Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: security: add an option to disable the remote module #13028

Merged
merged 1 commit into from Oct 13, 2018
Merged

feat: security: add an option to disable the remote module #13028

merged 1 commit into from Oct 13, 2018

Conversation

miniak
Copy link
Contributor

@miniak miniak commented May 21, 2018
edited

Description of Change

The webPreferences.sandbox option is not sufficient to prevent fully exploitation if the remote module still allows access to fs and other modules via the main process. This proposal adds a new option webPreferences.enableRemoteModule, which blocks access to the remote module on the main process side.

  • On the renderer process side, it removes access to electron.remote, which allows code to check whether the app can use remote beforehand
  • On the main process side, the rpc-server.js ignores all IPC messages implementing the remote module
Checklist
  • PR description included and stakeholders cc'd
  • npm test passes
  • tests are changed or added
  • relevant documentation is changed or added
  • PR title follows semantic commit guidelines
Release Notes

Notes: Added webPreferences.enableRemoteModule option allowing to disable the remote module to increase sandbox security.

@miniak miniak requested review from a team May 21, 2018 21:11
@miniak
Copy link
Contributor Author

miniak commented May 21, 2018

Other potentially dangerous IPC messages are ELECTRON_BROWSER_SEND_TO and ELECTRON_BROWSER_DESKTOP_CAPTURER_GET_SOURCES

@tarruda
Copy link
Contributor

tarruda commented May 21, 2018
edited

This is a good initiative, but if the end goal is to make it possible to securely run untrusted code in a sandboxed renderer, we need something more radical than simply disabling the remote module.

What I have considered for some time was the implementation of a secure webPreference which enhances sandbox and essentially blocks all IPC from the renderer with the exception of messages that are absolutely essential (such as ELECTRON_BROWSER_SANDBOX_LOAD, which can only be called once per webContents) or messages matching an user-specified filter (which could be a regexp). This makes it possible for Electron apps to have a set of opt-in IPC handlers which can be used by the sandboxed renderer to interact with the browser process in a secure way. Note that this essentially removes most electron APIs from the renderer, which is the ideal scenario for running untrusted code.

In addition, the preload script of secure renderers will run in a separate context (as in contextIsolation) and communicate with the main page using asynchronous messages, which is how chrome plugins communicate with code loaded from the web.

Keep in mind that this is just an idea which I had some time to think about, and introducing new APIs that say Electron apps can run untrusted code requires a lot more careful planning, as we may be pushing a false idea of security which can have bad consequences for users. What I mean is that a lot of people will see this option and immediately assume it is safe to load any web page into Electron (without trying to understand how it works), which is simply not true.

@miniak
Copy link
Contributor Author

miniak commented May 21, 2018
edited

@tarruda are you coming to the Electron summit in Prague? It should be one of the topics to be discussed IMHO.

@tarruda
Copy link
Contributor

tarruda commented May 23, 2018

@tarruda are you coming to the Electron summit in Prague? It should be one of the topics to be discussed IMHO.

Just booked my flight/airbnb

@yourfreelance-editor yourfreelance-editor mentioned this pull request May 23, 2018
Open
@codebytere codebytere changed the title Add webPreferences.disableRemote option to disable the remote module (sandbox security) security: add webPreferences.disableRemote option to disable the remote module (sandbox) May 26, 2018
@electron electron deleted a comment from kewde Jul 27, 2018
@miniak miniak force-pushed the miniak/disable-remote branch 2 times, most recently from 2753cbd to 502e5ed Compare July 27, 2018 19:18
@miniak miniak changed the title security: add webPreferences.disableRemote option to disable the remote module (sandbox) [wip] security: add webPreferences.disableRemote option to disable the remote module (sandbox) Jul 29, 2018
@MarshallOfSound
Copy link
Member

@miniak What is the status of this?

@miniak
Copy link
Contributor Author

miniak commented Aug 10, 2018

@MarshallOfSound it still needs some love. Seems like remote is also used internally for some logic or something. I need to check how to handle that.

@MarshallOfSound
Copy link
Member

@miniak This one has conflicts as well

@miniak miniak force-pushed the miniak/disable-remote branch 5 times, most recently from e348511 to 18fa3e1 Compare August 25, 2018 21:17
@miniak
Copy link
Contributor Author

miniak commented Aug 25, 2018

@MarshallOfSound conflicts resolved + fixed internal usages of remote (either fails gracefully or re-implemented not to use remote)

@miniak miniak force-pushed the miniak/disable-remote branch 2 times, most recently from fa31074 to 38d6579 Compare August 25, 2018 21:56
@miniak miniak force-pushed the miniak/disable-remote branch 5 times, most recently from 5987fdf to 4ddb99b Compare October 11, 2018 08:08
@miniak miniak mentioned this pull request Oct 12, 2018
Closed
@miniak
Copy link
Contributor Author

miniak commented Oct 13, 2018

@MarshallOfSound can you please unblock? all comments should be resolved now.

@miniak miniak mentioned this pull request Oct 13, 2018
Merged
5 tasks
@miniak
Copy link
Contributor Author

miniak commented Oct 13, 2018

@MarshallOfSound can you please also merge? I cannot do that myself :(

@alexeykuzmin alexeykuzmin merged commit d3efc52 into master Oct 13, 2018
@release-clerk
Copy link

release-clerk bot commented Oct 13, 2018

Release Notes Persisted

Added webPreferences.enableRemoteModule option allowing to disable the remote module to increase sandbox security.

@alexeykuzmin alexeykuzmin deleted the miniak/disable-remote branch October 13, 2018 17:50
@alexeykuzmin
Copy link
Contributor

I'm going to create a backport PR to the 4-0-x branch so it's ready to be merged.
But it should NOT be merged without an explicit approval since the change a new feature.
cc @ckerr

@alexeykuzmin
Copy link
Contributor

/trop run backport

@trop
Copy link
Contributor

trop bot commented Oct 17, 2018

The backport process for this PR has been manually initiated, here we go! :D

@trop trop bot mentioned this pull request Oct 17, 2018
Merged
@trop
Copy link
Contributor

trop bot commented Oct 17, 2018

We have automatically backported this PR to "4-0-x", please check out #15222

@trop trop bot added merged/4-0-x and removed target/4-0-x labels Oct 17, 2018
@miniak miniak mentioned this pull request Dec 5, 2018
Merged
3 tasks
@miniak miniak mentioned this pull request Mar 25, 2019
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexeykuzmin alexeykuzmin alexeykuzmin approved these changes

@tarruda tarruda tarruda approved these changes

@MarshallOfSound MarshallOfSound MarshallOfSound approved these changes

@juturu juturu Awaiting requested review from juturu

Assignees

@miniak miniak

Labels
security 🔒 semver/minor backwards-compatible functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@miniak @tarruda @MarshallOfSound @alexeykuzmin