security: remove openPath, restrict openExternal

Now only allows opening http urls.
Vendicated 2022-10-03 19:17:54 +02:00
parent 71a59f4020
commit 8fe60971f5
No known key found for this signature in database
GPG Key ID: EC781ADFB93EFFA3
3 changed files with 15 additions and 4 deletions

@ -88,7 +88,7 @@ export default ErrorBoundary.wrap(function Settings() {
Launch Directory
</Button>
<Button
onClick={() => VencordNative.ipc.invoke(IpcEvents.OPEN_PATH, settingsDir, "quickCss.css")}
onClick={() => VencordNative.ipc.invoke(IpcEvents.OPEN_QUICKCSS)}
size={Button.Sizes.SMALL}
disabled={settingsDir === "Loading..."}
>

@ -29,8 +29,19 @@ function readSettings() {
// Fix for screensharing in Electron >= 17
ipcMain.handle(IpcEvents.GET_DESKTOP_CAPTURE_SOURCES, (_, opts) => desktopCapturer.getSources(opts));
ipcMain.handle(IpcEvents.OPEN_PATH, (_, ...pathElements) => shell.openPath(join(...pathElements)));
ipcMain.handle(IpcEvents.OPEN_EXTERNAL, (_, url) => shell.openExternal(url));
ipcMain.handle(IpcEvents.OPEN_QUICKCSS, () => shell.openPath(QUICKCSS_PATH));
ipcMain.handle(IpcEvents.OPEN_EXTERNAL, (_, url) => {
try {
var { protocol } = new URL(url);
} catch {
throw "Malformed URL";
}
if (protocol !== "https:" && protocol !== "http:")
throw "Disallowed protocol.";
shell.openExternal(url);
});
ipcMain.handle(IpcEvents.GET_QUICK_CSS, () => readCss());
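Review bot: The new `OPEN_EXTERNAL` handler checks the protocol of the parsed URL but then passes the original `url` argument to `shell.openExternal`, so the validated value and the opened value are not guaranteed to be the same (for example when `new URL` coerces a non-string argument). To open exactly what was checked, declare `let parsed;` before the `try`, assign `parsed = new URL(url);` inside it, test `parsed.protocol`, and end with `return shell.openExternal(parsed.href);`. Returning the promise also matters: the one-line arrow form of this handler shown just above returned it, whereas the block form drops it, so a failed open would presumably surface as an unhandled rejection in the main process rather than reach the renderer. As a smaller style point, both `throw` statements raise bare strings and the `var` inside `try` relies on hoisting; `throw new Error("Disallowed protocol.")` would be more conventional.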

@ -18,7 +18,7 @@ export default strEnum({
GET_SETTINGS: "VencordGetSettings",
SET_SETTINGS: "VencordSetSettings",
OPEN_EXTERNAL: "VencordOpenExternal",
OPEN_PATH: "VencordOpenPath",
OPEN_QUICKCSS: "VencordOpenQuickCss",
GET_UPDATES: "VencordGetUpdates",
GET_REPO: "VencordGetRepo",
GET_HASHES: "VencordGetHashes",