add electronegativity #1202
Conversation
skipTaskbar: process.platform !== 'linux', | ||
webPreferences: { | ||
...webPreferences, | ||
preload: path.resolve(process.env.BUNDLE_LOCATION, 'bridge.js'), |
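Review bot: `path.resolve(process.env.BUNDLE_LOCATION, 'bridge.js')` throws a TypeError when `BUNDLE_LOCATION` is unset, because `path.resolve` rejects a non-string argument, so this window creation fails with an unhelpful stack trace rather than a clear message; assert the variable once at startup (or fall back to a path under `__dirname`). Since the preload's privilege depends on the keys carried in the spread `...webPreferences` (contextIsolation, sandbox, nodeIntegration), a short comment naming what that object is expected to contain would make the scanner's "Review the use of preload scripts" notice answerable from this line alone.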
Check notice
Code scanning / Electronegativity
Review the use of preload scripts
scrollBounce: true, | ||
navigateOnDragDrop: false, | ||
disableBlinkFeatures: 'Auxclick', | ||
preload: path.resolve('./main/windows/viewPreload.js'), |
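Review bot: `path.resolve('./main/windows/viewPreload.js')` resolves the preload against `process.cwd()`, not the application directory, so in a packaged build, or when the app is launched from any other working directory, the file is not found and the view loads without its preload; anchor the path with `path.join(__dirname, ...)` or `app.getAppPath()` instead of a cwd-relative string.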
Check notice
Code scanning / Electronegativity
Review the use of preload scripts
} | ||
}) | ||
|
||
viewInstance.webContents.on('will-navigate', (e) => e.preventDefault()) |
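Review bot: `will-navigate` with `e.preventDefault()` stops top-frame navigations, but it is not emitted when the renderer asks for a new window (`window.open`, `target=_blank`, middle-click), so the view can still spawn a new window; add `viewInstance.webContents.setWindowOpenHandler(() => ({ action: 'deny' }))` next to this line (a `new-window` handler on older Electron), which is also what the scanner's "new-window and will-navigate" notice is asking to see.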
Check notice
Code scanning / Electronegativity
Evaluate the implementation of the custom callback in the .on new-window and will-navigate events
@@ -1,12 +1,24 @@ | |||
<html> | |||
<head> | |||
<meta charset='utf-8' /> | |||
<meta http-equiv='Content-Security-Policy' content="default-src 'self'; connect-src *; img-src blob: http://localhost:8421; style-src 'self' 'unsafe-inline'; frame-src 'none'; object-src 'none';"/> | |||
<meta |
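Review bot: in the `Content-Security-Policy` meta on this hunk, `connect-src *` lets any script on the page reach any origin over fetch/XHR/WebSocket, `style-src 'self' 'unsafe-inline'` and the plaintext `http://localhost:8421` image source are the directives the "vulnerable" warning refers to, and there is no `base-uri`, which does not inherit from `default-src`; listing the specific origins the page actually connects to and adding `base-uri 'none'` (or `'self'`) would tighten this without touching the rest. `script-src` is absent but falls back to `default-src 'self'`, which is fine.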
Check warning
Code scanning / Electronegativity
One or more CSP directives detected are vulnerable
browserWindow.webContents.once('did-finish-load', () => { | ||
log.info(`Created ${name} renderer process, pid:`, browserWindow.webContents.getOSProcessId()) | ||
}) | ||
browserWindow.webContents.on('will-navigate', (e) => e.preventDefault()) // Prevent navigation |
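Review bot: the `// Prevent navigation` comment overstates what this handler does: `will-navigate` is not emitted for navigations started from the main process (`loadURL`, `back()`), for in-page (hash) navigations, or for new windows, so either reword it to "block renderer-initiated top-frame navigation" or pair it with a `setWindowOpenHandler` so the comment holds. Minor: `once('did-finish-load')` logs the renderer pid only for the first load, so the log line will be stale if the window is reloaded into a new process.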
Check notice
Code scanning / Electronegativity
Evaluate the implementation of the custom callback in the .on new-window and will-navigate events
lgtm, just one minor issue
Warnings

One or more CSP directives detected are vulnerable
- line 4 in dapp/dapp.html
- `default-src` with `script-src 'strict-dynamic' 'nonce-<nonce>'; base-uri 'self';`, `https`. If a user's machine is compromised to the extent where localhost can be accessed there will be worse problems. Ignored.
- `require-trusted-types-for`

Missing .on new-window navigation limit
- `file:///`
- False positive for LIMIT_NAVIGATION_GLOBAL_CHECK - doyensec/electronegativity#92 (comment) - Excluded in GA file

Search for dangerous runtime flags in the package.json file.
- line 31 in package.json
- line 36 in package.json
- Complaining about `node --inspect` in dev scripts, ignored

Limit navigation flows to untrusted origins. Middle-click may cause Electron to open a link within a new window
Review the use of the contextIsolation option
Use sandbox for untrusted origins
- line 110 in main/windows/index.ts
- line 97 in main/windows/extractColors/index.ts
- line 34 in main/windows/frames/frameInstances.ts
- line 28 in main/windows/frames/viewInstances.ts
- EN unable to directly link these options to where the BrowserWindows are initialised. Fixed by extracting BrowserWindow and BrowserView creation:
  - main/windows/index.ts
  - main/windows/extractColors/index.ts
  - main/frames/frameInstances.ts
  - main/windows/frames/viewInstances.ts

Notes

One or more CSP directives detected seems to be vulnerable
- line 4 in flow/flow.html
- line 4 in dash/dash.html
- line 4 in app/tray.html
- Same as for dapp/dapp.html above.

Review the use of openExternal
- line 201 in main/index.ts
- line 210 in main/index.ts
- line 69 in main/updater/index.ts
- line 289 in main/accounts/index.ts
- Opening external links is limited to block explorer links, release pages for our updates and some whitelisted external assets. Can ignore, but we can condense the above notes by ensuring external links are only opened from a single file:

Review the use of preload scripts
- line 99 in main/windows/extractColors/index.ts
- line 47 in main/windows/frames/frameInstances.ts
- line 30 in main/windows/frames/viewInstances.ts
- We need preload scripts for the app to function. Now only set in the main/windows/window.ts file with the BrowserWindow / BrowserView init.

TODO:
- deps and check EN output there
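As an added example (not code from this PR or from the project under review), here is the "open external links only from a single file" idea from the description above, combined with the will-navigate and new-window handling the scanner flagged: one allowlist check, one checked `openExternal` wrapper, and the two handlers that route every renderer-initiated escape through it. The allowlist entries and the `appOrigin` value are hypothetical, and `shell.openExternal` is passed in rather than imported so the policy runs and can be tested outside an Electron process.

```javascript
// Added example, not the PR's or the project's own code. Policy for URLs that
// leave the app: one allowlist, one checked opener, and the handlers that
// feed it. Electron is not imported: `openExternal` (normally
// shell.openExternal) and `webContents` are passed in by the caller.

// Hypothetical allowlist: exact https origin plus a required path prefix.
const EXTERNAL_ALLOWLIST = [
  { origin: 'https://etherscan.io', pathPrefix: '/' },
  { origin: 'https://github.com', pathPrefix: '/example-org/example-app/releases' },
];

// True only for a well-formed https URL whose origin and path match an entry.
// Parsing with URL (not string prefix checks) defeats lookalikes such as
// https://etherscan.io.evil.example and https://etherscan.io@evil.example.
function isAllowedExternal(rawUrl, allowlist = EXTERNAL_ALLOWLIST) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;    // rejects file:, javascript:, http:
  if (url.username || url.password) return false; // no embedded credentials
  return allowlist.some((entry) => {
    const prefix = entry.pathPrefix.endsWith('/') ? entry.pathPrefix : entry.pathPrefix + '/';
    return (
      url.origin === entry.origin &&
      (url.pathname === entry.pathPrefix || url.pathname.startsWith(prefix))
    );
  });
}

// The single chokepoint every call site uses instead of shell.openExternal.
// Resolves to true when the URL was handed to the OS, false when blocked.
async function openExternalChecked(rawUrl, openExternal, log = console) {
  if (!isAllowedExternal(rawUrl)) {
    log.warn(`blocked openExternal: ${String(rawUrl)}`);
    return false;
  }
  await openExternal(String(rawUrl));
  return true;
}

// For webContents.setWindowOpenHandler: the renderer never gets a new window
// (window.open, target=_blank, middle-click); allowed links go to the OS browser.
function windowOpenHandler(openExternal) {
  return ({ url }) => {
    openExternalChecked(url, openExternal);
    return { action: 'deny' };
  };
}

// For 'will-navigate': block any top-frame navigation that leaves the origin
// the window was loaded with (appOrigin is hypothetical, e.g. the dev server).
function willNavigateHandler(appOrigin) {
  return (event, url) => {
    let target = null;
    try {
      target = new URL(url).origin;
    } catch {
      target = null;
    }
    if (target !== appOrigin) event.preventDefault();
  };
}

// Wire both guards onto a webContents; call once per BrowserWindow/BrowserView.
function attachNavigationGuards(webContents, appOrigin, openExternal) {
  webContents.setWindowOpenHandler(windowOpenHandler(openExternal));
  webContents.on('will-navigate', willNavigateHandler(appOrigin));
}
```

With this in place the four `openExternal` call sites listed above collapse into calls to `openExternalChecked`, and the scanner's "Review the use of openExternal" and "new-window / will-navigate" notices point at one file. Note that `will-navigate` alone does not cover `window.open`, which is why the window-open handler is attached alongside it.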
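The CSP warnings triaged above (`connect-src *`, `'unsafe-inline'`, the plaintext `http://localhost` source and the missing `base-uri`) are easier to reason about with a checker that applies the default-src fallback rules and reports each weak source. This is an added example, not the project's code and not Electronegativity's rule set; the policy it inspects is the one from dapp/dapp.html in this PR, and the hardened policy is a constructed illustration with hypothetical origins, not a proposal for the project.

```javascript
// Added example, not the PR's or the project's code; the rules are common
// CSP guidance, not Electronegativity's exact checks.

// The policy from dapp/dapp.html in this PR.
const PAGE_CSP =
  "default-src 'self'; connect-src *; img-src blob: http://localhost:8421; " +
  "style-src 'self' 'unsafe-inline'; frame-src 'none'; object-src 'none';";

// Constructed stricter variant for comparison (hypothetical origins).
const HARDENED_CSP =
  "default-src 'self'; script-src 'self'; " +
  "connect-src https://localhost:8421 wss://localhost:8421; " +
  "img-src 'self' blob: data:; style-src 'self'; frame-src 'none'; " +
  "object-src 'none'; base-uri 'none'";

// Fetch directives that fall back to default-src when absent. (worker-src and
// frame-src actually consult child-src/script-src first; simplified here.)
const FETCH_DIRECTIVES = [
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src', 'media-src',
  'object-src', 'frame-src', 'worker-src', 'manifest-src', 'child-src',
];

// Parse "name src src; name src" into a Map. Per the spec a repeated
// directive is ignored, so the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Effective source list for a fetch directive, honouring the default-src
// fallback; with no default-src either, everything is allowed ('*').
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get('default-src') || ['*'];
}

// Returns [{ directive, source, message }] for each weakness found.
function checkCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const add = (directive, source, message) => findings.push({ directive, source, message });

  if (!d.has('default-src')) {
    add('default-src', null, 'missing: any fetch directive not listed allows every source');
  }
  for (const name of FETCH_DIRECTIVES) {
    const sources = effectiveSources(d, name);
    for (const src of sources) {
      const s = src.toLowerCase();
      if (s === '*') add(name, src, 'wildcard allows any origin');
      if (s === 'http:' || s.startsWith('http://')) add(name, src, 'plaintext http source');
      if (s === "'unsafe-inline'" && (name === 'script-src' || name === 'style-src')) {
        add(name, src, `inline ${name === 'script-src' ? 'script' : 'style'} allowed`);
      }
      if (s === "'unsafe-eval'" && name === 'script-src') add(name, src, 'eval allowed');
      if (s === 'data:' && (name === 'script-src' || name === 'object-src')) {
        add(name, src, 'data: URLs can carry attacker-controlled content');
      }
    }
    if (name === 'object-src' && !(sources.length === 1 && sources[0].toLowerCase() === "'none'")) {
      add(name, sources.join(' '), "should be 'none' unless plugins are needed");
    }
  }
  // base-uri has no default-src fallback: without it an injected <base> can
  // redirect every relative script/style URL on the page.
  if (!d.has('base-uri')) add('base-uri', null, 'missing: no fallback from default-src');
  return findings;
}
```

Run against `PAGE_CSP` the checker reports exactly the four points discussed above (`connect-src *`, the `http://localhost:8421` image source, `style-src 'unsafe-inline'`, and the absent `base-uri`) and nothing for `script-src`, which correctly inherits `'self'`. Whether the localhost finding is worth acting on is the judgement call made in the description; the checker only makes the fallback rules explicit.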