From 8fe60971f5939876da1cf228a3bb27c0e627c5ac Mon Sep 17 00:00:00 2001
From: Vendicated
Date: Mon, 3 Oct 2022 19:17:54 +0200
Subject: security: remove openPath, restrict openExternal
Now only allows opening http urls.
---
 src/ipcMain/index.ts | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'src/ipcMain/index.ts')
diff --git a/src/ipcMain/index.ts b/src/ipcMain/index.ts
index 92d25fe..22f05fd 100644
--- a/src/ipcMain/index.ts
+++ b/src/ipcMain/index.ts
@@ -29,8 +29,19 @@ function readSettings() {
 // Fix for screensharing in Electron >= 17
 ipcMain.handle(IpcEvents.GET_DESKTOP_CAPTURE_SOURCES, (_, opts) => desktopCapturer.getSources(opts));
-ipcMain.handle(IpcEvents.OPEN_PATH, (_, ...pathElements) => shell.openPath(join(...pathElements)));
-ipcMain.handle(IpcEvents.OPEN_EXTERNAL, (_, url) => shell.openExternal(url));
+ipcMain.handle(IpcEvents.OPEN_QUICKCSS, () => shell.openPath(QUICKCSS_PATH));
+
+ipcMain.handle(IpcEvents.OPEN_EXTERNAL, (_, url) => {
+ try {
+ var { protocol } = new URL(url);
+ } catch {
+ throw "Malformed URL";
+ }
+ if (protocol !== "https:" && protocol !== "http:")
+ throw "Disallowed protocol.";
+
+ shell.openExternal(url);
+});
 ipcMain.handle(IpcEvents.GET_QUICK_CSS, () => readCss());
-- cgit
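Review bot: The new OPEN_EXTERNAL handler validates the parsed URL but then hands the raw renderer-supplied string to `shell.openExternal(url)`, so the value that was checked and the value the OS handler receives can differ (the WHATWG parser trims surrounding whitespace and strips tabs and newlines before it reports `protocol`). Destructure `href` alongside `protocol` and open that normalized value instead, and return the promise so a failure reaches the renderer rather than possibly surfacing as an unhandled rejection in the main process: `return shell.openExternal(href);`. The two `throw "..."` statements throw bare strings; `throw new Error("Disallowed protocol.")` keeps a stack trace and a usable `message`. Since `new URL()` coerces its argument, a `typeof url !== "string"` guard before parsing would also make the accepted input explicit.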