PROTOCOL_HANDLER_JS_CHECK
Anthony Trummer edited this page Jan 6, 2022
·
3 revisions
Electron allows defining custom protocol handlers so that the application can use deep linking to exercise specific features. Since external protocol handlers can be triggered by arbitrary origins, it is important to evaluate how they are implemented and whether user-supplied parameters can lead to security vulnerabilities (e.g., injection flaws).
The use of custom protocol handlers opens the application to vulnerabilities triggered by users clicking on, or abitrary origins forcing navigation to, malicious links.
To register a custom protocol handler, it is necessary to use one of the following functions:
- setAsDefaultProtocolClient
- registerStandardSchemes
- registerServiceWorkerSchemes
- registerFileProtocol
- registerHttpProtocol
- registerStringProtocol
- registerBufferProtocol
- registerStreamProtocol
Our check searches for those occurrences. You should manually review the implementation of each of them.
- https://electronjs.org/docs/all#appsetasdefaultprotocolclientprotocol-path-args
- https://electronjs.org/docs/all#protocolregisterstandardschemesschemes-options
- https://electronjs.org/docs/all#protocolregisterserviceworkerschemesschemes
- https://electronjs.org/docs/all#protocolregisterfileprotocolscheme-handler-completion
- https://electronjs.org/docs/all#protocolregisterstringprotocolscheme-handler-completion
- https://electronjs.org/docs/all#protocolregisterhttpprotocolscheme-handler-completion
- https://electronjs.org/docs/all#protocolregisterstreamprotocolscheme-handler-completion
- https://electronjs.org/docs/all#protocolregisterbufferprotocolscheme-handler-completion