You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Summary:
Thank you for designing the Gaucho Desktop Application and making it open source and available. The application is very useful in easing the use of commands during development and it understandably needs to enable preferences like nodeIntegration. We list pointers below that can help make the application more secure.
[IPC Messages]: Since the application uses custom IPC and allows navigation to arbitrary sites, it will be helpful to verify the sender of IPC messages before handling and responding to them in IPC Main. It currently associates some IPC calls with e.mainWindow which is great. Adopting a similar approach for other IPC calls will be helpful as well. [Link]
[Preventing Navigation and Device Access] While the application does not itself use this functionality, as a precaution, it will be helpful to (a) limit all navigation attempts by adding a listener on will-navigate and a handler on setWindowOpenHandler(); and (b) deny all requests to access the user’s device with setDevicePermissionHandler().
[Keeping up-to-date w/ Electron.js]: The application uses an old version of Electron.js and Chromium which is vulnerable to numerous known V8 and Blink attacks. We observed an existing pull request for the same, which will be great for the app. [Link]
Thank you!
Platform(s) Affected:
Windows, Linux
–
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
The text was updated successfully, but these errors were encountered:
Summary:
Thank you for designing the Gaucho Desktop Application and making it open source and available. The application is very useful in easing the use of commands during development and it understandably needs to enable preferences like
nodeIntegration
. We list pointers below that can help make the application more secure.e.mainWindow
which is great. Adopting a similar approach for other IPC calls will be helpful as well. [Link]will-navigate
and a handler onsetWindowOpenHandler()
; and (b) deny all requests to access the user’s device withsetDevicePermissionHandler()
.Thank you!
Platform(s) Affected:
Windows, Linux
–
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
The text was updated successfully, but these errors were encountered: