Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add electronegativity #1202

Merged
merged 25 commits into from
Nov 29, 2022
Merged

add electronegativity #1202

merged 25 commits into from
Nov 29, 2022

Conversation

goosewobbler
Copy link
Contributor

@goosewobbler goosewobbler commented Nov 26, 2022
edited
Loading

  • Running Electronegativity on PR builds

Warnings

One or more CSP directives detected are vulnerable
line 4 in dapp/dapp.html

  • 'self' can be problematic if you host JSONP, Angular or user uploaded files
    • we host none of these, but should remove default-src in favour of more strict rules
    • Replace default-src with script-src 'strict-dynamic' 'nonce-<nonce>'; base-uri 'self';
  • Allow only resources downloaded over HTTPS. - 'img-src'
    • Local dapp server required to run over https. If a user's machine is compromised to the extent where localhost can be accessed there will be worse problems. Ignored.
  • Consider requiring Trusted Types for scripts to lock down DOM XSS injection sinks. You can do this by adding "require-trusted-types-for 'script'" to your policy.
    • add require-trusted-types-for

Missing .on new-window navigation limit
file:///

False positive for LIMIT_NAVIGATION_GLOBAL_CHECK - doyensec/electronegativity#92 (comment) - Excluded in GA file

Search for dangerous runtime flags in the package.json file.
line 31 in package.json
line 36 in package.json

Complaining about node --inspect in dev scripts, ignored

Limit navigation flows to untrusted origins. Middle-click may cause Electron to open a link within a new window
Review the use of the contextIsolation option
Use sandbox for untrusted origins
line 110 in main/windows/index.ts
line 97 in main/windows/extractColors/index.ts
line 34 in main/windows/frames/frameInstances.ts
line 28 in main/windows/frames/viewInstances.ts

EN unable to directly link these options to where the BrowserWindows are initialised. Fixed by extracting BrowserWindow and BrowserView creation:

  • extract BrowserWindow in main/windows/index.ts
  • extract BrowserWindow in main/windows/extractColors/index.ts
  • extract BrowserView in main/windows/extractColors/index.ts
  • extract BrowserWindow in main/frames/frameInstances.ts
  • extract BrowserView in main/windows/frames/viewInstances.ts

Notes

One or more CSP directives detected seems to be vulnerable
line 4 in flow/flow.html
line 4 in dash/dash.html
line 4 in app/tray.html

Same as for dapp/dapp.html above.

Review the use of openExternal
line 201 in main/index.ts
line 210 in main/index.ts
line 69 in main/updater/index.ts
line 289 in main/accounts/index.ts

Opening external links is limited to block explorer links, release pages for our updates and some white listed external assets. Can ignore, but we can condense the above notes by ensuring external links are only opened from a single file:

  • Open external links in one place

Review the use of preload scripts
line 99 in main/windows/extractColors/index.ts
line 47 in main/windows/frames/frameInstances.ts
line 30 in main/windows/frames/viewInstances.ts

We need preload scripts for the app to function. Now only set in the main/windows/window.ts file with the BrowserWindow / BrowserView init.

  • Set preload scripts in one place

TODO:

  • Address or ignore all raised warnings & notes
  • Verify production build
  • Post-merge: Rebase deps and check EN output there
    • address or ignore anything new

@goosewobbler goosewobbler added the WIP PRs that are still in progress and not ready for review or merging label Nov 26, 2022
@goosewobbler goosewobbler changed the base branch from develop to deps November 26, 2022 22:27
@goosewobbler goosewobbler changed the base branch from deps to develop November 26, 2022 22:28
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 27, 2022
View reviewed changes
main/windows/index.ts Fixed Show fixed Hide fixed
main/windows/index.ts Fixed Show fixed Hide fixed
main/windows/index.ts Fixed Show fixed Hide fixed
main/windows/frames/frameInstances.ts Fixed Show fixed Hide fixed
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 27, 2022
View reviewed changes
main/windows/window.ts
skipTaskbar: process.platform !== 'linux',
webPreferences: {
...webPreferences,
preload: path.resolve(process.env.BUNDLE_LOCATION, 'bridge.js'),

Check notice

Code scanning / Electronegativity

Review the use of preload scripts

Review the use of preload scripts
main/windows/window.ts
scrollBounce: true,
navigateOnDragDrop: false,
disableBlinkFeatures: 'Auxclick',
preload: path.resolve('./main/windows/viewPreload.js'),

Check notice

Code scanning / Electronegativity

Review the use of preload scripts

Review the use of preload scripts
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 27, 2022
View reviewed changes
main/windows/window.ts
}
})

viewInstance.webContents.on('will-navigate', (e) => e.preventDefault())

Check notice

Code scanning / Electronegativity

Evaluate the implementation of the custom callback in the .on new-window and will-navigate events

Evaluate the implementation of the custom callback in the .on new-window and will-navigate events
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 28, 2022
View reviewed changes
dapp/dapp.html Fixed Show fixed Hide fixed
flow/flow.html Fixed Show fixed Hide fixed
dash/dash.html Fixed Show fixed Hide fixed
app/tray.html Fixed Show fixed Hide fixed
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 28, 2022
View reviewed changes
dapp/dapp.html
@@ -1,12 +1,24 @@
<html>
<head>
<meta charset='utf-8' />
<meta http-equiv='Content-Security-Policy' content="default-src 'self'; connect-src *; img-src blob: http://localhost:8421; style-src 'self' 'unsafe-inline'; frame-src 'none'; object-src 'none';"/>
<meta

Check warning

Code scanning / Electronegativity

One or more CSP directives detected are vulnerable

One or more CSP directives detected are vulnerable
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 29, 2022
View reviewed changes
main/windows/window.ts
export function openExternal(url = '') {
if (isWhitelistedHost(url) || isValidReleasePage(url)) {
store.setDash({ showing: false })
shell.openExternal(url)

Check notice

Code scanning / Electronegativity

Review the use of openExternal

Review the use of openExternal
main/windows/window.ts Show resolved Hide resolved
@goosewobbler goosewobbler removed the WIP PRs that are still in progress and not ready for review or merging label Nov 29, 2022
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 29, 2022
View reviewed changes
main/windows/window.ts
browserWindow.webContents.once('did-finish-load', () => {
log.info(`Created ${name} renderer process, pid:`, browserWindow.webContents.getOSProcessId())
})
browserWindow.webContents.on('will-navigate', (e) => e.preventDefault()) // Prevent navigation

Check notice

Code scanning / Electronegativity

Evaluate the implementation of the custom callback in the .on new-window and will-navigate events

Evaluate the implementation of the custom callback in the .on new-window and will-navigate events
mholtzman
mholtzman requested changes Nov 29, 2022
View reviewed changes
Copy link
Collaborator

@mholtzman mholtzman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, just one minor issue

.github/workflows/compile-and-test.yml Outdated Show resolved Hide resolved
main/windows/window.ts Outdated Show resolved Hide resolved
mholtzman
mholtzman reviewed Nov 29, 2022
View reviewed changes
dash/App/Notify/index.js Outdated Show resolved Hide resolved
@goosewobbler goosewobbler merged commit db05852 into develop Nov 29, 2022
@goosewobbler goosewobbler deleted the electronegativity branch November 29, 2022 16:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mholtzman mholtzman mholtzman approved these changes

Assignees
No one assigned
Labels
security tooling
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@goosewobbler @mholtzman