satisfactorymodding / SatisfactoryModManager

A mod manager for easy installation of mods and modloader for Satisfactory
GNU General Public License v3.0
324 stars 77 forks

Possible unused socket tripping windows firewall #58

Closed Raz-Hemo closed 2 years ago

Raz-Hemo commented 3 years ago

https://github.com/satisfactorymodding/SatisfactoryModManager/blob/7380f8a9b3119ffdd8be3d35317dc265e5dfa9cb/src/main/index.js#L254-L259

This seems to be unused at the moment, and I think it's preferable for security reasons to delete this - am I missing something?

mircearoata commented 3 years ago

It is used so that ficsit.app can check if SMM is installed to show the install button, which installs the mod using SMM. It will also be used at some point for ficsit.app querying the installed mods to display that

wupme commented 3 years ago

> It is used so that ficsit.app can check if SMM is installed to show the install button, which installs the mod using SMM. It will also be used at some point for ficsit.app querying the installed mods to display that

And that doesn't change anything about it being a potential security risk. How is it protected from malicious connections? Just for that functionality, it should offer a way to simply disable it. I would honestly be more willing to install a browser plugin for that, instead of having an open socket.

Raz-Hemo commented 3 years ago

You can add deep link support to SMM and use them in ficsit.app, that's the correct and safer way to do it.

https://shipshape.io/blog/launch-electron-app-from-browser-custom-protocol/ for details

Vilsol commented 3 years ago

The issue is not the passing of data from the site to the app (which is already used), but to detect whether the app is open.

trunkyredstone commented 3 years ago

How do you propose some malicious payload can be sent through this method of a simple ping-response port?

mircearoata commented 2 years ago

The websocket now only listens on localhost, so the port is not open and does not trip the Windows firewall.