kittyfangs
/
fchat-rising
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security review

This commit is contained in:
Mr. Stallion 2020-06-28 16:09:18 -05:00
parent 90b40f3796
commit b02db49404
8 changed files with 53 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
CHANGELOG.md
View File

@ -1,5 +1,15 @@
# Changelog
## 1.0.1
Reviewed security with:
* [Electron Security](https://www.electronjs.org/docs/tutorial/security)
* [Doyensec Electron Security Checklist](https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf)
* [Quasar Electron Security Concerns](https://quasar.dev/quasar-cli/developing-electron-apps/electron-security-concerns)
## 1.0.0
Initial version

3
bbcode/parser.ts
View File

@ -127,9 +127,8 @@ export class BBCodeParser {
isAllowed = (name) => self.isAllowed(name) && parentAllowed(name);
currentTag = this._currentTag = {tag: self.tag, line: this._line, column: this._column};
}
let tagStart = -1, paramStart = -1, mark = start;
// @ts-ignore
let tagStart = -1, paramStart = -1, mark = start;
let depth = 0;
for(let i = start; i < input.length; ++i) {

7
chat/preview/ImagePreview.vue
View File

@ -13,8 +13,11 @@
<webview
preload="./preview/assets/browser.pre.js"
src="about:blank"
nodeintegration
webpreferences="allowRunningInsecureContent, autoplayPolicy=no-user-gesture-required"
webpreferences="autoplayPolicy=no-user-gesture-required,contextIsolation,sandbox,disableDialogs,disableHtmlFullScreenWindowResize,enableWebSQL=no,nodeIntegration=no"
enableremotemodule="false"
allowpopups="false"
nodeIntegration="false"
id="image-preview-ext"
ref="imagePreviewExt"
class="image-preview-external"

32
chat/preview/assets/browser.pre.js
View File

@ -2,13 +2,35 @@
* This script is injected on every web page ImagePreview loads
*/
const { ipcRenderer, contextBridge } = require('electron');
function cleanValue(val) {
// overkill, contextBridge already does this; just here to throw
return JSON.parse(JSON.stringify(val));
}
contextBridge.exposeInMainWorld(
'rising',
{
sendToHost: (channel, ...args) => {
const cleanedArgs = args.map(v => cleanValue(v));
const cleanedChannel = cleanValue(channel);
console.log('REAL.IPC', cleanedChannel, cleanedArgs);
ipcRenderer.sendToHost(cleanedChannel, ...cleanedArgs);
}
}
);
const previewInitiationTime = Date.now();
window.onload = () => console.log('window.onload', `${(Date.now() - previewInitiationTime)/1000}s`);
window.onloadstart = () => console.log('window.onloadstart', `${(Date.now() - previewInitiationTime)/1000}s`);
window.onloadend = () => console.log('window.onloadend', `${(Date.now() - previewInitiationTime)/1000}s`);
window.addEventListener('DOMContentLoaded', () => (console.log('window.DOMContentLoaded', `${(Date.now() - previewInitiationTime)/1000}s`)));
setTimeout(() => (console.log('Timeout', `${(Date.now() - previewInitiationTime)/1000}s`)), 0); // ---- Note that clear() below could break this
// window.onload = () => console.log('window.onload', `${(Date.now() - previewInitiationTime)/1000}s`);
// window.onloadstart = () => console.log('window.onloadstart', `${(Date.now() - previewInitiationTime)/1000}s`);
// window.onloadend = () => console.log('window.onloadend', `${(Date.now() - previewInitiationTime)/1000}s`);
// window.addEventListener('DOMContentLoaded', () => (console.log('window.DOMContentLoaded', `${(Date.now() - previewInitiationTime)/1000}s`)));
// setTimeout(() => (console.log('Timeout', `${(Date.now() - previewInitiationTime)/1000}s`)), 0); // ---- Note that clear() below could break this
(() => {

8
chat/preview/assets/browser.processor.raw.js
View File

@ -36,9 +36,11 @@ class FListImagePreviewDomMutator {
this.body = document.querySelector('body');
this.html = document.querySelector('html');
this.ipcRenderer = (typeof require !== 'undefined')
? require('electron').ipcRenderer
: { sendToHost: (...args) => (this.debug('ipc.sendToHost', ...args)) };
this.ipcRenderer = {
sendToHost: ((window) && (window.rising) && (window.rising.sendToHost))
? window.rising.sendToHost
: (...args) => (this.debug('MOCK.ipc.sendToHost', ...args))
};
this.preprocess();

3
chat/preview/test-urls.txt
View File

@ -85,3 +85,6 @@
Broken
https://giphy.com/gifs/arianagrande-ariana-grande-thank-u-next-you-uldtLAK6tSOKP5PWw3
https://redgifs.com/watch/grippingadvancedanteater
https://morphsbymig.tumblr.com/post/621869669856542720/morphsbymig-denise-milani-the-job-interview
https://66.media.tumblr.com/68d2754087907296dfc5f1c2567d6741/tumblr_pxf189SUrv1vu5oepo2_1280.jpg

2
electron/index.html
View File

@ -2,7 +2,7 @@
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src file: data: https://static.f-list.net; connect-src *">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' img-src file: data: https://static.f-list.net; connect-src *">
<title>F-Chat</title>
<link href="fa.css" rel="stylesheet">
</head>

2
electron/window.html
View File

@ -2,7 +2,7 @@
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://static.f-list.net">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' img-src https://static.f-list.net">
<title>F-Chat</title>
<link href="fa.css" rel="stylesheet">
</head>