diff options
author | Kristóf Marussy <kristof@marussy.com> | 2022-01-27 17:43:00 +0100 |
---|---|---|
committer | Kristóf Marussy <kristof@marussy.com> | 2022-02-08 21:43:17 +0100 |
commit | ef297c029946031b063890233b9aa9eb607dbb60 (patch) | |
tree | 7a941613a969cd6597ed236f065eaf4af9b12c93 /packages/main/src | |
parent | refactor: Extract resource path management (diff) | |
download | sophie-ef297c029946031b063890233b9aa9eb607dbb60.tar.gz sophie-ef297c029946031b063890233b9aa9eb607dbb60.tar.zst sophie-ef297c029946031b063890233b9aa9eb607dbb60.zip |
refactor: Extract main window hardening
This code is security critical, so it should be properly extracted to
enable testing.
Signed-off-by: Kristóf Marussy <kristof@marussy.com>
Diffstat (limited to 'packages/main/src')
-rw-r--r-- | packages/main/src/index.ts | 57 | ||||
-rw-r--r-- | packages/main/src/infrastructure/electron/impl/hardenSession.ts | 87 | ||||
-rw-r--r-- | packages/main/src/infrastructure/electron/impl/lockWebContentsToFile.ts | 59 |
3 files changed, 151 insertions, 52 deletions
diff --git a/packages/main/src/index.ts b/packages/main/src/index.ts index 128ae35..2072017 100644 --- a/packages/main/src/index.ts +++ b/packages/main/src/index.ts | |||
@@ -22,7 +22,6 @@ | |||
22 | import { readFileSync } from 'node:fs'; | 22 | import { readFileSync } from 'node:fs'; |
23 | import { readFile } from 'node:fs/promises'; | 23 | import { readFile } from 'node:fs/promises'; |
24 | import { arch } from 'node:os'; | 24 | import { arch } from 'node:os'; |
25 | import { URL } from 'node:url'; | ||
26 | 25 | ||
27 | import { | 26 | import { |
28 | ServiceToMainIpcMessage, | 27 | ServiceToMainIpcMessage, |
@@ -41,11 +40,12 @@ import { getSnapshot, onAction, onPatch } from 'mobx-state-tree'; | |||
41 | import osName from 'os-name'; | 40 | import osName from 'os-name'; |
42 | 41 | ||
43 | import { | 42 | import { |
44 | DEVMODE_ALLOWED_URL_PREFIXES, | ||
45 | enableStacktraceSourceMaps, | 43 | enableStacktraceSourceMaps, |
46 | installDevToolsExtensions, | 44 | installDevToolsExtensions, |
47 | openDevToolsWhenReady, | 45 | openDevToolsWhenReady, |
48 | } from './infrastructure/electron/impl/devTools'; | 46 | } from './infrastructure/electron/impl/devTools'; |
47 | import hardenSession from './infrastructure/electron/impl/hardenSession'; | ||
48 | import lockWebContentsToFile from './infrastructure/electron/impl/lockWebContentsToFile'; | ||
49 | import getDistResources from './infrastructure/resources/impl/getDistResources'; | 49 | import getDistResources from './infrastructure/resources/impl/getDistResources'; |
50 | import initReactions from './initReactions'; | 50 | import initReactions from './initReactions'; |
51 | import { createMainStore } from './stores/MainStore'; | 51 | import { createMainStore } from './stores/MainStore'; |
@@ -128,32 +128,6 @@ initReactions(store) | |||
128 | log.log('Failed to initialize application', error); | 128 | log.log('Failed to initialize application', error); |
129 | }); | 129 | }); |
130 | 130 | ||
131 | const rendererBaseURL = resources.getRendererURL('/'); | ||
132 | function shouldCancelMainWindowRequest(url: string, method: string): boolean { | ||
133 | if (method !== 'GET') { | ||
134 | return true; | ||
135 | } | ||
136 | let normalizedURL: string; | ||
137 | try { | ||
138 | normalizedURL = new URL(url).toString(); | ||
139 | } catch { | ||
140 | return true; | ||
141 | } | ||
142 | if ( | ||
143 | isDevelopment && | ||
144 | DEVMODE_ALLOWED_URL_PREFIXES.some((prefix) => | ||
145 | normalizedURL.startsWith(prefix), | ||
146 | ) | ||
147 | ) { | ||
148 | return false; | ||
149 | } | ||
150 | const isHttp = normalizedURL.startsWith(rendererBaseURL); | ||
151 | const isWs = normalizedURL.startsWith( | ||
152 | rendererBaseURL.replace(/^http:/, 'ws:'), | ||
153 | ); | ||
154 | return !isHttp && !isWs; | ||
155 | } | ||
156 | |||
157 | async function createWindow(): Promise<unknown> { | 131 | async function createWindow(): Promise<unknown> { |
158 | mainWindow = new BrowserWindow({ | 132 | mainWindow = new BrowserWindow({ |
159 | show: false, | 133 | show: false, |
