CUSTOM_ARGUMENTS_JS_CHECK

Luca Carettoni edited this page Jan 16, 2019 · 1 revision

CUSTOM_ARGUMENTS_JS_CHECK - Review the use of command line arguments

With Electron, it is possible to programmatically insert command line arguments to modify the behavior of the framework foundation (Chromium via libchromiumcontent, and Node.js) and of Electron itself. For instance, setting the switch `--proxy-server` forces Chromium to use a specific proxy server regardless of system settings. To debug JavaScript executed in the main process, Electron allows an external debugger to be attached; this is enabled with the `--inspect` or `--inspect-brk` command line switch (`--debug` and `--debug-brk` in older releases). Additionally, the application can implement custom command line arguments of its own.


Risk

The use of additional command line arguments can increase the application attack surface, disable security features or otherwise weaken the overall security posture. For example, if main-process debugging is enabled, Electron listens for V8 inspector protocol messages on the specified port (5858 unless a port is given). Anything that can reach that port, including a low-privileged local process, can attach a debugger, evaluate arbitrary JavaScript with the main process's Node.js privileges, and subvert the application at runtime. Other switches have a similar effect: `--remote-debugging-port` exposes the DevTools protocol of the renderers, `--ignore-certificate-errors` disables TLS certificate validation, and `--no-sandbox` disables the Chromium sandbox.

Auditing

Review all occurrences of `appendArgument` and `appendSwitch` on `app.commandLine` (both must be called before the `ready` event to take effect):

```javascript
const { app } = require('electron')
// appendArgument takes the full argument, including the leading dashes
app.commandLine.appendArgument('--debug')
// appendSwitch takes the switch name without dashes, plus an optional value
// (for proxy-server the value is a host:port or proxy-rules string)
app.commandLine.appendSwitch('proxy-server', '8080')
```

Additionally, search for debugging and custom arguments (e.g. `--inspect`, `--debug` or `--debug-brk`) in the `scripts` section of the package.json file, and within the application codebase. This part of the check is not yet implemented (see https://github.com/doyensec/electronegativity/issues/22).
