feat(App): Add security checks for external URLs

adlk · adlk · commit 6e5531ae16d6 · 2019-03-05T16:20:40.000+01:00
diff --git a/src/config.js b/src/config.js
@@ -62,3 +62,9 @@ export const SETTINGS_PATH = path.join(app.getPath('userData'), 'config');
 
 // Replacing app.asar is not beautiful but unforunately necessary
 export const DICTIONARY_PATH = asarPath(path.join(__dirname, 'dictionaries'));
+
+export const ALLOWED_PROTOCOLS = [
+  'https:',
+  'http:',
+  'ftp:',
+];
diff --git a/src/helpers/url-helpers.js b/src/helpers/url-helpers.js
@@ -0,0 +1,15 @@
+import { URL } from 'url';
+
+import { ALLOWED_PROTOCOLS } from '../config';
+
+const debug = require('debug')('Franz:Helpers:url');
+
+export function isValidExternalURL(url) {
+  const parsedUrl = new URL(url);
+
+  const isAllowed = ALLOWED_PROTOCOLS.includes(parsedUrl.protocol);
+
+  debug('protocol check is', isAllowed, 'for:', url);
+
+  return isAllowed;
+}
diff --git a/src/index.js b/src/index.js
@@ -34,6 +34,7 @@ import {
   DEFAULT_WINDOW_OPTIONS,
 } from './config';
 import { asarPath } from './helpers/asar-helpers';
+import { isValidExternalURL } from './helpers/url-helpers';
 /* eslint-enable import/first */
 
 const debug = require('debug')('Franz:App');
@@ -294,7 +295,10 @@ const createWindow = () => {
   mainWindow.webContents.on('new-window', (e, url) => {
     debug('Open url', url);
     e.preventDefault();
-    shell.openExternal(url);
+
+    if (isValidExternalURL(url)) {
+      shell.openExternal(url);
+    }
   });
 };
 
diff --git a/src/stores/AppStore.js b/src/stores/AppStore.js
@@ -8,6 +8,7 @@ import { getDoNotDisturb } from '@meetfranz/electron-notification-state';
 import AutoLaunch from 'auto-launch';
 import prettyBytes from 'pretty-bytes';
 import ms from 'ms';
+import { URL } from 'url';
 
 import Store from './lib/Store';
 import Request from './lib/Request';
@@ -19,6 +20,7 @@ import { onVisibilityChange } from '../helpers/visibility-helper';
 import { getLocale } from '../helpers/i18n-helpers';
 
 import { getServiceIdsFromPartitions, removeServicePartitionDirectory } from '../helpers/service-helpers.js';
+import { isValidExternalURL } from '../helpers/url-helpers';
 
 const debug = require('debug')('Franz:AppStore');
 
@@ -256,7 +258,14 @@ export default class AppStore extends Store {
   }
 
   @action _openExternalUrl({ url }) {
-    shell.openExternal(url);
+    const parsedUrl = new URL(url);
+    debug('open external url', parsedUrl);
+
+    if (isValidExternalURL(url)) {
+      shell.openExternal(url);
+    }
+
+    gaEvent('External URL', 'open', parsedUrl.host);
   }
 
   @action _checkForUpdates() {
