We found that preload.js introduces a dangerous API, openShellExternal, for arbitrary access from an unsafe renderer process.
This may lead to remote command execution.
We suggest that a URL check be enforced at L15, which enforces an allowlist of trusted URLs.
Makes sense. A validUrl function which checks against a list of URLs can be a solution. If you are interested in adding this, PRs are welcome for it. I'll look into it. Thank you 😄
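One way to implement the validUrl check the maintainer mentions, as an added example that is not the project's own code: the URL is parsed with the WHATWG URL class, the protocol is restricted to https:, and the parsed hostname is compared exactly against an allowlist. The allowlist entries, the `api.openExternal` name exposed through contextBridge, and the https-only policy are assumptions; the wrapper takes `shell.openExternal` as a parameter so it can be exercised without Electron.

```javascript
// Added example (not the project's code): an allowlist guard for
// shell.openExternal, written for an Electron preload script.
// ALLOWED_PROTOCOLS, DEFAULT_ALLOWED_HOSTS and the exposed API name are assumptions.

// Only plain web URLs are handed to the OS. file:, javascript:, and custom
// schemes registered by other programs are refused.
const ALLOWED_PROTOCOLS = new Set(['https:']);

// Exact hostnames the app may open in the system browser (assumed values).
const DEFAULT_ALLOWED_HOSTS = ['example.com', 'docs.example.com'];

/**
 * Returns true only if rawUrl parses as an absolute URL whose protocol is
 * allowed and whose hostname is exactly one of allowedHosts.
 * Comparing the parsed hostname (not a substring of the raw string) means
 * "example.com.attacker.test" and "attacker.test/?r=example.com" both fail.
 */
function isAllowedUrl(rawUrl, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  if (typeof rawUrl !== 'string') return false;
  let url;
  try {
    url = new URL(rawUrl); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;
  if (url.username || url.password) return false; // no embedded credentials
  return allowedHosts.includes(url.hostname.toLowerCase());
}

/**
 * Wraps a shell.openExternal-style function so it only ever receives
 * allowlisted URLs. The real function is injected; in preload.js pass
 * shell.openExternal from the electron module.
 */
function makeGuardedOpenExternal(openExternal, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  return function guardedOpenExternal(rawUrl) {
    if (!isAllowedUrl(rawUrl, allowedHosts)) {
      return Promise.reject(new Error('openExternal: URL not in allowlist'));
    }
    return openExternal(rawUrl);
  };
}

// How preload.js would expose the guarded version instead of the raw API
// (assumed API name; needs Electron, so left as a comment here):
//
//   const { contextBridge, shell } = require('electron');
//   contextBridge.exposeInMainWorld('api', {
//     openExternal: makeGuardedOpenExternal(shell.openExternal),
//   });
```

The renderer then calls `window.api.openExternal(url)` and never sees `shell` itself; rejected URLs surface as a rejected promise rather than reaching the OS. Extending the allowlist to whole domains (for example any subdomain of a trusted host) is a policy decision and should still be done on the parsed hostname, not on the raw string.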
Referenced code: clipper/preload.js, lines 14 to 16 at commit d133fde.