1zilc/fishing-funds

Link Sanitization before using `shell.openExternal()` and Limiting In-app Navigation

masood opened this issue · 1 comment

masood commented

Summary:

Thank you for designing the Fishing Funds Desktop Application and making it open source and available. The application adds an event listener that prevents opening new windows, but does not sanitize links before passing them to the user’s system. Additionally, the application does not use an event listener to prevent in-app navigation within the same window.

Platform(s) Affected:

MacOS, Windows, Linux

Steps To Reproduce:

  1. Open the Fishing Funds Desktop Application from the command-line. Add a command-line switch `--remote-debugging-port=8315` while running the application.
  2. Open a web browser on the same device and visit `localhost:8315`. The application can be interacted with via the DevTools protocol.
  3. [In-app Navigation] Within the console, enter `window.location="https://attacker.com/"`. The application window navigates to the third-party site.
  4. [Run Sensitive Executable Files] Alternatively, within the console, enter `window.open("file:///Applications/Emacs.app/Contents/MacOS/Emacs")`. An alternative would be to check `window.open("file:///Applications/Safari.app/Contents/MacOS/Safari")` which opens the Safari browser. The application passes the link to the underlying system which opens the executable file if one exists at the path. While this is currently prevented by restricting the links that users can add to the application, it will be useful to add a check before passing the links to `shell.openExternal()`.


Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago

1zilc commented

Thank you for your feedback, but I don't think this is a bug unless the user actively uses --remote-debugging-port to open Fishing Funds. Additionally, based on your steps, I am not able to effectively inspect the console.
image
Thank you again