teams-for-linux icon indicating copy to clipboard operation
teams-for-linux copied to clipboard
verified publisher icon IsmaelMartinez

Disabled context isolation is a security hole/please enable

Open Thaodan opened this issue 2 years ago • 6 comments

Describe the bug For #434 and further #492 context isolation was disabled. This is a security issue as it exposes all electron api to websites running inside Electron.

If I understand correctly one has to implement contextBridges to be able to use ipcRender which is required for WebRTC. I've linked a few documentation pages around this below.

Desktop :

  • OS: any
  • Installation package: any
  • Version: >1.0.0.17

Additional context

Thaodan avatar Oct 19 '23 21:10 Thaodan

I am sorry but currently I don't have time to look at this in more detail. It does look quite complex to re-place unfortunately.

IsmaelMartinez avatar Mar 21 '24 10:03 IsmaelMartinez

I had a look and it does look a few changes are needed but it should be hopefully double. It might take me a few tries and might break some functionality but I will try 😄 . Thanks for reporting

IsmaelMartinez avatar Jul 03 '24 20:07 IsmaelMartinez

Ok, this is going to be a much bigger task. It will require to re-work all the parts in the UI. Ideally we can get rid of that one, nodeIntegration and the sandbox, but is a mamouth task.

Electron has deprecated the BrowserWindow so I will try to start the work to move to the BaseWindow and WebContentView, but it might take some time.

In the meantime, I will make this values as config options so people can disable them. They will break functionality for sure, but at least you can still use the app. Not sure when I will have the time to make those changes (the enable them as flags) but hopefully soon!

Thanks for reporting again.

IsmaelMartinez avatar Jul 06 '24 08:07 IsmaelMartinez

by the way, we do disable eval so that should, in theory, block most of the bad actors. But agree better to make sure we only expose what we have to.

IsmaelMartinez avatar Jul 06 '24 10:07 IsmaelMartinez

1.8.0 have the ability to disable the contextIsolation and sandboxing in the main BrowserWindow. Currently not doing this until is thoroughly tested by multiple users.

@Thaodan , are you able to test this and see what functionality you see missing? Difficult for me to test from a MacOS it looks like most things are working (all that I tried, but I haven't tried things like custom backgrounds)

Thanks!

IsmaelMartinez avatar Jul 08 '24 06:07 IsmaelMartinez

another option included is running the app with firejail https://github.com/IsmaelMartinez/teams-for-linux/blob/develop/README.md#running-teams-for-linux-in-a-firejail

contextIsolation and sandbox seem to be breaking screensharing. To fix that we would need to re-architect the app (something that would happen over time, but would require a lot of work).

IsmaelMartinez avatar Jul 19 '24 10:07 IsmaelMartinez