Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Arbitrary filesystem manipulation vulnerability introduced by IPC exposure
See original GitHub issueDescribe the Bug Hi,
Great work!
We did a security analysis and found that app/lib/preload.js directly expose risky ipcRenderer instance to unsafe renderer process, which enables a remote attacker to abuse sensitive methods in the main process by crafting malicious ipc message.
I notice that the app has already disabled node integration in unsafe renderers(https://github.com/camunda/camunda-modeler/commit/92ba66d3e7ae85130b71cf7fc869b2066aadf67f), which is good. However, such direct IPC export may re-expose many sensitive primitives to the attacker.
Here is the exposure site. https://github.com/camunda/camunda-modeler/blob/a5874345f259188b39bd6b2448a64e238fa700bb/app/lib/preload.js#L27-L37
By sending a message to file:write channel. The attacker may read and write malicious content to the user filesystem.
https://github.com/camunda/camunda-modeler/blob/6f1497c41917bc12bb2e44b3fa3c49b36f32ee72/app/lib/index.js#L186-L194
Expected Behavior I could think of two possible solutions:
- enforce security checks when receiving events on sensitive channels (e.g., file read/write).
- avoid directly exposing
ipcRendererto untrusted domains.
Ref. CVE-2021-28154
Issue Analytics
- State:
- Created 3 years ago
- Comments:5 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
We take our applications security seriously, follow Electron security best practices and carefully examine the impact of reported vulnerabilities. So thanks again for approaching us and getting back in a timely manner.
Your bug report explicitly states that arbitrary file system manipulation is possible by remote attackers / when rendering untrusted pages in the render process.
We validated our initial assessment and can confirm that this is not the case. As mentioned only trusted content is being loaded into the render process. Measures outlined by the Electron security best practices prevent any untrusted websites or scripts from being opened, included or accessed. Any break in that trust model (XSS, include of a remote resource) is a serious security thread that we will handle with care.
We will consider actions to further harden the security as you suggested. Our app is an editor for local files and accessing arbitrary files is a feature. We cannot get rid of file system access easily, unfortunately.
With https://github.com/camunda/camunda-modeler/pull/2155, we remove the access to
window.getAppPreloadas soon as the client part of the app is loaded. Still, we cannot remove access to the file system viaipcRendereras it’s in the essence of the local files editor.