Potential Command Execution vulnerabilities introduced by main-preload.js #856
Labels
assigned to core 🦹
Issues are taken care of by the core team actively
security issue 🔑
Issue concerns Boostnote's security. Usually high priority.
Hi,
We found that
static/main-preload.jsintroduces dangerous API openShellExternal for arbitrary access on unsafe renderer process.This may lead to remote command execution.
We suggest that a URL check should be enforced at L15, which enforces an allowlist on trusted URLs.
https://github.com/BoostIO/BoostNote.next/blob/a467dcb960531953040f26d09bd59a90c37a002e/static/main-preload.js#L14-L17
The text was updated successfully, but these errors were encountered: