Potential Command Execution vulnerabilities introduced by main-preload.js #856
Assignees
Labels
assigned to core 🦹
Issues are taken care of by the core team actively
security issue 🔑
Issue concerns Boostnote's security. Usually high priority.
Comments
Rokt33r
added
the
security issue 🔑
|
Thanks for reporting. For now, it is okay since we're using the method with safe URLs only. So it won't cause any problems unless a user executing an arbitrary script from dev tools. But I'll make it safer for the case that someone makes a mistake. @Komediruzecki This could be problematic for the local app since links in the markdown previewer are using this method without any URL filtering. |
Rokt33r
added
the
assigned to core 🦹
|
Fixed by BoostIO/BoostNote.next-local#39 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
We found that
static/main-preload.jsintroduces dangerous API openShellExternal for arbitrary access on unsafe renderer process.This may lead to remote command execution.
We suggest that a URL check should be enforced at L15, which enforces an allowlist on trusted URLs.
https://github.com/BoostIO/BoostNote.next/blob/a467dcb960531953040f26d09bd59a90c37a002e/static/main-preload.js#L14-L17
The text was updated successfully, but these errors were encountered: