Limiting In-app Navigation, Use of openExternal, and Electron.js Version Upgrade

[masood]

Summary:
Thank you for designing the Infiniti Clips Desktop Application making it open-source and available. The application does a great job of following secure practices. We list pointers of concern below that can help make the application more secure.

1. [In-app Navigation] The application currently limits in-app navigation with a listener on the ‘new-window’ event [Ref]. Electron has updated this event and recommends using setWindowOpenHandler. [Link] Similarly, it may be useful to also set an event.preventDefault() on the ‘will-navigate’ event as a precaution.
2. [Use of openExternal] We observed that the application uses shell.openExternal(). It may be helpful to consider sanitizing the URL before making this call. Passing a file-based link, for example, can lead to triggering an executable.
3. [Keeping up-to-date w/ Electron.js]: The application uses an old version of Electron.js (v21.2.0) and Chromium which are vulnerable to numerous known V8 and Blink attacks. Upgrading to an even newer version will be a great idea as well [Link]

Thank you!

Platform(s) Affected:
Windows, Linux, MacOS

–
Mir Masood Ali, PhD student, University of Illinois Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois Chicago
Chris Kanich, Associate Professor, University of Illinois Chicago
Jason Polakis, Associate Professor, University of Illinois Chicago