Saltar al contenido principal

Webview Vulnerability Fix

· 2 lectura mínima

A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it. La vulnerabilidad ha sido asignada al identificador CVE CVE-2018-1000136.


Affected Applications

An application is affected if all of the following are true:

  1. Runs on Electron 1.7, 1.8, or a 2.0.0-beta
  2. Allows execution of arbitrary remote code
  3. Disables Node.js integration
  4. Does not explicitly declare webviewTag: false in its webPreferences
  5. Does not enable the nativeWindowOption option
  6. Does not intercept new-window events and manually override event.newGuest without using the supplied options tag

Although this appears to be a minority of Electron applicatons, we encourage all applications to be upgraded as a precaution.

Mitigación

This vulnerability is fixed in today's 1.7.13, 1.8.4, and 2.0.0-beta.5 releases.

Developers who are unable to upgrade their application's Electron version can mitigate the vulnerability with the following code:

app.on('web-contents-created', (event, win) => {
win.on(
'new-window',
(event, newURL, frameName, disposition, options, additionalFeatures) => {
if (!options.webPreferences) options.webPreferences = {};
options.webPreferences.nodeIntegration = false;
options.webPreferences.nodeIntegrationInWorker = false;
options.webPreferences.webviewTag = false;
delete options.webPreferences.preload;
}
);
});

// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
win.on('will-attach-webview', (event, webPreferences, params) => {
event.preventDefault();
});
});

Más información

This vulnerability was found and reported responsibly to the Electron project by Brendan Scarvell of Trustwave SpiderLabs.

Para aprender más sobre las buenas prácticas para mantener tus aplicaciones Electron seguras, ve nuestro tutorial de seguridad.

To report a vulnerability in Electron, please email security@electronjs.org.

Please join our email list to receive updates about releases and security updates.