shyiko / electron-har

A command-line tool for generating HTTP Archive (HAR) (based on Electron)
https://www.npmjs.com/package/electron-har
MIT License

Electron security issues #11

Closed aral closed 5 years ago

aral commented 7 years ago

Given:

How much of a security risk is running electron-har and what steps could be taken to minimise risk of arbitrary code execution?

At the very least, we should link to the warning(s) on the Electron site, above.

shyiko commented 7 years ago

Hi @aral.

Good point. Right now, nodeIntegration is not disabled and so everything written in those documents applies.

In our case electron-har is used to gather data from the sources we control in pretty restrictive environments and so it hasn't been a problem for us, but I understand that might not be the case for everyone. We'll need to upgrade Electron & apply the recommendation you linked. Until then, I'll add a link to this issue in the README.

Thank you!
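The hardening shyiko describes above, as an added example that is not code from electron-har or from this thread: a small audit of a BrowserWindow `webPreferences` object with the permissive setting this issue is about beside the hardened shape the Electron security recommendations call for. The `auditWebPreferences` helper and both configs are constructed for illustration; no Electron dependency is needed to run it.

```javascript
// Added example (not electron-har code): audit a BrowserWindow webPreferences
// object for the settings the Electron security checklist warns about when a
// renderer loads content you do not control. Pure JS, no Electron dependency.

// The permissive configuration this issue describes: Node APIs are exposed to
// the loaded page, so a script in that page runs with Node privileges.
const permissiveWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
};

// The hardened shape for a renderer that loads remote pages: no Node in the
// renderer, preload code isolated from page scripts, renderer sandbox on,
// web security left enabled. (Constructed example values.)
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
};

// Returns a list of findings (empty when nothing risky is set). Defaults differ
// between Electron versions, so values that are not set explicitly are also
// reported: a hardening config should state every one of these.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration is enabled: page scripts can require() Node modules');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation is not enabled: page scripts share a JS context with preload code');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox is not enabled: renderer runs without the OS-level sandbox');
  }
  if (prefs.webSecurity === false) {
    findings.push('webSecurity is disabled: same-origin policy is off in the renderer');
  }
  return findings;
}

// Usage: run the audit over a config before handing it to new BrowserWindow({ webPreferences }).
console.log('permissive:', auditWebPreferences(permissiveWebPreferences));
console.log('hardened:', auditWebPreferences(hardenedWebPreferences));
```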

shyiko commented 5 years ago

Fixed in 0.3.0.