Security review

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+
+## 1.0.1
+
+Reviewed security with:
+* [Electron Security](https://www.electronjs.org/docs/tutorial/security)
+* [Doyensec Electron Security Checklist](https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf)
+* [Quasar Electron Security Concerns](https://quasar.dev/quasar-cli/developing-electron-apps/electron-security-concerns)
+
+
+
 ## 1.0.0
 
 Initial version

bbcode/parser.ts

@@ -127,9 +127,8 @@ export class BBCodeParser {
             isAllowed = (name) => self.isAllowed(name) && parentAllowed(name);
             currentTag = this._currentTag = {tag: self.tag, line: this._line, column: this._column};
         }
-        let tagStart = -1, paramStart = -1, mark = start;
 
-        // @ts-ignore
+        let tagStart = -1, paramStart = -1, mark = start;
         let depth = 0;
 
         for(let i = start; i < input.length; ++i) {

chat/preview/ImagePreview.vue

@@ -13,8 +13,11 @@
         <webview
             preload="./preview/assets/browser.pre.js"
             src="about:blank"
-            nodeintegration
+            webpreferences="autoplayPolicy=no-user-gesture-required,contextIsolation,sandbox,disableDialogs,disableHtmlFullScreenWindowResize,enableWebSQL=no,nodeIntegration=no"
-            webpreferences="allowRunningInsecureContent, autoplayPolicy=no-user-gesture-required"
+            enableremotemodule="false"
+            allowpopups="false"
+            nodeIntegration="false"
+
             id="image-preview-ext"
             ref="imagePreviewExt"
             class="image-preview-external"

chat/preview/assets/browser.pre.js

@@ -2,13 +2,35 @@
  * This script is injected on every web page ImagePreview loads
  */
 
+const { ipcRenderer, contextBridge } = require('electron');
+
+function cleanValue(val) {
+    // overkill, contextBridge already does this; just here to throw
+    return JSON.parse(JSON.stringify(val));
+}
+
+contextBridge.exposeInMainWorld(
+    'rising',
+    {
+        sendToHost: (channel, ...args) => {
+            const cleanedArgs = args.map(v => cleanValue(v));
+            const cleanedChannel = cleanValue(channel);
+
+            console.log('REAL.IPC', cleanedChannel, cleanedArgs);
+
+            ipcRenderer.sendToHost(cleanedChannel, ...cleanedArgs);
+        }
+    }
+);
+
+
 const previewInitiationTime = Date.now();
 
-window.onload = () => console.log('window.onload', `${(Date.now() - previewInitiationTime)/1000}s`);
+// window.onload = () => console.log('window.onload', `${(Date.now() - previewInitiationTime)/1000}s`);
-window.onloadstart = () => console.log('window.onloadstart', `${(Date.now() - previewInitiationTime)/1000}s`);
+// window.onloadstart = () => console.log('window.onloadstart', `${(Date.now() - previewInitiationTime)/1000}s`);
-window.onloadend = () => console.log('window.onloadend', `${(Date.now() - previewInitiationTime)/1000}s`);
+// window.onloadend = () => console.log('window.onloadend', `${(Date.now() - previewInitiationTime)/1000}s`);
-window.addEventListener('DOMContentLoaded', () => (console.log('window.DOMContentLoaded', `${(Date.now() - previewInitiationTime)/1000}s`)));
+// window.addEventListener('DOMContentLoaded', () => (console.log('window.DOMContentLoaded', `${(Date.now() - previewInitiationTime)/1000}s`)));
-setTimeout(() => (console.log('Timeout', `${(Date.now() - previewInitiationTime)/1000}s`)), 0); // ---- Note that clear() below could break this
+// setTimeout(() => (console.log('Timeout', `${(Date.now() - previewInitiationTime)/1000}s`)), 0); // ---- Note that clear() below could break this
 
 
 (() => {

chat/preview/assets/browser.processor.raw.js

@@ -36,9 +36,11 @@ class FListImagePreviewDomMutator {
         this.body = document.querySelector('body');
         this.html = document.querySelector('html');
 
-        this.ipcRenderer = (typeof require !== 'undefined')
+        this.ipcRenderer = {
-            ? require('electron').ipcRenderer
+            sendToHost: ((window) && (window.rising) && (window.rising.sendToHost))
-            : { sendToHost: (...args) => (this.debug('ipc.sendToHost', ...args)) };
+                ? window.rising.sendToHost
+                : (...args) => (this.debug('MOCK.ipc.sendToHost', ...args))
+        };
 
         this.preprocess();
 

chat/preview/test-urls.txt

@@ -85,3 +85,6 @@
 Broken
 https://giphy.com/gifs/arianagrande-ariana-grande-thank-u-next-you-uldtLAK6tSOKP5PWw3
 
+https://redgifs.com/watch/grippingadvancedanteater
+https://morphsbymig.tumblr.com/post/621869669856542720/morphsbymig-denise-milani-the-job-interview
+https://66.media.tumblr.com/68d2754087907296dfc5f1c2567d6741/tumblr_pxf189SUrv1vu5oepo2_1280.jpg

electron/index.html

@@ -2,7 +2,7 @@
 <html lang="en">
 <head>
 	<meta charset="UTF-8">
-	<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src file: data: https://static.f-list.net; connect-src *">
+	<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' img-src file: data: https://static.f-list.net; connect-src *">
 	<title>F-Chat</title>
 	<link href="fa.css" rel="stylesheet">
 </head>

electron/window.html

@@ -2,7 +2,7 @@
 <html lang="en">
 <head>
     <meta charset="UTF-8">
-	<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://static.f-list.net">
+	<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' img-src https://static.f-list.net">
     <title>F-Chat</title>
     <link href="fa.css" rel="stylesheet">
 </head>