
feat(App): Add security checks for external URLs

adlk committed Mar 5, 2019
1 parent 38dde19 commit 6e5531ae16d69087856ce7f174ba465bc759394c
Showing with 36 additions and 2 deletions.
  1. +6 −0 src/config.js
  2. +15 −0 src/helpers/url-helpers.js
  3. +5 −1 src/index.js
  4. +10 −1 src/stores/AppStore.js
@@ -62,3 +62,9 @@ export const SETTINGS_PATH = path.join(app.getPath('userData'), 'config');

// Replacing app.asar is not beautiful but unforunately necessary
export const DICTIONARY_PATH = asarPath(path.join(__dirname, 'dictionaries'));

export const ALLOWED_PROTOCOLS = [
'https:',
'http:',
'ftp:',
];
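Review bot: ALLOWED_PROTOCOLS is the single allow-list that decides what `isValidExternalURL` will hand to `shell.openExternal`, but nothing at the definition says so, and a reader of config.js has no way to know that adding a scheme here widens what the app will launch. I would document the intent and make the list read-only: `// Schemes isValidExternalURL() accepts for shell.openExternal(); anything else (file:, javascript:, custom schemes) is refused.` above it, and `export const ALLOWED_PROTOCOLS = Object.freeze([` so the list cannot be extended at runtime. Whether `ftp:` is actually needed by a caller is not visible from this commit; if not, the list is safer without it.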
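--- /dev/null
+++ b/src/helpers/url-helpers.js
@@ -0,0 +1,15 @@
+import { URL } from 'url';
+
+import { ALLOWED_PROTOCOLS } from '../config';
+
+const debug = require('debug')('Franz:Helpers:url');
+
+export function isValidExternalURL(url) {
+const parsedUrl = new URL(url);
+
+const isAllowed = ALLOWED_PROTOCOLS.includes(parsedUrl.protocol);
+
+debug('protocol check is', isAllowed, 'for:', url);
+
+return isAllowed;
+}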
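Review bot: `new URL(url)` on the first line of isValidExternalURL throws a TypeError for input that does not parse (empty string, a bare word with no scheme), so the guard itself can raise inside the `new-window` handler in src/index.js and inside `_openExternalUrl` in src/stores/AppStore.js, where neither caller catches it. A validator that sits directly in front of `shell.openExternal` should fail closed: catch the parse error, log it, and return false. The protocol comparison is otherwise sound, since the WHATWG parser lower-cases `protocol`, so an upper-case scheme still matches the entries in ALLOWED_PROTOCOLS. A short JSDoc stating that the function returns false for anything that is not a parseable URL with an allow-listed scheme would also help callers.
```javascript
export function isValidExternalURL(url) {
  let parsedUrl;
  try {
    parsedUrl = new URL(url);
  } catch (err) {
    // unparsable input is never a valid external target: fail closed
    debug('could not parse url', url, err.message);
    return false;
  }
  // … unchanged: protocol check, debug log and return …
}
```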
@@ -34,6 +34,7 @@ import {
DEFAULT_WINDOW_OPTIONS,
} from './config';
import { asarPath } from './helpers/asar-helpers';
import { isValidExternalURL } from './helpers/url-helpers';
/* eslint-enable import/first */

const debug = require('debug')('Franz:App');
@@ -294,7 +295,10 @@ const createWindow = () => {
mainWindow.webContents.on('new-window', (e, url) => {
debug('Open url', url);
e.preventDefault();
shell.openExternal(url);

if (isValidExternalURL(url)) {
shell.openExternal(url);
}
});
};

@@ -8,6 +8,7 @@ import { getDoNotDisturb } from '@meetfranz/electron-notification-state';
import AutoLaunch from 'auto-launch';
import prettyBytes from 'pretty-bytes';
import ms from 'ms';
import { URL } from 'url';

import Store from './lib/Store';
import Request from './lib/Request';
@@ -19,6 +20,7 @@ import { onVisibilityChange } from '../helpers/visibility-helper';
import { getLocale } from '../helpers/i18n-helpers';

import { getServiceIdsFromPartitions, removeServicePartitionDirectory } from '../helpers/service-helpers.js';
import { isValidExternalURL } from '../helpers/url-helpers';

const debug = require('debug')('Franz:AppStore');

@@ -256,7 +258,14 @@ export default class AppStore extends Store {
}

@action _openExternalUrl({ url }) {
shell.openExternal(url);
const parsedUrl = new URL(url);
debug('open external url', parsedUrl);

if (isValidExternalURL(url)) {
shell.openExternal(url);
}

gaEvent('External URL', 'open', parsedUrl.host);
}

@action _checkForUpdates() {
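Review bot: `gaEvent('External URL', 'open', parsedUrl.host)` now runs even when `isValidExternalURL(url)` returned false, so a URL the check refused is still reported to analytics as opened and the refusal leaves no trace in the store. Move the call inside the `if` block, and log the other branch so blocked attempts stay visible: `} else { debug('blocked external url', parsedUrl.href); }`. `_openExternalUrl` is complete in the hunk; the enclosing AppStore class continues outside it.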
