Summary:
While the Electron App Store Desktop Application opens links outside of the app by passing them to the system’s default browser, it does not sanitize these URLs, which can result in the execution of sensitive files on the user’s system.
Platform(s) Affected:
MacOS, Linux, Windows
Steps To Reproduce:
Open the Electron App Store Desktop Application from the command-line. Add a command-line switch --remote-debugging-port=8315 while running the application.
Open a web browser on the same device and visit localhost:8315. The application can be interacted with via the DevTools protocol.
[Trigger Open External] Within the console, attempt to open a new window, say window.open("file:///path/to/file"), e.g., window.open("file:///Applications/Emacs.app/Contents/MacOS/Emacs"). The file at the given path is opened. If this file is an executable, it is run by the system.
Additionally, updating the application’s Electron.js version can help get it up to date with security fixes and use secure defaults. [Link]
--
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
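The fix the report asks for is to validate the URL before the app hands it to the operating system. The following is an added example, not the App Store Desktop application's own code: a scheme allowlist that only lets absolute http(s) URLs through, plus the handler an Electron main process would register with webContents.setWindowOpenHandler() so that window.open("file:///...") from the renderer is dropped instead of reaching shell.openExternal(). The Electron wiring is shown in a comment and the opener is injected, so the policy itself runs and can be tested under plain Node; isSafeExternalUrl and makeWindowOpenHandler are names chosen for this example.

```javascript
// Added example (not the app's own code): reject anything that is not an
// absolute http(s) URL before it can be passed to shell.openExternal().
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns true only for absolute http(s) URLs without embedded credentials.
// file:, javascript:, custom schemes, relative strings and unparsable input
// all return false, so a file:///path/to/executable never reaches the OS.
function isSafeExternalUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return false; // not an absolute URL at all
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;
  if (url.username || url.password) return false; // no user:pass@host tricks
  return true;
}

// Builds the callback for webContents.setWindowOpenHandler(); every
// window.open() from renderer JavaScript lands here. `openExternal` is
// injected (in the real app: Electron's shell.openExternal) so the policy can
// be exercised without Electron installed. The renderer is never allowed to
// create its own window: the handler always returns { action: 'deny' }.
function makeWindowOpenHandler(openExternal, log = console.warn) {
  return ({ url }) => {
    if (isSafeExternalUrl(url)) {
      openExternal(url);
    } else {
      log(`blocked window.open to non-http(s) URL: ${url}`);
    }
    return { action: 'deny' };
  };
}

// Hypothetical wiring in the Electron main process (needs electron at runtime):
//   const { app, shell } = require('electron');
//   app.on('web-contents-created', (_event, contents) => {
//     contents.setWindowOpenHandler(makeWindowOpenHandler(shell.openExternal));
//     contents.on('will-navigate', (event, url) => {
//       if (!isSafeExternalUrl(url)) event.preventDefault();
//     });
//   });

module.exports = { isSafeExternalUrl, makeWindowOpenHandler };
```

The same check belongs in front of every other place the app calls shell.openExternal(), for example link clicks handled in the main process, since a renderer reached through the DevTools protocol can call any of them.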