openethereum / fether

Decentralized and light Ethereum Wallet
BSD 3-Clause "New" or "Revised" License

Implement filters on the permissions allowed by the Electron remote module #548

Closed Tbaut closed 4 years ago

Tbaut commented 4 years ago

The Fether application uses the remote module, but does not implement filters on the permissions allowed by the remote module. The Electron security guidelines recommend that the application implement a filter in the form of a callback handler in order to prevent misuse of this feature.

Here is an example of a mitigation that helps prevent the issues related to remote modules, where `event.preventDefault` avoids the propagation of permissions when requested by malicious code running in the renderer process:

```js
const { app } = require('electron')

// Allow-lists consulted by the handlers below; anything not listed is blocked.
const allowedModules = new Set()          // Node modules a renderer may remote.require()
const proxiedModules = new Map()          // module name -> restricted wrapper handed out instead
const allowedElectronModules = new Set()  // Electron built-ins a renderer may fetch via remote
const allowedGlobals = new Set()          // main-process globals a renderer may read via remote

// remote.require(): hand out a restricted proxy if one exists, otherwise
// allow only listed modules; event.returnValue takes precedence over preventDefault.
app.on('remote-require', (event, webContents, moduleName) => {
    if (proxiedModules.has(moduleName)) {
        event.returnValue = proxiedModules.get(moduleName)
    }
    if (!allowedModules.has(moduleName)) {
        event.preventDefault()
    }
})
// remote.<electronModule>: block Electron built-ins not on the allow-list.
app.on('remote-get-builtin', (event, webContents, moduleName) => {
    if (!allowedElectronModules.has(moduleName)) {
        event.preventDefault()
    }
})
// remote.getGlobal(): block main-process globals not on the allow-list.
app.on('remote-get-global', (event, webContents, globalName) => {
    if (!allowedGlobals.has(globalName)) {
        event.preventDefault()
    }
})
// Never expose the BrowserWindow or WebContents objects to the renderer.
app.on('remote-get-current-window', (event, webContents) => {
    event.preventDefault()
})
app.on('remote-get-current-web-contents', (event, webContents) => {
    event.preventDefault()
})
app.on('remote-get-guest-web-contents', (event, webContents, guestWebContents) => {
    event.preventDefault()
})
```