This repository has been archived by the owner on Jun 13, 2024. It is now read-only.

re-added src/ based on angular-electron
moloch-- committed Oct 3, 2019
1 parent 9dff9c3 commit 9af4fb2
Showing 48 changed files with 606 additions and 59 deletions.
2 changes: 1 addition & 1 deletion LICENSE
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI


=====================================================================================
Reasonably Secure Electron - Copyright Bishop Fox - https://github.com/bishopfox/sliver
Reasonably Secure Electron - Copyright Bishop Fox - https://github.com/bishopfox/


GNU GENERAL PUBLIC LICENSE
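Review bot: the copyright line now ends at https://github.com/bishopfox/ (the organization root) rather than a repository; if the goal is to drop the sliver reference, point it at this repository's own URL so the LICENSE still identifies the project it covers.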
Expand Down
17 changes: 11 additions & 6 deletions README.md
Expand Up @@ -260,7 +260,7 @@ This exploit is an excellent example of the limitations of CSPs, a CSP _cannot_

### What's in a Name?
A function by any other name could be so vulnerable. The flaws in both Signal and Bloodhound AD stemmed from the use of [React](https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml)'s `dangerouslySetInnerHTML` function, which despite its name is seemingly used with reckless abandon.
A function by any other name could be so vulnerable. The flaws in both Signal and Bloodhound AD stemmed from the use of [React](https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml)'s `dangerouslySetInnerHTML` function, which despite its name is seemingly used with reckless abandon. Clearly the React developers didn't go far enough calling the function "dangerous" and should have chosen the equally appropriate name `iDoNotCareAboutSecurityPlzHackMe()`.

All of the aforementioned bugs are at their core cross-site scripting vulnerabilities (XSS), which is a terrible name. Cross-site scripting is a actually a JavaScript _injection vulnerability_. All injection vulnerabilities occur when the "computer" cannot properly differentiate between what is data and what is an instruction, and subsequently allows an attacker to trick the "computer" into misinterpreting attacker-controlled data as instructions. This can be said about XSS, as well as SQL injection, command injection, etc. The core mechanics of all these vulnerabilities are actually the same, save for what the "computer" is.

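Review bot: the unchanged line "Cross-site scripting is a actually a JavaScript _injection vulnerability_" in this hunk carries a doubled article; since the paragraph directly above it is being edited, fix it to "is actually a JavaScript _injection vulnerability_" in the same commit.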
Expand Down Expand Up @@ -342,15 +342,15 @@ But this has yet to be standardized, so it's more of a footnote on what's to com

![Angular Compiler](blog/images/angular-connect-0.png)

This leaves no ambiguity for an attacker to construct an injection vulnerability, and is one of the main reasons it's so hard to find XSS vulnerabilities in Angular (2+) and React based applications. Since the templates are lexically parsed, the framework knows the exact context in which a given value will be used, and can implement the correct encoding and/or sanitization routines (`property('name', ctx.name)` in the example above). Well, at least the ones that don't use React's `dangerouslySetInnerHTML()` and Angular's counterpart [`bypassSecurityTrustHtml()`](https://angular.io/api/platform-browser/DomSanitizer#bypassSecurityTrustHtml).
This leaves no ambiguity for an attacker to construct an injection vulnerability, and is one of the main reasons it's so hard to find XSS vulnerabilities in Angular (2+) and React based applications. Since the templates are lexically parsed, the framework knows the exact context in which a given value will be used, and can implement the correct encoding and/or sanitization routines: `property('name', ctx.name)` in the example above. Well, at least the applications that don't use React's `dangerouslySetInnerHTML()` and Angular's counterpart [`bypassSecurityTrustHtml()`](https://angular.io/api/platform-browser/DomSanitizer#bypassSecurityTrustHtml).

This is our first an most important design choice when it comes to building our reasonably secure Electron application. We will __never__ directly interact with the DOM, and instead defer to Angular to handle that interaction for us. Additionally, we will __never__ call `bypassSecurityTrustHtml()` or any related function. By avoiding any direct interaction with the DOM, we make an attacker's job incredibly hard.

### Sandcastles in the Sky

Next we must assume relying upon Angular/React will eventually fail, which is a pretty good bet. While our own code may adhere to the strict guidelines set forth, we have no assurance that the infinite depths of our `node_modules/` directory contains only safe code.

Since a cross-site scripting vulnerability will result in the attacker's code executing in the same context as our own code, i.e. in the context of the DOM, we must impose limitations our own code. Electron can actually facilitate this, by default Electron applications have two or more processes: the 'main process' and one or more 'renderer' processes. The main process is a simple Node process like any other, using the Electron APIs this process creates the `BrowserWindow`s (the renderer processes), these processes communicate using inter-process communication (IPC):
Since a cross-site scripting vulnerability will result in the attacker's code executing in the same context as our own code, i.e. in the context of the DOM, we must impose limitations our own code. Electron can actually facilitate this, by default Electron applications have two or more processes: the 'main process' and one or more 'renderer' processes. The main process is a simple Node process like any other, using the Electron APIs this process creates the `BrowserWindow`s (the renderer processes). The renderer processes communicate with the main process using [inter-process communication](https://electronjs.org/docs/api/ipc-main) (IPC) also provided by Electron:

```
[ Main Process (Node) ] <--IPC--> [ Renderer Process (DOM) ]
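Review bot: the rewritten IPC sentence still reads "we must impose limitations our own code" and is missing "on" ("impose limitations on our own code"); the context line above it, "This is our first an most important design choice", should read "first and most important". Since this paragraph is where IPC is introduced, it is also the natural place to say that a renderer compromised via XSS can send arbitrary messages on any channel the preload exposes, so every `ipcMain` handler has to validate its arguments; the text currently sets that up only implicitly.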
Expand All @@ -375,7 +375,7 @@ const mainWindow = new BrowserWindow({
nodeIntegrationInSubFrames: false,
nativeWindowOpen: false,
safeDialogs: true,
preload: path.join(__dirname, 'preload.js'), // We'll talk about this next
preload: path.join(__dirname, 'preload.js'),
},
});
```
Expand All @@ -386,16 +386,21 @@ These are largely taken directly from the Electron documentation, but I've edito
* `webSecurity` - This flag disables the same origin policy (SOP), setting this to `false` will kill the kitten nearest to you.
* `contextIsolation` - Whether to run Electron APIs and the specified preload script in a separate JavaScript context. This is disabled by default, but you should always set this to `true` to protect against prototype tampering.
* `webviewTag` - Whether to enable the `<webview>` tag. These tags are exceedingly dangerous, you should always disable this feature.
* `enableRemoteModule` - Whether to enable the [remote module](https://electronjs.org/docs/api/remote). This module is dangerous, and should be disabled whenever possible. A far safer approach to IPC is layed out herein.
* `enableRemoteModule` - Whether to enable the [remote module](https://electronjs.org/docs/api/remote). This module is dangerous, and should be disabled whenever possible, we'll talk about a far safer approach to IPC in a bit.
* `allowRunningInsecureContent` - Allow an https page to run JavaScript, CSS or plugins from http URLs. Default is `false`, but y'all go ahead and double tap this one.
* `nodeIntegration` - Whether handing a loaded gun the DOM. Always this to `false`.
* `nodeIntegrationInWorker` - Whether node integration is enabled in web workers. Default is `false`.
* `nodeIntegrationInSubFrames` - Option for enabling Node support in sub-frames such as iframes and child windows, always set this to `false`.
* `nativeWindowOpen` - Whether to use native `window.open()`, because what could go wrong? Defaults to `false`.
* `safeDialogs` - Whether to enable browser style consecutive dialog protection.
There is no one flag to disable all of the Node integrations in the renderer process, so instead we must disable `nodeIntegration`, `nodeIntegrationInWorker`, `nodeIntegrationInSubFrames`, `webviewTag`, `enableRemoteModule`, and `nativeWindowOpen`. Then we enable `sandbox`,`contextIsolation`, and `webSecurity` to ensure any malicious code injected via XSS cannot easily escape the renderer process.
There is no one flag to disable all of the Node integrations in the renderer process, so instead we must disable `nodeIntegration`, `nodeIntegrationInWorker`, `nodeIntegrationInSubFrames`, `webviewTag`, `enableRemoteModule`, and `nativeWindowOpen`. Then we enable `sandbox`,`contextIsolation`, and `webSecurity` to ensure any malicious code injected via XSS cannot easily escape the renderer process. As the [Electron Security documentation](https://electronjs.org/docs/tutorial/security) points out it's imperative to disable both `nodeIntegration` as well as enable `contextIsolation` to ensure we properly contain the renderer process.
Next we'll need to selectively re-enable some native functionality and expose it to the renderer process, otherwise we may as well just load the application in the browser. There are a few different ways we can selectively expose functionality to the DOM. The first way is using the `remote` module, but as the Electron documentation even points out this module is dangerous, and we've already disabled it so that's not an option. Electron provides another mechanism called the "preload script" that executes before the DOM is loaded and allows us to expose arbitrary JavaScript symbols to the DOM runtime, and with `contextIsolation` enable the preload script is somewhat safeguarded from tampering by the DOM code. T
The preload script always has access to the NodeJS APIs and has access to the same `window` object as the DOM. The intention of this functionality is so that we can re-introduce Node symbols. However, giving the DOM code direct access to Node symbols is dangerous, and will likely lead to escape vectors. We could also expose custom symbols that perform validation of arguments and this is slightly more safe, but not ideal.
Instead we can leverage the browser's `postMessage` API to allow the preload script and the DOM to communicate over an existing mechanism without exposing any of the privileged preload symbols or code directly to the DOM code. [Doyensec](https://blog.doyensec.com/2019/04/03/subverting-electron-apps-via-insecure-preload.html)
```
|------------- Renderer --------------|
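Review bot: the added preload paragraph is truncated, ending in a stray "T" after "tampering by the DOM code.", and the Doyensec citation on the next paragraph is a bare link with no sentence around it; finish both before merging. Two wording fixes in the same region: "with `contextIsolation` enable the preload script" should be "enabled", and the context line "Whether handing a loaded gun the DOM. Always this to `false`." should be "Whether to hand the DOM a loaded gun. Always set this to `false`." On substance, "The preload script always has access to the NodeJS APIs and has access to the same `window` object as the DOM" overstates things once the flags this section recommends are set: with `sandbox: true` the preload only gets Electron's restricted `require` polyfill (a handful of modules such as `electron`, `events`, `timers` and `url`), not full Node, and with `contextIsolation: true` the preload runs in an isolated world with its own `window` global that shares the DOM but not JavaScript objects with the page. That second point is exactly why the `postMessage` approach described next is needed, so it is worth stating precisely.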
Expand Down
48 changes: 2 additions & 46 deletions angular.json
Expand Up @@ -22,56 +22,12 @@
"src/favicon.png",
"src/favicon.icns",
"src/favicon.256x256.png",
"src/favicon.512x512.png",
{
"glob": "require.js",
"input": "node_modules/requirejs/",
"output": "sliver-script/"
},
{
"glob": "protobuf.min.*",
"input": "node_modules/protobufjs/dist/",
"output": "sliver-script/"
},
{
"glob": "rxjs.umd.min.*",
"input": "node_modules/rxjs/bundles/",
"output": "sliver-script/"
},
{
"glob": "google-protobuf.js",
"input": "node_modules/google-protobuf/",
"output": "sliver-script/"
},
{
"glob": "**/*",
"input": "rpc/pb",
"output": "sliver-script/pb",
"ignore": ["*.ts", ".gitkeep"]
},
{
"glob": "api.js",
"input": "sliver-script/",
"output": "sliver-script/"
},
{
"glob": "**/*",
"input": "node_modules/monaco-editor",
"output": "assets/monaco-editor/"
}
"src/favicon.512x512.png"
],
"styles": [
"./node_modules/xterm/dist/xterm.css",
"./node_modules/@angular/material/prebuilt-themes/indigo-pink.css",
"./node_modules/@fortawesome/fontawesome-free/css/all.min.css",
"src/styles.scss"
],
"scripts": [
"./node_modules/xterm/dist/xterm.js",
"./node_modules/xterm/dist/addons/fit/fit.js",
"./node_modules/xterm/dist/addons/attach/attach.js",
"./node_modules/moment/min/moment-with-locales.min.js"
]
"scripts": []
},
"configurations": {
"dev": {
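Review bot: removing the `sliver-script/` and `assets/monaco-editor/` asset copies and emptying `scripts` changes what exists in the build output, so confirm nothing left in `src/` still loads `sliver-script/require.js`, `sliver-script/api.js`, `sliver-script/pb/` or `assets/monaco-editor/` at runtime, and that no component still depends on the removed global `xterm` / `moment` scripts or the removed Material theme and Font Awesome stylesheets. Dropping the runtime-loaded requirejs / protobuf / rxjs UMD bundles is consistent with the README's goal of keeping third-party script loading out of the renderer. The trailing-comma fix on `"src/favicon.512x512.png"` is correct JSON now that it is the last array element.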
Expand Down
2 changes: 1 addition & 1 deletion electron-builder.json
@@ -1,5 +1,5 @@
{
"productName": "sliver",
"productName": "rse",

"directories": {
"output": "release/"
Expand Down
3 changes: 1 addition & 2 deletions main.ts
Expand Up @@ -31,7 +31,6 @@ async function createMainWindow() {
// Create the browser window.
const gutterSize = 100;
mainWindow = new BrowserWindow({
titleBarStyle: 'hidden',
x: gutterSize,
y: gutterSize,
width: size.width - (gutterSize * 2),
Expand Down Expand Up @@ -60,7 +59,7 @@ async function createMainWindow() {
mainWindow.show();
});

mainWindow.loadURL(`${AppProtocol.scheme}://sliver/index.html`);
mainWindow.loadURL(`${AppProtocol.scheme}://app/index.html`);
mainWindow.webContents.openDevTools();

// Emitted when the window is closed.
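Review bot: `mainWindow.webContents.openDevTools()` is still called unconditionally right after the changed `loadURL` line; a build that bills itself as reasonably secure should open devtools only in a development configuration (gate it on a dev flag, and set `webPreferences.devTools: false` for production builds), rather than shipping with a debugging console open in the renderer. The src/README.md added in this same commit even tells the reader to comment this line out. The host rename in the custom-scheme URL from `sliver` to `app` is fine provided the `AppProtocol` handler serves the same root for the new host name.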
Expand Down
6 changes: 3 additions & 3 deletions package.json
@@ -1,14 +1,14 @@
{
"name": "sliver-gui",
"name": "rse-gui",
"version": "0.0.7",
"description": "Cross-platform GUI for the Reasonably Secure Electron",
"license": "GPLv3",
"homepage": "https://sliver.sh",
"homepage": "https://bishopfox.com/",
"author": {
"name": "moloch",
"email": "jdemesy@bishopfox.com"
},
"repository": "https://github.com/BishopFox/sliver",
"repository": "https://github.com/BishopFox/",
"main": "main.js",
"private": true,
"scripts": {
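Review bot: `"repository": "https://github.com/BishopFox/"` points at the organization, not a repository; npm expects a repository URL (or a `user/repo` shorthand), so either set the actual repository URL or drop the field. The unchanged description "Cross-platform GUI for the Reasonably Secure Electron" also reads as a leftover from the sliver-gui wording; something like "Reasonably Secure Electron example application" would describe what the package now contains.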
Expand Down
2 changes: 2 additions & 0 deletions preload.js
Expand Up @@ -43,3 +43,5 @@ ipcRenderer.on('ipc', (_, msg) => {
console.error(err);
}
});

window.open = function(..._) {}
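Review bot: assigning `window.open = function(..._) {}` from the preload script does not neutralize `window.open` for the page's own code once `contextIsolation: true` is set, which the README in this commit requires: the preload runs in an isolated world with its own `window` global, so the override is visible only to the preload, and page JavaScript (including an XSS payload) still gets the real `window.open`. To actually block new windows, handle it in the main process, for example `mainWindow.webContents.on('new-window', (event) => event.preventDefault())` (the Electron 6 API), and keep this line at most as belt-and-braces. If the intent was to override it in the page's own world, that only works with context isolation off, which defeats the purpose of the hardening flags.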
7 changes: 7 additions & 0 deletions src/LICENSE.md
@@ -0,0 +1,7 @@
Copyright 2018 - Maxime GRIS

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
108 changes: 108 additions & 0 deletions src/README.md
@@ -0,0 +1,108 @@
[![Angular Logo](https://www.vectorlogo.zone/logos/angular/angular-icon.svg)](https://angular.io/) [![Electron Logo](https://www.vectorlogo.zone/logos/electronjs/electronjs-icon.svg)](https://electronjs.org/)

[![Travis Build Status][build-badge]][build]
[![Dependencies Status][dependencyci-badge]][dependencyci]
[![Make a pull request][prs-badge]][prs]
[![License](http://img.shields.io/badge/Licence-MIT-brightgreen.svg)](LICENSE.md)

[![Watch on GitHub][github-watch-badge]][github-watch]
[![Star on GitHub][github-star-badge]][github-star]
[![Tweet][twitter-badge]][twitter]

# Introduction

Bootstrap and package your project with Angular 8 and Electron (Typescript + SASS + Hot Reload) for creating Desktop applications.

Currently runs with:

- Angular v8.2.8
- Electron v6.0.10
- Electron Builder v21.2.0

With this sample, you can :

- Run your app in a local development environment with Electron & Hot reload
- Run your app in a production environment
- Package your app into an executable file for Linux, Windows & Mac

/!\ Angular 8.x CLI needs Node 10.9 or later to work.

## Getting Started

Clone this repository locally :

``` bash
git clone https://github.com/maximegris/angular-electron.git
```

Install dependencies with npm :

``` bash
npm install
```

There is an issue with `yarn` and `node_modules` that are only used in electron on the backend when the application is built by the packager. Please use `npm` as dependencies manager.


If you want to generate Angular components with Angular-cli , you **MUST** install `@angular/cli` in npm global context.
Please follow [Angular-cli documentation](https://github.com/angular/angular-cli) if you had installed a previous version of `angular-cli`.

``` bash
npm install -g @angular/cli
```

## To build for development

- **in a terminal window** -> npm start

Voila! You can use your Angular + Electron app in a local development environment with hot reload !

The application code is managed by `main.ts`. In this sample, the app runs with a simple Angular App (http://localhost:4200) and an Electron window.
The Angular component contains an example of Electron and NodeJS native lib import.
You can disable "Developer Tools" by commenting `win.webContents.openDevTools();` in `main.ts`.

## Included Commands

|Command|Description|
|--|--|
|`npm run ng:serve:web`| Execute the app in the browser |
|`npm run build`| Build the app. Your built files are in the /dist folder. |
|`npm run build:prod`| Build the app with Angular aot. Your built files are in the /dist folder. |
|`npm run electron:local`| Builds your application and start electron
|`npm run electron:linux`| Builds your application and creates an app consumable on linux system |
|`npm run electron:windows`| On a Windows OS, builds your application and creates an app consumable in windows 32/64 bit systems |
|`npm run electron:mac`| On a MAC OS, builds your application and generates a `.app` file of your application that can be run on Mac |

**Your application is optimised. Only /dist folder and node dependencies are included in the executable.**

## You want to use a specific lib (like rxjs) in electron main thread ?

You can do this! Just by importing your library in npm dependencies (not devDependencies) with `npm install --save`. It will be loaded by electron during build phase and added to the final package. Then use your library by importing it in `main.ts` file. Easy no ?

## Browser mode

Maybe you want to execute the application in the browser with hot reload ? You can do it with `npm run ng:serve:web`.
**Note that you can't use Electron or NodeJS native libraries in this case.** Please check `providers/electron.service.ts` to watch how conditional import of electron/Native libraries is done.

## Branch & Packages version

- Angular 4 & Electron 1 : Branch [angular4](https://github.com/maximegris/angular-electron/tree/angular4)
- Angular 5 & Electron 1 : Branch [angular5](https://github.com/maximegris/angular-electron/tree/angular5)
- Angular 6 & Electron 3 : Branch [angular6](https://github.com/maximegris/angular-electron/tree/angular6)
- Angular 7 & Electron 3 : Branch [angular7](https://github.com/maximegris/angular-electron/tree/angular7)
- Angular 8 & Electron 6 : (master)

[build-badge]: https://travis-ci.org/maximegris/angular-electron.svg?branch=master
[build]: https://travis-ci.org/maximegris/angular-electron
[dependencyci-badge]: https://dependencyci.com/github/maximegris/angular-electron/badge
[dependencyci]: https://dependencyci.com/github/maximegris/angular-electron
[license-badge]: https://img.shields.io/badge/license-Apache2-blue.svg?style=flat
[license]: https://github.com/maximegris/angular-electron/blob/master/LICENSE.md
[prs-badge]: https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square
[prs]: http://makeapullrequest.com
[github-watch-badge]: https://img.shields.io/github/watchers/maximegris/angular-electron.svg?style=social
[github-watch]: https://github.com/maximegris/angular-electron/watchers
[github-star-badge]: https://img.shields.io/github/stars/maximegris/angular-electron.svg?style=social
[github-star]: https://github.com/maximegris/angular-electron/stargazers
[twitter]: https://twitter.com/intent/tweet?text=Check%20out%20angular-electron!%20https://github.com/maximegris/angular-electron%20%F0%9F%91%8D
[twitter-badge]: https://img.shields.io/twitter/url/https/github.com/maximegris/angular-electron.svg?style=social
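Review bot: this file is the upstream angular-electron template README copied verbatim, and parts of it contradict this project: the clone command, Travis / DependencyCI badges and branch list all point at maximegris/angular-electron; the license badge says MIT and links to LICENSE.md while package.json declares GPLv3; and the sentence "The Angular component contains an example of Electron and NodeJS native lib import" (with the pointer to `providers/electron.service.ts`) describes the template's `nodeIntegration` pattern that the top-level README in this commit explicitly forbids. Either trim this to the build and run commands that still apply (`npm start`, `npm run build:prod`, `npm run electron:*`) with a one-line attribution to the template, or drop it and keep only src/LICENSE.md for attribution. If it stays, `win.webContents.openDevTools()` should read `mainWindow.webContents.openDevTools()` to match main.ts.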
