/electronegativity

DANGEROUS_FUNCTIONS_JS_CHECK

Jump to bottom
Luca Carettoni edited this page Jan 16, 2019 · 1 revision

DANGEROUS_FUNCTIONS_JS_CHECK - Do not use dangerous functions with user-supplied data

insertCSS, executeJavaScript functions allow to inject respectively CSS and JavaScript from the main process to the renderer process. Also, eval allows JavaScript execution in the context of a BrowserWindowProxy. If the arguments are user-supplied, they can be leveraged to execute arbitrary content and modify the application behavior. This check detects the use of dangerous functions with dynamic arguments, and delegates the review to the user.

Risk

In a vulnerable application, a remote page could leverage these functions to subvert the flow of the application by injecting malicious CSS or JavaScript.

Auditing

Search for occurrences of insertCSS, executeJavaScript and eval with user-supplied input in both BrowserWindow, webview tag and all other JavaScript resources.

References

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.