@@ -169,29 +143,7 @@ async function createWindow(): Promise<unknown> { | |||
169 | 143 | ||
170 | webContents.userAgent = originalUserAgent; | 144 | webContents.userAgent = originalUserAgent; |
171 | 145 | ||
172 | webContents.session.setPermissionRequestHandler( | 146 | hardenSession(resources, isDevelopment, webContents.session); |
173 | (_webContents, _permission, callback) => { | ||
174 | callback(false); | ||
175 | }, | ||
176 | ); | ||
177 | |||
178 | webContents.session.webRequest.onBeforeRequest( | ||
179 | ({ url, method }, callback) => { | ||
180 | callback({ | ||
181 | cancel: shouldCancelMainWindowRequest(url, method), | ||
182 | }); | ||
183 | }, | ||
184 | ); | ||
185 | |||
186 | const pageURL = resources.getRendererURL('index.html'); | ||
187 | |||
188 | webContents.on('will-navigate', (event, url) => { | ||
189 | if (url !== pageURL) { | ||
190 | event.preventDefault(); | ||
191 | } | ||
192 | }); | ||
193 | |||
194 | webContents.setWindowOpenHandler(() => ({ action: 'deny' })); | ||
195 | 147 | ||
196 | if (isDevelopment) { | 148 | if (isDevelopment) { |
197 | openDevToolsWhenReady(mainWindow); | 149 | openDevToolsWhenReady(mainWindow); |
@@ -211,6 +163,7 @@ async function createWindow(): Promise<unknown> { | |||
211 | }); | 163 | }); |
212 | 164 | ||
213 | browserView.webContents.userAgent = userAgent; | 165 | browserView.webContents.userAgent = userAgent; |
166 | |||
214 | autorun(() => { | 167 | autorun(() => { |
215 | browserView.setBounds(store.browserViewBounds); | 168 | browserView.setBounds(store.browserViewBounds); |
216 | }); | 169 | }); |
@@ -350,7 +303,7 @@ async function createWindow(): Promise<unknown> { | |||
350 | log.error('Failed to load browser', error); | 303 | log.error('Failed to load browser', error); |
351 | }); | 304 | }); |
352 | 305 | ||
353 | return mainWindow.loadURL(pageURL); | 306 | return lockWebContentsToFile(resources, 'index.html', webContents); |
354 | } | 307 | } |
355 | 308 | ||
356 | app.on('second-instance', () => { | 309 | app.on('second-instance', () => { |
diff --git a/packages/main/src/infrastructure/electron/impl/hardenSession.ts b/packages/main/src/infrastructure/electron/impl/hardenSession.ts new file mode 100644 index 0000000..71d8148 --- /dev/null +++ b/packages/main/src/infrastructure/electron/impl/hardenSession.ts | |||
@@ -0,0 +1,87 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2022 Kristóf Marussy <kristof@marussy.com> | ||
3 | * | ||
4 | * This file is part of Sophie. | ||
5 | * | ||
6 | * Sophie is free software: you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU Affero General Public License as | ||
8 | * published by the Free Software Foundation, version 3. | ||
9 | * | ||
10 | * This program is distributed in the hope that it will be useful, | ||
11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
13 | * GNU Affero General Public License for more details. | ||
14 | * | ||
15 | * You should have received a copy of the GNU Affero General Public License | ||
16 | * along with this program. If not, see <https://www.gnu.org/licenses/>. | ||
17 | * | ||
18 | * SPDX-License-Identifier: AGPL-3.0-only | ||
19 | */ | ||
20 | |||
21 | import { URL } from 'node:url'; | ||
22 | |||
23 | import type { Session } from 'electron'; | ||
24 | |||
25 | import { getLogger } from '../../../utils/log'; | ||
26 | import type Resources from '../../resources/Resources'; | ||
27 | |||
28 | import { DEVMODE_ALLOWED_URL_PREFIXES } from './devTools'; | ||
29 | |||
30 | const log = getLogger('hardenSession'); | ||
31 | |||
32 | /** | ||
33 | * Hardens a session to prevent loading resources outside the renderer resources and | ||
34 | * to reject all permission requests. | ||
35 | * | ||
36 | * In dev mode, installation of extensions and opening the devtools will be allowed. | ||
37 | * | ||
38 | * @param resources The resource handle associated with the paths and URL of the application. | ||
39 | * @param devMode Whether the application is in development mode. | ||
40 | * @param session The session to harden. | ||
41 | */ | ||
42 | export default function hardenSession( | ||
