Jimmy Breck-McKye

Reputation: 3034

How can I open this external app from Electron securely?

I'm prototyping an Electron app that can open provided files in a third party photo editor, using Node's childProcess API:

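const childProcess = require('child_process');

// Open the file in the third-party editor through the macOS `open` command.
// The handle is named `child` so it does not shadow Node's global `process`.
const child = childProcess.spawn(
    'open',
    ['-a', 'Polarr Photo Editor', filename],
    {shell: false}
);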

I'm a little concerned about the security of passing in an unsanitised filename as a parameter. For context, here's how the app might work:

  1. It requests a JSON payload from our server, which lists a set of assets in S3
  2. Those assets are downloaded locally
  3. The user can then choose which one to open in his or her editor
  4. After making edits, they can re-upload to us

My concern is that a MITM attack around stage 1 could mean a user downloads a maliciously named file, a filename that can do evil things when passed as a parameter to spawn, e.g. myCoolFile && doEvilThing ;.jpg.

I have done a little testing, and haven't found any obvious exploits yet, but I'm worried I might be missing something.

Therefore I'd like to know:

  1. Can parameters sent to spawn hijack the command, produce evil side effects - do anything unexpected or undesirable in the hands of a malicious user?
  2. If so, what can I do? Are there better alternatives to opening third party applications from a Node process?
  3. Is there any general good practice for security in Electron apps that I should be reading up on?

Upvotes: 1

Views: 841

Answers (1)

Janith

Reputation: 2910

I don't see this as a security issue. There are two reasons.

The first one is that the filename is only a parameter that is sent to a third-party application. So that executable should validate the parameter to check whether it is a file or not. If it doesn't, it is out of your scope and you may have to ask them to fix that, or alternatively validate that it is a filename.

And the second reason is that this happens on the client side, so the user will be responsible for passing the filename, even if it's done manually. You have no control over what he might execute on his own system, and that is okay, even though you made it impossible.

Your user can always execute open -a Polarr Photo Editor anything_he_want in his terminal if he wants to crack it.

Upvotes: 1
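
An added example, not part of the question or the answer above: one way to constrain the server-supplied asset name before it reaches spawn, so the argument is always an absolute path inside the download folder and can never be read as an option. DOWNLOAD_DIR, ALLOWED_EXT, safeAssetPath and openInEditor are hypothetical names, and the folder and extension list are assumptions.

```javascript
const path = require('path');
const { spawn } = require('child_process');

// Assumed values for this sketch: where step 2 stores downloads, and which
// asset types the app expects to hand to the editor.
const DOWNLOAD_DIR = path.resolve('downloads');
const ALLOWED_EXT = new Set(['.jpg', '.jpeg', '.png']);

// Turn a server-supplied asset name into an absolute path inside DOWNLOAD_DIR,
// or throw. An absolute path never begins with "-", so the launched program
// cannot mistake it for a command-line option.
function safeAssetPath(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) {
    throw new Error('invalid asset name');
  }
  if (/[\x00-\x1f\x7f]/.test(name)) {
    throw new Error('control character in asset name');
  }
  // Only a bare file name is accepted: no directories, no "." or "..".
  if (name !== path.basename(name) || name === '.' || name === '..') {
    throw new Error('asset name must be a bare file name');
  }
  if (!ALLOWED_EXT.has(path.extname(name).toLowerCase())) {
    throw new Error('unexpected file type');
  }
  const full = path.resolve(DOWNLOAD_DIR, name);
  // Defence in depth: the resolved path must sit directly in DOWNLOAD_DIR.
  if (path.dirname(full) !== DOWNLOAD_DIR) {
    throw new Error('asset resolves outside the download folder');
  }
  return full;
}

// With shell: false the arguments go to `open` as an argv array, so
// characters such as "&&" and ";" in the name are plain file-name characters.
function openInEditor(name) {
  const args = ['-a', 'Polarr Photo Editor', safeAssetPath(name)];
  return spawn('open', args, { shell: false });
}
```
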
