You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Summary:
Thank you for designing the Image Optimizer Desktop Application making it open-source and available. The application does a great job of following secure practices. We list pointers of concern below that can help make the application more secure.
[Sanitizing URLs] The app uses shell.openExternal(url) based on an IPC message [Link]. It will be helpful to sanitize URLs and especially prevent file:// links from being passed and executed on the user’s system. [Link]
[Preventing In-app Navigation] Since the app does not need to support navigation, it will be useful to prevent all attempts at in-app navigation by adding a listener on will-navigate and a handler function on setWindowOpenHandler.
[Keeping up-to-date w/ Electron.js]: The application uses an old version of Electron.js (v16.0.5) and Chromium which is vulnerable to numerous known V8 and Blink attacks. Upgrading to an even newer version will be a great idea as well [Link]
Thank you!
Platform(s) Affected:
MacOS
–
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
The text was updated successfully, but these errors were encountered:
Summary:
Thank you for designing the Image Optimizer Desktop Application making it open-source and available. The application does a great job of following secure practices. We list pointers of concern below that can help make the application more secure.
[Sanitizing URLs] The app uses
shell.openExternal(url)based on an IPC message [Link]. It will be helpful to sanitize URLs and especially preventfile://links from being passed and executed on the user’s system. [Link][Preventing In-app Navigation] Since the app does not need to support navigation, it will be useful to prevent all attempts at in-app navigation by adding a listener on
will-navigateand a handler function onsetWindowOpenHandler.[Keeping up-to-date w/ Electron.js]: The application uses an old version of Electron.js (v16.0.5) and Chromium which is vulnerable to numerous known V8 and Blink attacks. Upgrading to an even newer version will be a great idea as well [Link]
Thank you!
Platform(s) Affected:
MacOS
–
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
The text was updated successfully, but these errors were encountered: