fix(win/mac): Small security fixes for electron-updater (#6589)

* fix: Remove unnecessary escape for backticks for powershell * fix: make proxied file name more secure for MacUpdater
electron-userland · Jan 28, 2022 · 633ee5d · 633ee5d
1 parent c591eb3
commit 633ee5d
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/.changeset/neat-socks-dress.md b/.changeset/neat-socks-dress.md
@@ -0,0 +1,6 @@
+---
+"electron-updater": patch
+---
+
+- Removed backtick escaping for Windows code signing as it is unnecessary for Powershell and can cause the script to attempt to access the wrong file
+- Updated the proxy filename to be more secure (512-bit string)
diff --git a/packages/electron-updater/src/MacUpdater.ts b/packages/electron-updater/src/MacUpdater.ts
@@ -118,7 +118,7 @@ export class MacUpdater extends AppUpdater {
       const authInfo = Buffer.from(`autoupdater:${pass}`, "ascii")
 
       // insecure random is ok
-      const fileUrl = `/${Date.now().toString(16)}-${Math.floor(Math.random() * 9999).toString(16)}.zip`
+      const fileUrl = `/${randomBytes(64).toString("hex")}.zip`
       this.server!.on("request", (request: IncomingMessage, response: ServerResponse) => {
         const requestUrl = request.url!
         log.info(`${requestUrl} requested`)

diff --git a/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts b/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts
@@ -22,12 +22,11 @@ export function verifySignature(publisherNames: Array<string>, unescapedTempUpda
     // https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules?view=powershell-7
     // * Double quotes `"` are treated literally within single-quoted strings;
     // * Single quotes can be escaped by doubling them: 'don''t' -> don't;
-    // * Backticks can be escaped by doubling them: 'A backtick (``) character';
     //
     // Also note that at this point the file has already been written to the disk, thus we are
     // guaranteed that the path will not contain any illegal characters like <>:"/\|?*
     // https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file
-    const tempUpdateFile = unescapedTempUpdateFile.replace(/'/g, "''").replace(/`/g, "``")
+    const tempUpdateFile = unescapedTempUpdateFile.replace(/'/g, "''")
 
     // https://github.com/electron-userland/electron-builder/issues/2421
     // https://github.com/electron-userland/electron-builder/issues/2535