous publicly known V8 and Blink vulnerabilities that have since been patched in newer releases. [Link]
Thank you!
Platform(s) Affected:
Windows, Linux, MacOS
–
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago