
[Security Issue] "contextIsolation" is disabled

Open Shashank-In opened this issue 5 years ago • 4 comments

Description: Since contextIsolation is not mentioned, it will be disabled by default. This means the Electron APIs and the preload script run in the same context, hence an XSS vulnerability could allow an attacker to re-define app functionality via prototype tampering.

Proof:

  1. Go to https://github.com/wavesplatform/WavesGUI/blob/dev/electron/main.ts#L386-L389

```ts
webPreferences: {
    preload: join(__dirname, 'preload.js'),
    nodeIntegration: false
}
```

Since "contextIsolation" is not mentioned, it will be set to false by default.

Suggested Fix: It should have contextIsolation: true

Ref: https://www.electronjs.org/docs/tutorial/context-isolation

Note: I saw the bug bounty program of Waves at https://forum.wavesplatform.com/t/bug-bounty-program/1127. However, the email [email protected] is dead.

Shashank-In · Nov 08 '20 07:11
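Added example, not part of the original issue or of WavesGUI's code: a Node-only model of why the missing setting matters, with `vm` contexts standing in for Electron's JavaScript worlds. The preload logic, the channel names and the page script are constructed for illustration.

```javascript
const vm = require('node:vm');

// Hypothetical preload logic: only allowlisted IPC channels may be used.
const PRELOAD_SRC = `
  const ALLOWED = ['get-version', 'open-settings'];
  globalThis.bridgeSend = (channel) =>
    ALLOWED.includes(channel) ? 'sent' : 'blocked';
`;

// Constructed stand-in for script that reached the page (e.g. through XSS):
// it redefines a built-in and then asks for a channel outside the allowlist.
const PAGE_SRC = `
  Array.prototype.includes = () => true;
  globalThis.result = bridgeSend('privileged-action');
`;

// contextIsolation: false -> preload and page share one set of built-ins.
function runShared() {
  const world = vm.createContext({});
  vm.runInContext(PRELOAD_SRC, world);
  vm.runInContext(PAGE_SRC, world);
  return world.result;
}

// contextIsolation: true -> the preload has its own built-in prototypes.
// Electron's contextBridge additionally proxies values that cross the
// boundary; handing over the function directly is a simplification.
function runIsolated() {
  const preloadWorld = vm.createContext({});
  const pageWorld = vm.createContext({});
  vm.runInContext(PRELOAD_SRC, preloadWorld);
  pageWorld.bridgeSend = preloadWorld.bridgeSend;
  vm.runInContext(PAGE_SRC, pageWorld);
  return pageWorld.result;
}

console.log('shared world:  ', runShared());
console.log('isolated world:', runIsolated());
```

In the shared world the page's redefinition of `Array.prototype.includes` changes the outcome of the preload's allowlist check; in the isolated world the same redefinition only touches the page's own copy of the built-in.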

Any updates?

Shashank-In · Nov 19 '20 12:11

Hi @tsigel Any updates?

Shashank-In · Nov 25 '20 19:11

You can try WavesLiteClient here

weidisu · Feb 05 '21 14:02

Sorry @weidisu, I did not understand why it is related to this bug report?

Shashank-In · Feb 09 '21 05:02