Description
Summary:
Thank you for designing the F-Curator Desktop Application and making it open source and available. The application adds an event listener that prevents opening new windows, and sanitization is performed before links are created. However, as a precaution, it would also be helpful to sanitize URLs before passing them to the underlying system. Additionally, the application does not use an event listener to prevent in-app navigation within the same window. Moreover, the application can benefit from an update to the underlying Electron.js version.
Platform(s) Affected:
MacOS, Windows
Steps To Reproduce:
- Open the F-Curator Desktop Application from the command line, adding the command-line switch `--remote-debugging-port=8315` while running the application.
- Open a web browser on the same device and visit `localhost:8315`. The application can be interacted with via the DevTools protocol.
- [In-app Navigation] Within the console, enter `window.location="https://attacker.com/"`. The application window navigates to the third-party site.
- [Run Sensitive Executable Files] Alternatively, within the console, enter `window.open("file:///Applications/Emacs.app/Contents/MacOS/Emacs")`. An alternative would be to check `window.open("file:///Applications/Safari.app/Contents/MacOS/Safari")`, which opens the Safari browser. The application passes the link to the underlying system, which opens the executable file if one exists at the path. While this is currently prevented by restricting the links that users can add to the application, it will be useful to add a check before passing the links to `shell.openExternal()`.
- [Localhost Files] Finally, opening links similar to `http://localhost:8315/` passes the links as-is to the system. If another application uses that port, it can be triggered from the F-Curator Application. It will be helpful to prevent adding localhost links.
- [Electron.js Version] Finally, the current version of Excel Parser depends on Electron v20.3.3, which is vulnerable to numerous CVEs. [Example] The app can benefit from an update to the framework version that fixes numerous security issues. [Link]
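The mitigations the report asks for (a URL check before `shell.openExternal()`, a `will-navigate` listener that blocks in-app navigation, and a window-open handler that refuses `file:` and loopback links) can be sketched as follows. This is an added example, not code from the F-Curator project; it assumes Electron's `webContents.on('will-navigate')` and `webContents.setWindowOpenHandler()` APIs, and the `win`, `shell` and `appOrigin` parameters of `hardenWindow` are hypothetical stand-ins for the real Electron objects so the logic can be exercised without a running Electron process.

```javascript
// Added example, not F-Curator's own code. Pure validation functions plus a
// hypothetical wiring helper; `win.webContents` and `shell` are assumed to
// behave like Electron's real objects and are passed in as parameters.

// Only plain web links are ever handed to the operating system.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Loopback names and addresses that would reach other services on the device.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]', '0.0.0.0']);

// Returns true only for an http(s) URL that does not point at the local host.
function isSafeExternalUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return false; // unparsable input is never passed to the system
  }
  // Rejects file:, javascript:, custom schemes, etc.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;
  const host = url.hostname.toLowerCase(); // IPv6 hostnames keep their brackets
  if (LOOPBACK_HOSTS.has(host)) return false;
  if (host.endsWith('.localhost') || host.startsWith('127.')) return false;
  return true;
}

// In-app navigation is allowed only within the application's own origin;
// anything unparsable is blocked as well.
function shouldBlockNavigation(navigationUrl, appOrigin) {
  try {
    return new URL(navigationUrl).origin !== appOrigin;
  } catch {
    return true;
  }
}

// Wires both checks into a BrowserWindow-like object (hypothetical helper).
function hardenWindow(win, shell, appOrigin) {
  // Stops window.location changes to third-party sites inside the app window.
  win.webContents.on('will-navigate', (event, navigationUrl) => {
    if (shouldBlockNavigation(navigationUrl, appOrigin)) event.preventDefault();
  });
  // window.open() never creates a renderer window; safe links go to the
  // default browser, everything else (file:, localhost, ...) is dropped.
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternalUrl(url)) shell.openExternal(url);
    return { action: 'deny' };
  });
}
```

In a real Electron main process, `hardenWindow(mainWindow, require('electron').shell, 'https://your-app-origin')` would be called right after the `BrowserWindow` is created; the same `isSafeExternalUrl` check belongs in front of every other `shell.openExternal()` call, including the one that opens user-added links.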
–
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago