Improper Link Sanitization can result in execution of sensitive local files on the user's system #5892

Open
masood opened this issue Nov 9, 2023 · 0 comments

Comments


masood commented Nov 9, 2023

Is there an existing issue for this?

Describe the bug

Thank you for designing the GDevelop Desktop Application and for making the source code available. While the application does a great job of preventing in-app navigation and opens links outside of the app by passing them to the system’s default browser, it does not sanitize these URLs, which can result in the execution of sensitive files on the user’s system.

Steps to reproduce

  1. Open the GDevelop Desktop Application from the command-line. Add a command-line switch --remote-debugging-port=8315 while running the application.
  2. Open a web browser on the same device and visit localhost:8315. The application can be interacted with via the DevTools protocol.
  3. [Access Sensitive File] Within the console, update the location, say, `window.location = "file:///Applications/Emacs.app/Contents/MacOS/Emacs"`. The file at the given path is opened. If this file is an executable, it is run by the system.

If a link were to be opened within the application, a user will have that sensitive file (if it exists), executed on their system.

GDevelop platform

Desktop

GDevelop version

5.3.180

Platform info

OS (e.g. Windows, Linux, macOS, Android, iOS)

Windows, Linux, macOS

Additional context

--
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
