Electron app does not validate URLs on new windows and navigation #5284

eniolam1000752 · 2023-09-01T05:00:42Z

Actual behavior

Partially resolved in PR #5157. The issue was fixed by limiting new navigations for the localhost and lisk.com hostnames. However, the protocol of the URLis not checked, so URLs such as smb://localhost incorrectly pass this check. We recommend also ensuring that the protocol is https. Furthermore, the catch block of handleRedirect function does not have a call to e.preventDefault(), which may allow other bypasses (we did not attempt to exploit this).

eniolam1000752 added the type: bug label Sep 1, 2023

eniolam1000752 added this to the Sprint 107 milestone Sep 1, 2023

eniolam1000752 self-assigned this Sep 1, 2023

eniolam1000752 mentioned this issue Sep 1, 2023

Bug fix: Electron app does not validate URLs on new windows and navigation #5287

Merged

1 task

ManuGowda changed the title ~~TOB-LISK-56: Electron app does not validate URLs on new windows and navigation~~ Electron app does not validate URLs on new windows and navigation Sep 4, 2023

ManuGowda closed this as completed Sep 4, 2023

ManuGowda added the type: security label Sep 4, 2023

sridharmeganathan mentioned this issue Sep 12, 2023

Prepare Lisk Desktop v3.0.0 for rc #4363

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Electron app does not validate URLs on new windows and navigation #5284

Electron app does not validate URLs on new windows and navigation #5284

eniolam1000752 commented Sep 1, 2023

Electron app does not validate URLs on new windows and navigation #5284

Electron app does not validate URLs on new windows and navigation #5284

Comments

eniolam1000752 commented Sep 1, 2023

Actual behavior