JS: Add ElectronShellOpenExternalSink class for Electron framework security #4546
Conversation
Add ElectronShellOpenExternalSink class to detect untrusted input interpreted by `openExternal` function call in `electron` module. Based on the #14 Electron Security checklist: https://www.electronjs.org/docs/tutorial/security#14-do-not-use-openexternal-with-untrusted-content
|
Here is an example to test the query.
|
|
Hi @toufik-airane 👋 Thanks for the contribution! I was a bit perplexed when you linked to PR #14, which also added some Electron support, but I'm guessing that was a coincidence. I think it would be better suited for the ClientSideUrlRedirect query, because the attacker must be able to control the URL scheme. As it stands we'll get FPs from code like: shell.openExternal('https://google.com?q=' + tainted_value)This is similar to code execution via the |
Move the class ElectronShellOpenExternalSink to ClientSideUrlRedirect.qll. It's been to be a more appropriate location.
|
Dear @asgerf, My bad, the link to PR #14 was a mistake! 😱 However, I'm not sure that will succeed to detect the issue. Indeed, when I scan my example with the |
|
Thanks! I'll help add some tests on Monday. Most of the JavaScript queries don't consider command-line arguments to be a source of untrusted input, so that's probably why your example wasn't flagged out of the box. |
|
I've opened a PR against your fork with a test case. |
There was a problem hiding this comment.
Well, better to merge the PR like this than leave it hanging indefinitely. I'll add the test in another PR.
Thanks for the contribution @toufik-airane!
Add
ElectronShellOpenExternalSinkclass to detect untrusted input interpreted byopenExternalfunction call fromelectronmodule in Electron framework for Node.js.Based on the Electron Security checklist:
https://www.electronjs.org/docs/tutorial/security#14-do-not-use-openexternal-with-untrusted-content