This repository has been archived by the owner on May 18, 2024. It is now read-only.

[Bug]: Web Preferences, Navigation, and IPC Handling #1786

Closed
4 tasks done
masood opened this issue Oct 21, 2023 · 2 comments
Labels: bug (Something isn't working), needs-triage (Awaiting triage.), stale (Issues that are no longer active.)

Comments


masood commented Oct 21, 2023

Preflight Checklist

Cider Version

1.6.2

What operating system are you using?

Ubuntu

Operating System Version

Ubuntu 22

Where did you download Cider from?

Microsoft Store

Describe the Bug

The Cider Desktop Application enables insecure web preferences on auth windows, and imposes incomplete restrictions on navigation. Finally, the application uses custom IPC messages but does not verify the sender of the message in the main process.

Steps to Reproduce

NodeIntegration

The app sets nodeIntegration:true and contextIsolation:false on the Auth Window. This allows unrestricted access to node libraries (and the user’s system) and can override preloaded APIs. [Code Link]

Navigation

The app restricts opening new windows but allows loading “localhost” links. This will allow opening other apps and files hosted on any port on localhost and does not limit such actions to the links hosted by the app itself. [Code Link]

IPC Sender Verification

While the application uses custom IPC messages, it does not verify the sender of ALL messages while handling them in the main process. [Code Link]

Anything else?

Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago

masood added the bug and needs-triage labels on Oct 21, 2023
@github-actions

Support for Cider 1.0 is in a reduced state. Do not expect replies or acknowledgement for issues that do not break full functionality of the app (Media playback, plugin functionality etc.).

If you are interested in joining the Cider 2 open alpha, you can join our Discord here.


This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions bot added the stale label on Nov 21, 2023