You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on May 18, 2024. It is now read-only.
The Cider Desktop Application enables insecure web preferences on auth windows, and imposes incomplete restrictions on navigation. Finally, the application uses custom IPC messages but does not verify the sender of the message in the main process.
Steps to Reproduce
NodeIntegration
The app sets nodeIntegration:true and contextIsolation:false on Auth Window. This allows unrestricted access to node libraries (and the user’s system) and can override preloaded APIs. [Code Link]
Navigation
The app restricts opening new windows but allows loading “localhost” links. This will allow opening other apps and files hosted on any port on localhost and does not limit such actions to the links hosted by the app itself. [Code Link]
IPC Sender Verification
While the application uses custom IPC messages, it does not verify the sender of ALL messages while handling them in the main process. [Code Link]
Anything else?
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
The text was updated successfully, but these errors were encountered:
Support for Cider 1.0 is in a reduced state. Do not expect replies or acknowledgement for issues that do not break full functionality of the app (Media playback, plugin functionality etc.).
If you are interested in joining the Cider 2 open alpha, you can join our Discord here.
Preflight Checklist
Cider Version
1.6.2
What operating system are you using?
Ubuntu
Operating System Version
Ubuntu 22
Where did you download Cider from?
Microsoft Store
Describe the Bug
The Cider Desktop Application enables insecure web preferences on auth windows, and imposes incomplete restrictions on navigation. Finally, the application uses custom IPC messages but does not verify the sender of the message in the main process.
Steps to Reproduce
NodeIntegration
The app sets
nodeIntegration:true
andcontextIsolation:false
on Auth Window. This allows unrestricted access to node libraries (and the user’s system) and can override preloaded APIs. [Code Link]Navigation
The app restricts opening new windows but allows loading “localhost” links. This will allow opening other apps and files hosted on any port on localhost and does not limit such actions to the links hosted by the app itself. [Code Link]
IPC Sender Verification
While the application uses custom IPC messages, it does not verify the sender of ALL messages while handling them in the main process. [Code Link]
Anything else?
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
The text was updated successfully, but these errors were encountered: