authorVendicated <vendicated@riseup.net>2022-10-03 19:17:54 +0200
committerVendicated <vendicated@riseup.net>2022-10-03 19:17:54 +0200
commit8fe60971f5939876da1cf228a3bb27c0e627c5ac (patch)
tree01f0116c3f661a38ac376fce726cc44bfe7465e4
parent71a59f4020c089fcff1d20fb0bff00f765c83500 (diff)
downloadVencord-8fe60971f5939876da1cf228a3bb27c0e627c5ac.tar.gz
Vencord-8fe60971f5939876da1cf228a3bb27c0e627c5ac.tar.bz2
Vencord-8fe60971f5939876da1cf228a3bb27c0e627c5ac.zip
security: remove openPath, restrict openExternal
Now only allows opening http urls.
-rw-r--r--src/components/Settings.tsx2
-rw-r--r--src/ipcMain/index.ts15
-rw-r--r--src/utils/IpcEvents.ts2
3 files changed, 15 insertions, 4 deletions
diff --git a/src/components/Settings.tsx b/src/components/Settings.tsx
index bc44e26..d4a3dca 100644
--- a/src/components/Settings.tsx
+++ b/src/components/Settings.tsx
@@ -88,7 +88,7 @@ export default ErrorBoundary.wrap(function Settings() {
Launch Directory
</Button>
<Button
- onClick={() => VencordNative.ipc.invoke(IpcEvents.OPEN_PATH, settingsDir, "quickCss.css")}
+ onClick={() => VencordNative.ipc.invoke(IpcEvents.OPEN_QUICKCSS)}
size={Button.Sizes.SMALL}
disabled={settingsDir === "Loading..."}
>
diff --git a/src/ipcMain/index.ts b/src/ipcMain/index.ts
index 92d25fe..22f05fd 100644
--- a/src/ipcMain/index.ts
+++ b/src/ipcMain/index.ts
@@ -29,8 +29,19 @@ function readSettings() {
// Fix for screensharing in Electron >= 17
ipcMain.handle(IpcEvents.GET_DESKTOP_CAPTURE_SOURCES, (_, opts) => desktopCapturer.getSources(opts));
-ipcMain.handle(IpcEvents.OPEN_PATH, (_, ...pathElements) => shell.openPath(join(...pathElements)));
-ipcMain.handle(IpcEvents.OPEN_EXTERNAL, (_, url) => shell.openExternal(url));
+ipcMain.handle(IpcEvents.OPEN_QUICKCSS, () => shell.openPath(QUICKCSS_PATH));
+
+ipcMain.handle(IpcEvents.OPEN_EXTERNAL, (_, url) => {
+ try {
+ var { protocol } = new URL(url);
+ } catch {
+ throw "Malformed URL";
+ }
+ if (protocol !== "https:" && protocol !== "http:")
+ throw "Disallowed protocol.";
+
+ shell.openExternal(url);
+});
ipcMain.handle(IpcEvents.GET_QUICK_CSS, () => readCss());
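Review bot: In the new OPEN_EXTERNAL handler the protocol check runs on the parsed URL, but `shell.openExternal(url)` is then given the original argument, so the value that was validated and the value handed to the OS are not guaranteed to be the same (a non-string argument is also coerced by `new URL`). Keeping the parsed object and opening its normalized form closes that gap: `const parsed = new URL(url);` and `return shell.openExternal(parsed.href);`. The `return` matters as well, because the promise is currently dropped, so the renderer's `invoke` resolves before the open finishes and a rejection goes unhandled, whereas the removed one-liner returned it. As a smaller style point, `throw new Error("Malformed URL")` is preferable to throwing bare strings, and the `var` declared inside `try` is only visible afterwards through hoisting.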
diff --git a/src/utils/IpcEvents.ts b/src/utils/IpcEvents.ts
index 3ceaa9f..b96abdc 100644
--- a/src/utils/IpcEvents.ts
+++ b/src/utils/IpcEvents.ts
@@ -18,7 +18,7 @@ export default strEnum({
GET_SETTINGS: "VencordGetSettings",
SET_SETTINGS: "VencordSetSettings",
OPEN_EXTERNAL: "VencordOpenExternal",
- OPEN_PATH: "VencordOpenPath",
+ OPEN_QUICKCSS: "VencordOpenQuickCss",
GET_UPDATES: "VencordGetUpdates",
GET_REPO: "VencordGetRepo",
GET_HASHES: "VencordGetHashes",