43 | resources: Resources, | ||
44 | devMode: boolean, | ||
45 | session: Session, | ||
46 | ): void { | ||
47 | session.setPermissionRequestHandler((_webContents, _permission, callback) => { | ||
48 | callback(false); | ||
49 | }); | ||
50 | |||
51 | const rendererBaseURL = resources.getRendererURL('/'); | ||
52 | log.debug('Renderer base URL:', rendererBaseURL); | ||
53 | |||
54 | const webSocketBaseURL = rendererBaseURL.replace(/^http(s)?:/, 'ws$1:'); | ||
55 | log.debug('WebSocket base URL:', webSocketBaseURL); | ||
56 | |||
57 | function shouldCancelRequest(url: string, method: string): boolean { | ||
58 | if (method !== 'GET') { | ||
59 | return true; | ||
60 | } | ||
61 | let normalizedURL: string; | ||
62 | try { | ||
63 | normalizedURL = new URL(url).toString(); | ||
64 | } catch { | ||
65 | return true; | ||
66 | } | ||
67 | if ( | ||
68 | devMode && | ||
69 | DEVMODE_ALLOWED_URL_PREFIXES.some((prefix) => | ||
70 | normalizedURL.startsWith(prefix), | ||
71 | ) | ||
72 | ) { | ||
73 | return false; | ||
74 | } | ||
75 | const isHttp = normalizedURL.startsWith(rendererBaseURL); | ||
76 | const isWs = normalizedURL.startsWith(webSocketBaseURL); | ||
77 | return !isHttp && !isWs; | ||
78 | } | ||
79 | |||
80 | session.webRequest.onBeforeRequest(({ url, method }, callback) => { | ||
81 | const cancel = shouldCancelRequest(url, method); | ||
82 | if (cancel) { | ||
83 | log.error('Prevented loading', method, url); | ||
84 | } | ||
85 | callback({ cancel }); | ||
86 | }); | ||
87 | } | ||
diff --git a/packages/main/src/infrastructure/electron/impl/lockWebContentsToFile.ts b/packages/main/src/infrastructure/electron/impl/lockWebContentsToFile.ts new file mode 100644 index 0000000..6b458e0 --- /dev/null +++ b/packages/main/src/infrastructure/electron/impl/lockWebContentsToFile.ts | |||
@@ -0,0 +1,59 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2022 Kristóf Marussy <kristof@marussy.com> | ||
3 | * | ||
4 | * This file is part of Sophie. | ||
5 | * | ||
6 | * Sophie is free software: you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU Affero General Public License as | ||
8 | * published by the Free Software Foundation, version 3. | ||
9 | * | ||
10 | * This program is distributed in the hope that it will be useful, | ||
11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
13 | * GNU Affero General Public License for more details. | ||
14 | * | ||
15 | * You should have received a copy of the GNU Affero General Public License | ||
16 | * along with this program. If not, see <https://www.gnu.org/licenses/>. | ||
17 | * | ||
18 | * SPDX-License-Identifier: AGPL-3.0-only | ||
19 | */ | ||
20 | |||
21 | import { WebContents } from 'electron'; | ||
22 | |||
23 | import { getLogger } from '../../../utils/log'; | ||
24 | import type Resources from '../../resources/Resources'; | ||
25 | |||
26 | const log = getLogger('lockWebContentsToFile'); | ||
27 | |||
28 | /** | ||
29 | * Loads the specified file in the webContents and prevent navigating away. | ||
30 | * | ||
31 | * Both navigating away to a different URL and opening a new window will be disallowed. | ||
32 | * | ||
33 | * @param resources The resource handle associated with the paths and URL of the application. | ||
34 | * @param filePath The path to the file in the render package to load. | ||
35 | * @param webContents The webContents to lock. | ||
36 | */ | ||
37 | export default function lockWebContentsToFile( | ||
38 | resources: Resources, | ||
39 | filePath: string, | ||
40 | webContents: WebContents, | ||
41 | ): Promise<void> { | ||
42 | const pageURL = resources.getRendererURL(filePath); | ||
43 | |||
44 | webContents.setWindowOpenHandler(() => ({ action: 'deny' })); | ||
45 | |||
46 | webContents.on('will-navigate', (event, url) => { | ||
47 | if (url !== pageURL) { | ||
48 | log.error( | ||
49 | 'Prevented webContents locked to', | ||
50 | pageURL, | ||
51 | 'from navigating to', | ||
52 | url, | ||
53 | ); | ||
54 | event.preventDefault(); | ||
55 | } | ||
56 | }); | ||
57 | |||
58 | return webContents.loadURL(pageURL); | ||
59 | } | ||