
Security concerns to automate chrome browser using puppeteer's wsEndpoint to reconnect to opened window [Bug]: #7551

Open Sridhar-Ranganaboina opened this issue 3 years ago • 8 comments

We have concerns from the security team about automating the Chrome browser using puppeteer and its web socket endpoint. Their concern is "When webSocket is enabled at the given port. This WebSocket provides access to the remote debugging protocol, which offers control over the whole browser. This results in scripting access to arbitrary websites, the ability to read local files, write to local files, and launch external programs". Can anyone please help me fix this issue?

// Disconnecting from and reconnecting to a browser
const puppeteer = require('puppeteer');

(async () => {
  // launch() takes an options object; executablePath points at the Chrome binary
  const browser = await puppeteer.launch({executablePath: "chrome path"});
  // Store the endpoint to be able to reconnect to Chrome
  const browserWSEndpoint = browser.wsEndpoint();
  // Disconnect puppeteer from Chrome
  await browser.disconnect();

  // Save the WSEndpoint somewhere in the user temp folder and use it to reestablish a connection. This is to connect to pages which were already opened manually by the user
  const browser2 = await puppeteer.connect({browserWSEndpoint});
  // Close Chromium
  await browser2.close();
})();

Sridhar-Ranganaboina avatar Sep 08 '21 10:09 Sridhar-Ranganaboina

That's a valid concern, @siddusri01. Puppeteer also supports a pipe connection (inter-process communication). But we don't have (yet) a way to implement that in .NET. I think that the only way to solve it at the moment is by implementing some kind of security at the OS level.

kblok avatar Sep 08 '21 12:09 kblok

Thanks @kblok, we are currently trying to mitigate it by validating the HTTP header of wsEndpoint as either localhost or 127.0.0.1. Is this the correct approach as per your idea?

Sridhar-Ranganaboina avatar Sep 09 '21 06:09 Sridhar-Ranganaboina
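
One way to apply the loopback-only check from the comment above on the client side, before a stored endpoint is handed back to `puppeteer.connect` (an added example, not part of the original thread and not Puppeteer or puppeteer-sharp code). The function names, the 0600 file policy and the sample values in it are assumptions made for illustration.

```javascript
// Added example, not from the thread: function names and sample values are constructed.
const fs = require('fs');

// Shape Puppeteer reports from browser.wsEndpoint(): /devtools/browser/<GUID>
const BROWSER_PATH = /^\/devtools\/browser\/[0-9a-f-]{36}$/i;

// Accept only ws:// URLs that target a loopback address and a browser endpoint.
function validateWsEndpoint(endpoint) {
  let url;
  try {
    url = new URL(endpoint);
  } catch {
    return { ok: false, reason: 'not a URL' };
  }
  if (url.protocol !== 'ws:') return { ok: false, reason: 'unexpected scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // The URL parser normalises IPv4 forms such as 127.1 and brackets IPv6 literals.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const loopback = host === 'localhost' || host === '::1' || /^127(\.\d{1,3}){3}$/.test(host);
  if (!loopback) return { ok: false, reason: 'non-loopback host' };
  if (!BROWSER_PATH.test(url.pathname)) return { ok: false, reason: 'unexpected path' };
  return { ok: true, reason: '' };
}

// Store the endpoint so that only the current user can read it (POSIX mode 0600).
function saveEndpoint(file, endpoint) {
  const check = validateWsEndpoint(endpoint);
  if (!check.ok) throw new Error(`refusing to store endpoint: ${check.reason}`);
  fs.writeFileSync(file, endpoint, { mode: 0o600 });
  fs.chmodSync(file, 0o600); // the mode option only applies when the file is created
}

// Reload the endpoint; reject files that other users could read or modify.
function loadEndpoint(file) {
  const st = fs.statSync(file);
  if (process.platform !== 'win32') {
    if (st.uid !== process.getuid()) throw new Error('endpoint file has another owner');
    if ((st.mode & 0o077) !== 0) throw new Error('endpoint file is open to other users');
  }
  const endpoint = fs.readFileSync(file, 'utf8').trim();
  const check = validateWsEndpoint(endpoint);
  if (!check.ok) throw new Error(`stored endpoint rejected: ${check.reason}`);
  return endpoint;
}
```

Pass the value returned by `loadEndpoint` to `puppeteer.connect({browserWSEndpoint})`. These checks constrain where the client connects and who can read the stored endpoint; they do not control which local processes can reach the debugging port itself.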

@kblok, I saw you mentioned that the pipe feature will be implemented in v1.1.0. Is it in progress, or is it not possible with .NET?

"#223, Hey @JipingWang. Pipe connection will be implemented when we get to v1.1.0"

Sridhar-Ranganaboina avatar Sep 09 '21 08:09 Sridhar-Ranganaboina

Yeah, that was a long time ago. I wasn't able to implement that feature.

kblok avatar Sep 09 '21 12:09 kblok

Thanks @kblok. Is there any workaround to solve this issue? You mentioned the need to implement some kind of security at the OS level. Actually, we are almost at the end of the project and got stuck with this issue, and now we are in a painful situation. This is a major roadblock for us, and I think it is a major bug in puppeteer-sharp as well, as per security concerns. Please let me know if there is any way I can contribute to this feature.

Sridhar-Ranganaboina avatar Sep 09 '21 14:09 Sridhar-Ranganaboina

The only thing that someone with access to that WebSocket will be able to do is to automate the browser. I don't see how it can access a local file.

kblok avatar Sep 09 '21 14:09 kblok

I got this link; they explained how it can be hacked: https://bugs.chromium.org/p/chromium/issues/detail?id=813540

Sridhar-Ranganaboina avatar Sep 09 '21 15:09 Sridhar-Ranganaboina

I took a look at the link. According to that bug report, it was an issue with Chromium 63 and has since been fixed back in 2018. Is there any documentation regarding this security concern for the latest Chromium versions (90, 91, 92, etc.)?

kgar avatar Oct 02 '21 04:10 kgar

Closed due to inactivity. Feel free to reopen it if needed.

kblok avatar Dec 17 '23 20:12 kblok