I'm fine to submit a PR but want to ask first for feedback on likely impact and order.
Ultimately those changes may be more relevant after upgrading Electron, as it seems only 11.2.1 is used per https://github.com/pavlobu/deskreen/blob/master/yarn.lock#L5510
Per https://www.electronjs.org/releases/stable?version=11, Electron v11 is EOL/unsupported, with the latest minor being 11.5.0.
What's the plan to move to a more recent version? I have not found an issue or branch that may point to such work.
High risks were on:
- CONTEXT_ISOLATION_JS_CHECK. To which scope can this be limited? localhost, private network IP addresses, domains...
- LIMIT_NAVIGATION_GLOBAL_CHECK
In medium risk, I would pick those two as top ones:
- SANDBOX_JS_CHECK
- CSP_GLOBAL_CHECK. An important point is where to best implement this content-security-policy. serviceWorker.ts?
- REMOTE_MODULE_JS_CHECK. Similar to contextIsolation I believe.
Not sure if main.dev.ts is a dev-only state and not applicable in the production binary/package.
$ npm install @doyensec/electronegativity -g
$ git clone https://github.com/pavlobu/deskreen && cd deskscreen
$ electronegativity -i . -o results-deskscreen.csv
$ more results-deskscreen.csv
issue, severity, confidence, filename, location, sample, description, url
CSP_GLOBAL_CHECK,"MEDIUM","CERTAIN","N/A","0:0",N/A,"No CSP has been detected in the target application",https://github.com/doyensec/electronegativity/wiki/CSP_GLOBAL_CHECK
LIMIT_NAVIGATION_GLOBAL_CHECK,"HIGH","CERTAIN","N/A","0:0",N/A,"Missing navigation limits using .on new-window and will-navigate events",https://github.com/doyensec/electronegativity/wiki/LIMIT_NAVIGATION_GLOBAL_CHECK
PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK,"MEDIUM","CERTAIN","N/A","0:0",N/A,"Missing PermissionRequestHandler to limit specific permissions (e.g. openExternal) in response to events from particular origins.",https://github.com/doyensec/electronegativity/wiki/PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK
NODE_INTEGRATION_JS_CHECK,"INFORMATIONAL","FIRM","/home/user/Downloads/deskreen/app/main.dev.ts","196:14","nodeIntegration: true,","Disable nodeIntegration for untrusted origins",https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_JS_CHECK
NODE_INTEGRATION_JS_CHECK,"INFORMATIONAL","FIRM","/home/user/Downloads/deskreen/app/features/PeerConnectionHelperRendererService/index.ts","37:14","nodeIntegration: true,","Disable nodeIntegration for untrusted origins",https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_JS_CHECK
CUSTOM_ARGUMENTS_JSON_CHECK,"MEDIUM","TENTATIVE","/home/user/Downloads/deskreen/package.json","40:0","""start-main-debug"": ""yarn start-main-dev --inspect=5858 --remote-debugging-port=9223"",","Search for dangerous runtime flags in the package.json file.",https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK
AUXCLICK_JS_CHECK,"MEDIUM","FIRM","/home/user/Downloads/deskreen/app/main.dev.ts","183:22","this.mainWindow = new BrowserWindow({","Limit navigation flows to untrusted origins. Middle-click may cause Electron to open a link within a new window",https://github.com/doyensec/electronegativity/wiki/AUXCLICK_JS_CHECK
CONTEXT_ISOLATION_JS_CHECK,"HIGH","FIRM","/home/user/Downloads/deskreen/app/main.dev.ts","183:22","this.mainWindow = new BrowserWindow({","Review the use of the contextIsolation option",https://github.com/doyensec/electronegativity/wiki/CONTEXT_ISOLATION_JS_CHECK
REMOTE_MODULE_JS_CHECK,"MEDIUM","FIRM","/home/user/Downloads/deskreen/app/main.dev.ts","197:14","enableRemoteModule: true,","Disable the remote module",https://github.com/doyensec/electronegativity/wiki/REMOTE_MODULE_JS_CHECK
REMOTE_MODULE_JS_CHECK,"MEDIUM","FIRM","/home/user/Downloads/deskreen/app/main.dev.ts","201:14","enableRemoteModule: true,","Disable the remote module",https://github.com/doyensec/electronegativity/wiki/REMOTE_MODULE_JS_CHECK
SANDBOX_JS_CHECK,"MEDIUM","FIRM","/home/user/Downloads/deskreen/app/main.dev.ts","183:22","this.mainWindow = new BrowserWindow({","Use sandbox for untrusted origins",https://github.com/doyensec/electronegativity/wiki/SANDBOX_JS_CHECK
PRELOAD_JS_CHECK,"MEDIUM","FIRM","/home/user/Downloads/deskreen/app/main.dev.ts","200:14","preload: path.join(__dirname, 'dist/mainWindow.renderer.prod.js'),","Review the use of preload scripts",https://github.com/doyensec/electronegativity/wiki/PRELOAD_JS_CHECK
AUXCLICK_JS_CHECK,"MEDIUM","FIRM","/home/user/Downloads/deskreen/app/features/PeerConnectionHelperRendererService/index.ts","19:27","helperRendererWindow = new BrowserWindow({","Limit navigation flows to untrusted origins. Middle-click may cause Electron to open a link within a new window",https://github.com/doyensec/electronegativity/wiki/AUXCLICK_JS_CHECK
CONTEXT_ISOLATION_JS_CHECK,"HIGH","FIRM","/home/user/Downloads/deskreen/app/features/PeerConnectionHelperRendererService/index.ts","19:27","helperRendererWindow = new BrowserWindow({","Review the use of the contextIsolation option",https://github.com/doyensec/electronegativity/wiki/CONTEXT_ISOLATION_JS_CHECK
REMOTE_MODULE_JS_CHECK,"MEDIUM","FIRM","/home/user/Downloads/deskreen/app/features/PeerConnectionHelperRendererService/index.ts","38:14","enableRemoteModule: true,","Disable the remote module",https://github.com/doyensec/electronegativity/wiki/REMOTE_MODULE_JS_CHECK
REMOTE_MODULE_JS_CHECK,"MEDIUM","FIRM","/home/user/Downloads/deskreen/app/features/PeerConnectionHelperRendererService/index.ts","45:14","enableRemoteModule: true,","Disable the remote module",https://github.com/doyensec/electronegativity/wiki/REMOTE_MODULE_JS_CHECK
SANDBOX_JS_CHECK,"MEDIUM","FIRM","/home/user/Downloads/deskreen/app/features/PeerConnectionHelperRendererService/index.ts","19:27","helperRendererWindow = new BrowserWindow({","Use sandbox for untrusted origins",https://github.com/doyensec/electronegativity/wiki/SANDBOX_JS_CHECK
PRELOAD_JS_CHECK,"MEDIUM","FIRM","/home/user/Downloads/deskreen/app/features/PeerConnectionHelperRendererService/index.ts","41:14","preload: path.join(","Review the use of preload scripts",https://github.com/doyensec/electronegativity/wiki/PRELOAD_JS_CHECK
Using electronegativity to validate Electron security settings in deskreen: https://github.com/doyensec/electronegativity
Other reference: https://github.com/1Password/electron-secure-defaults
Note that, depending on context (empty preload), sandbox is enabled in Electron since https://github.com/electron/electron/issues/28466 (see https://www.electronjs.org/docs/tutorial/sandbox). contextIsolation is the default since Electron v12.
Prerequisites
Not Applicable
Steps to Reproduce
Context
Reduce security vulnerability and attack surface