Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

electron: only allow browser-window #7205

Merged
merged 1 commit into from
Feb 25, 2020
Merged

electron: only allow browser-window #7205

merged 1 commit into from
Feb 25, 2020

Conversation

paul-marechal
Copy link
Member

What it does

Only allow http request from Electron's own browser-window. Token is
generated within electron-main, which also sets it as a cookie within
browser-windows. Token is passed to the backend via environment
variables. The backend is looking for this specific token to authorize
requests.

How to test

Everything should keep working when running Electron. Make sure we can also display html previews. You should not be able to load http://localhost:<dynamic-port> in your browser anymore.

Review checklist

Reminder for reviewers

@paul-marechal paul-marechal added the electron issues related to the electron target label Feb 24, 2020
@akosyakov akosyakov added the security issues related to security label Feb 24, 2020
@akosyakov
Copy link
Member

It works! Cool!
Screenshot 2020-02-24 at 21 16 32

I wonder whether it is possible to enable security for ws upgrade request on express level, not on level of ws? If not I think the current solution is alright, we just should say that MessagingContribution should be always used in Theia, not a custom ws endpoints. Otherwise it will cause security issues for electron.

@akosyakov
Copy link
Member

akosyakov commented Feb 24, 2020

@marechal-p Could you reference a relevant bugzilla please? i.e. https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747

@akosyakov akosyakov requested a review from thegecko February 24, 2020 20:23
@paul-marechal paul-marechal force-pushed the mp/mini-browser branch 2 times, most recently from 9a0a909 to 2af89f6 Compare February 25, 2020 02:41
Copy link
Member

@akosyakov akosyakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It works good for me. Please look at comments though.

Only allow http request from Electron's own browser-window. Token is
generated within electron-main, which also sets it as a cookie within
browser-windows. Token is passed to the backend via environment
variables. The backend is looking for this specific token to authorize
requests.

Fixes https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747

Signed-off-by: Paul Maréchal <[email protected]>
@paul-marechal paul-marechal merged commit b212d07 into master Feb 25, 2020
@paul-marechal paul-marechal deleted the mp/mini-browser branch February 25, 2020 22:52
}

isTokenValid(token: ElectronSecurityToken): boolean {
return typeof token === 'object' && token.value === this.electronSecurityToken!.value;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer a constant-time comparison algorithm here to prevent timing attacks (e.g. crypto.timingSafeEqual https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
electron issues related to the electron target security issues related to security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants