author | Vendicated <vendicated@riseup.net> | 2022-10-03 19:17:54 +0200 |
---|---|---|
committer | Vendicated <vendicated@riseup.net> | 2022-10-03 19:17:54 +0200 |
commit | 8fe60971f5939876da1cf228a3bb27c0e627c5ac (patch) | |
tree | 01f0116c3f661a38ac376fce726cc44bfe7465e4 | |
parent | 71a59f4020c089fcff1d20fb0bff00f765c83500 (diff) | |
security: remove openPath, restrict openExternal
Now only allows opening http urls.
-rw-r--r-- | src/components/Settings.tsx | 2 | ||||
-rw-r--r-- | src/ipcMain/index.ts | 15 | ||||
-rw-r--r-- | src/utils/IpcEvents.ts | 2 |
3 files changed, 15 insertions, 4 deletions
diff --git a/src/components/Settings.tsx b/src/components/Settings.tsx
index bc44e26..d4a3dca 100644
--- a/src/components/Settings.tsx
+++ b/src/components/Settings.tsx
@@ -88,7 +88,7 @@ export default ErrorBoundary.wrap(function Settings() {
 Launch Directory
 </Button>
 <Button
- onClick={() => VencordNative.ipc.invoke(IpcEvents.OPEN_PATH, settingsDir, "quickCss.css")}
+ onClick={() => VencordNative.ipc.invoke(IpcEvents.OPEN_QUICKCSS)}
 size={Button.Sizes.SMALL}
 disabled={settingsDir === "Loading..."}
 >
diff --git a/src/ipcMain/index.ts b/src/ipcMain/index.ts
index 92d25fe..22f05fd 100644
--- a/src/ipcMain/index.ts
+++ b/src/ipcMain/index.ts
@@ -29,8 +29,19 @@ function readSettings() {
 // Fix for screensharing in Electron >= 17
 ipcMain.handle(IpcEvents.GET_DESKTOP_CAPTURE_SOURCES, (_, opts) => desktopCapturer.getSources(opts));
-ipcMain.handle(IpcEvents.OPEN_PATH, (_, ...pathElements) => shell.openPath(join(...pathElements)));
-ipcMain.handle(IpcEvents.OPEN_EXTERNAL, (_, url) => shell.openExternal(url));
+ipcMain.handle(IpcEvents.OPEN_QUICKCSS, () => shell.openPath(QUICKCSS_PATH));
+
+ipcMain.handle(IpcEvents.OPEN_EXTERNAL, (_, url) => {
+ try {
+ var { protocol } = new URL(url);
+ } catch {
+ throw "Malformed URL";
+ }
+ if (protocol !== "https:" && protocol !== "http:")
+ throw "Disallowed protocol.";
+
+ shell.openExternal(url);
+});
 ipcMain.handle(IpcEvents.GET_QUICK_CSS, () => readCss());
diff --git a/src/utils/IpcEvents.ts b/src/utils/IpcEvents.ts
index 3ceaa9f..b96abdc 100644
--- a/src/utils/IpcEvents.ts
+++ b/src/utils/IpcEvents.ts
@@ -18,7 +18,7 @@ export default strEnum({
 GET_SETTINGS: "VencordGetSettings",
 SET_SETTINGS: "VencordSetSettings",
 OPEN_EXTERNAL: "VencordOpenExternal",
- OPEN_PATH: "VencordOpenPath",
+ OPEN_QUICKCSS: "VencordOpenQuickCss",
 GET_UPDATES: "VencordGetUpdates",
 GET_REPO: "VencordGetRepo",
 GET_HASHES: "VencordGetHashes", |
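Review bot: The new OPEN_EXTERNAL handler in src/ipcMain/index.ts validates one value and opens another: `new URL(url)` is used only to read `protocol`, while the raw renderer-supplied `url` is what reaches `shell.openExternal`. The WHATWG parser trims surrounding whitespace, drops embedded tabs and newlines, and stringifies non-string arguments, so the string that passed the check and the one handed to the OS handler can differ; checking `typeof url` and passing the parsed `href` keeps them identical. The block body also no longer returns the promise that the old one-line arrow returned, so a failed open surfaces as an unhandled rejection in the main process rather than rejecting the renderer's `invoke`. As a smaller style point, `var` inside `try` only works through hoisting, and a `let` declared before the `try` reads more plainly.

```typescript
ipcMain.handle(IpcEvents.OPEN_EXTERNAL, (_, url) => {
    if (typeof url !== "string") throw "Malformed URL";

    let parsed: URL;
    try {
        parsed = new URL(url);
    // … unchanged: catch block throwing "Malformed URL" …
    if (parsed.protocol !== "https:" && parsed.protocol !== "http:")
    // … unchanged: throw "Disallowed protocol." …

    // Open the normalised URL that was actually checked; let failures reach the caller.
    return shell.openExternal(parsed.href);
});
```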