PRELOAD_JS_CHECK
Despite disabling nodeIntegration or enabling sandbox, preload scripts have access to Node.js APIs. When Node integration is turned off, the preload script can reintroduce Node global symbols back to the global scope. The current implementation of the Chromium sandbox also still allows access to all underlying Electron/Node.js primitives using either the remote module or internal IPC:
```js
// #1 - Sandbox bypass in preload scripts using remote
app = require('electron').remote.app
```

```js
// #2 - Sandbox bypass in preload scripts using internal Electron IPC messages
const { ipcRenderer } = require('electron')
app = ipcRenderer.sendSync('ELECTRON_BROWSER_GET_BUILTIN', 'app')
```
As demonstrated in the examples above, a malicious preload script can still obtain a reference to the application object by leveraging the remote module, which provides a simple way to do inter-process communication (IPC) between the renderer process and the main process. Finally, it is also possible to emulate the internal IPC mechanism, sending a message to the main process synchronously via ELECTRON_ internal channels.
Considering the privileged access available in preload, the code of preload scripts must be carefully reviewed. Improper use of preload scripts can introduce nodeIntegration or sandbox bypasses, in addition to other vulnerabilities.
If contextIsolation is not used, there is also the risk that malicious code may be able to tamper with sensitive operations with prototype pollution attacks.
Search for the preload directive within the webPreferences of BrowserWindow. Manually review all imported scripts.
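The check described above, as an added example that is not Electronegativity's own code: a regex-based pass that finds preload directives inside webPreferences (assuming one property per line; a real scanner would walk the AST) and flags the remote/internal-IPC primitives and Node-global leaks discussed on this page in the preload script's text. Both sample sources are constructed for the example.

```javascript
// Locate every webPreferences block that declares a preload script and report
// the flags that decide how much the preload script can reach.
function findPreloadDirectives(mainSource) {
  const results = [];
  const blockRe = /webPreferences\s*:\s*\{([^}]*)\}/g;
  let block;
  while ((block = blockRe.exec(mainSource)) !== null) {
    const body = block[1];
    const preload = /preload\s*:\s*(.+?)\s*,?\s*(?:\n|$)/.exec(body);
    if (!preload) continue; // no preload here, nothing to review
    const flag = (name) => {
      const f = new RegExp(name + '\\s*:\\s*(true|false)').exec(body);
      return f ? f[1] === 'true' : undefined; // undefined: left at default
    };
    results.push({
      preload: preload[1],
      nodeIntegration: flag('nodeIntegration'),
      sandbox: flag('sandbox'),
      contextIsolation: flag('contextIsolation'),
    });
  }
  return results;
}
// Flag the bypass primitives the page lists inside a preload script's text.
function auditPreloadScript(preloadSource) {
  const findings = [];
  if (/\.remote\b/.test(preloadSource)) findings.push('remote-module');
  if (/ELECTRON_BROWSER_/.test(preloadSource)) findings.push('internal-ipc');
  // Re-exposing require/process on window or global hands Node back to page JS.
  if (/(window|global)\s*\.\s*(require|process)\s*=[^=]/.test(preloadSource)) {
    findings.push('node-global-leak');
  }
  return findings;
}
// Constructed sample inputs (not taken from any real project).
const sampleMain = `
const win = new BrowserWindow({
  webPreferences: {
    nodeIntegration: false,
    sandbox: true,
    preload: path.join(__dirname, 'preload.js'),
  },
});`;
const samplePreload = `const { ipcRenderer } = require('electron')
window.require = require
const app = ipcRenderer.sendSync('ELECTRON_BROWSER_GET_BUILTIN', 'app')`;
for (const d of findPreloadDirectives(sampleMain)) {
  console.log('preload:', d, 'findings:', auditPreloadScript(samplePreload));
}
```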