Skip to content

Commit

Permalink
feat(App): Add security checks for external URLs
Browse files Browse the repository at this point in the history
  • Loading branch information
adlk committed Mar 5, 2019
1 parent 38dde19 commit 6e5531a
Show file tree
Hide file tree
Showing 4 changed files with 36 additions and 2 deletions.
6 changes: 6 additions & 0 deletions src/config.js
Expand Up @@ -62,3 +62,9 @@ export const SETTINGS_PATH = path.join(app.getPath('userData'), 'config');

// Replacing app.asar is not beautiful but unforunately necessary
export const DICTIONARY_PATH = asarPath(path.join(__dirname, 'dictionaries'));

export const ALLOWED_PROTOCOLS = [
'https:',
'http:',
'ftp:',
];
15 changes: 15 additions & 0 deletions src/helpers/url-helpers.js
@@ -0,0 +1,15 @@
import { URL } from 'url';

import { ALLOWED_PROTOCOLS } from '../config';

const debug = require('debug')('Franz:Helpers:url');

export function isValidExternalURL(url) {
const parsedUrl = new URL(url);

const isAllowed = ALLOWED_PROTOCOLS.includes(parsedUrl.protocol);

debug('protocol check is', isAllowed, 'for:', url);

return isAllowed;
}
6 changes: 5 additions & 1 deletion src/index.js
Expand Up @@ -34,6 +34,7 @@ import {
DEFAULT_WINDOW_OPTIONS,
} from './config';
import { asarPath } from './helpers/asar-helpers';
import { isValidExternalURL } from './helpers/url-helpers';
/* eslint-enable import/first */

const debug = require('debug')('Franz:App');
Expand Down Expand Up @@ -294,7 +295,10 @@ const createWindow = () => {
mainWindow.webContents.on('new-window', (e, url) => {
debug('Open url', url);
e.preventDefault();
shell.openExternal(url);

if (isValidExternalURL(url)) {
shell.openExternal(url);
}
});
};

Expand Down
11 changes: 10 additions & 1 deletion src/stores/AppStore.js
Expand Up @@ -8,6 +8,7 @@ import { getDoNotDisturb } from '@meetfranz/electron-notification-state';
import AutoLaunch from 'auto-launch';
import prettyBytes from 'pretty-bytes';
import ms from 'ms';
import { URL } from 'url';

import Store from './lib/Store';
import Request from './lib/Request';
Expand All @@ -19,6 +20,7 @@ import { onVisibilityChange } from '../helpers/visibility-helper';
import { getLocale } from '../helpers/i18n-helpers';

import { getServiceIdsFromPartitions, removeServicePartitionDirectory } from '../helpers/service-helpers.js';
import { isValidExternalURL } from '../helpers/url-helpers';

const debug = require('debug')('Franz:AppStore');

Expand Down Expand Up @@ -256,7 +258,14 @@ export default class AppStore extends Store {
}
@action _openExternalUrl({ url }) {
shell.openExternal(url);
const parsedUrl = new URL(url);
debug('open external url', parsedUrl);
if (isValidExternalURL(url)) {
shell.openExternal(url);
}
gaEvent('External URL', 'open', parsedUrl.host);
}
@action _checkForUpdates() {
Expand Down

0 comments on commit 6e5531a

Please sign in to comment.