security: confine FILE_READ and FILE_LIST to user home directory#60
security: confine FILE_READ and FILE_LIST to user home directory#60yoziv wants to merge 1 commit into
Conversation
FILE_READ and FILE_LIST IPC handlers previously accepted any path from the renderer, allowing a compromised renderer to read any file or enumerate any directory on the system. Now restricts to the user home directory (and WSL paths for WSL terminals). Part of InbarR#54 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Thanks for this! One concern before merging: Functional regression: home-dir confinement breaks the directory picker. Suggested alternative:
Also edge cases in the current logic:
Leaving open until scope is settled. |
|
Closing without merging. Reasoning: Regression risk - the allowlist relies on Low marginal value - the threat model is "compromised renderer reads arbitrary files". A compromised renderer already has PTY access, so it can Noting item 2 of #54 as "accepted risk, covered by existing PTY confinement requirement" rather than leaving it open indefinitely. Thanks for the patch anyway - the edge cases you handled (path.sep sibling bypass, Windows case) were all on point and they informed the #58 variant that did land. |
Pure-function tests (run without Electron packaging): - PR InbarR#53/InbarR#56: extractLinkFromHtml + unwrapSafelinks (16 tests) Extracted to src/renderer/utils/link-extract.ts, shared by TerminalPanel.tsx and DetachedApp.tsx (deduplication) - PR InbarR#57: path traversal guard (10 tests) Extracted to src/main/utils/security-guards.ts - PR InbarR#58: OPEN_PATH extension blocklist (28 tests) - PR InbarR#60: WSL distro name validation (9 tests) E2E tests (require npm run package): - PR InbarR#75: session rename propagates to pane title - PR InbarR#13: minimum pane size enforcement - PR InbarR#14: DEC focus sequence injection on pane switch - PR InbarR#9: ShortcutsHelp escape in capture phase - PR InbarR#10: pane title doesn't overlap terminal content - PR InbarR#8: shifted key character in Ctrl+Shift+/ binding Also extracts duplicated link-extract functions from TerminalPanel.tsx and DetachedApp.tsx into a shared utility. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pure-function tests (run without Electron packaging): - PR #53/#56: extractLinkFromHtml + unwrapSafelinks (16 tests) Extracted to src/renderer/utils/link-extract.ts, shared by TerminalPanel.tsx and DetachedApp.tsx (deduplication) - PR #57: path traversal guard (10 tests) Extracted to src/main/utils/security-guards.ts - PR #58: OPEN_PATH extension blocklist (28 tests) - PR #60: WSL distro name validation (9 tests) E2E tests (require npm run package): - PR #75: session rename propagates to pane title - PR #13: minimum pane size enforcement - PR #14: DEC focus sequence injection on pane switch - PR #9: ShortcutsHelp escape in capture phase - PR #10: pane title doesn't overlap terminal content - PR #8: shifted key character in Ctrl+Shift+/ binding Also extracts duplicated link-extract functions from TerminalPanel.tsx and DetachedApp.tsx into a shared utility. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2 participants
Summary
FILE_READandFILE_LISTIPC handlers previously accepted any path from the renderer, allowing a compromised renderer to read any file or enumerate any directory on the system. This change restricts filesystem access to the user's home directory (and WSL UNC paths for WSL terminals).Changes
IPC.FILE_LIST: Addedpath.resolve()+os.homedir()prefix check beforefs.readdirSync. WSL paths (\\\\wsl.localhost\\) are allowed.IPC.FILE_READ: Addedpath.resolve()+os.homedir()prefix check beforefs.statSync. WSL paths (//wsl.localhost/) are allowed.Both handlers return early (empty array / null) for paths outside the allowed prefixes.
Part of #54