White list IPC calls in preload.js instead of directly exposing window.ipcRenderer

[kewde]

Description

https://github.com/lightninglabs/lightning-app/blob/master/apps/desktop/main.dev.js#L128
NodeJS (nodeIntegration) is not disabled, this gives the JavaScript (loaded by the HTML files) in the renderer process full control over the system.

The Chromium sandbox is also disabled by default, I suggest enabling it but this may require architectural changes. I've created a comprehensive tutorial and boilerplate example on how to create a secure electron application.

[bryanvu]

Thanks @kewde. I've disabled nodeIntegration. I read through your tutorial, and it seems to me that implementing proper sandboxing will require a pretty major rewrite, as we currently make extensive use of gRPC calls to lnd. My limited understanding is that to do proper sandboxing, we'd have to route those through the main process, correct? If so, it's definitely something we'll keep in mind for future versions.

[kewde]

@tanx

You'll want to add a filter to the preload script to prevent the renderer process from communicating over non-whitelisted channels. Electron features internal channels that are quite powerful and would still allow remote code execution.
https://github.com/kewde/electron-sandbox-boilerplate/blob/master/sandbox-preload-simple/preload-simple.js#L28-L43

Here's an example of a filtered ipcRenderer.
https://github.com/kewde/electron-sandbox-boilerplate/blob/master/sandbox-preload-extended/electron/renderer/preload-extended.js