Tezori
Ensure Electron security best practices are followed
The best practices for Electron security are listed at https://github.com/electron/electron/blob/master/docs/tutorial/security.md. We should ensure all steps listed there are followed in the wallet code.
Summarizing from the link:
- We do not load any remote content, for which this guide is most effective, so no actions were taken to improve security based on this guide.
- There are a lot of preventative measures, like disabling functions like `eval()`, but we're not using it anywhere in the code, so would it make more sense to run a check as a pull request is being merged? Is it necessary to do now?
- What's not covered is screening input fields (e.g. putting `<script>alert('hi')</script>` or other JavaScript in input fields). Amounts (numbers only) and addresses (written a certain way) are validated, and passwords are loosely validated. We don't have any fields for which information is passed to other users (e.g. like in news feeds, etc), so is screening input fields necessary?
Some comments from other auditors: