fix(security): extend IPC sender validation to ipcMain.on channels#2387
Merged
gregpriday merged 1 commit intodevelopfrom Feb 27, 2026
Merged
Conversation
- Patch ipcMain.on to validate event.senderFrame.url against trusted origins before executing fire-and-forget handlers; untrusted messages are silently dropped with a console.warn - Maintain a per-channel listener map so ipcMain.removeListener/off can resolve the wrapped function from the original listener reference, preserving cleanup semantics in all handler files - Patch ipcMain.removeListener to look up and remove wrapped versions - Alias ipcMain.off to the patched removeListener - Patch ipcMain.removeAllListeners to clear map entries; use explicit undefined check so empty-string channel names are handled correctly Closes #2374
gregpriday
deleted the
feature/issue-2374-extend-ipc-sender-validation
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Extends
enforceIpcSenderValidation()inelectron/main.tsto cover allipcMain.onfire-and-forget channels, closing the security gap identified in #2374.Closes #2374
Changes Made
ipcMain.onto wrap every registered listener with a sender validation check againstisTrustedRendererUrl; messages from untrusted origins are silently dropped with aconsole.warn(fire-and-forget channels have no error return path)Map<channel, Map<originalListener, wrappedListener>>soipcMain.removeListenerandipcMain.offcan resolve the correct wrapped function — preserving cleanup semantics across all handler files without requiring changes to callersipcMain.removeListenerto look up and remove the wrapped version from the EventEmitter when a mapped entry existsipcMain.offto the patchedremoveListeneripcMain.removeAllListenersto clear map entries; uses explicitchannel !== undefinedguard so empty-string channel names are handled correctly