This repository was archived by the owner on May 24, 2022. It is now read-only.

Use whitelist instead of open ended regex #547

@Tbaut

Description


Implement a strict whitelist of resources. Whitelist GitHub repositories and
domains strictly instead of using an open ended regular expression.

Fether uses blacklist patterns when determining whether a window should be allowed to open. The use of a blacklist could be abusable by an attacker in certain circumstances, allowing malicious endpoints adhering to the blacklist patterns to be opened, as seen at:

https://github.com/paritytech/fether/blob/master/packages/fether-electron/src/main/app/utils/isTrustedUrlPattern.js#L43-L60

https://github.com/paritytech/fether/blob/master/packages/fether-electron/src/main/index.js#L165

https://github.com/paritytech/fether/blob/master/packages/fether-electron/src/main/app/utils/isTrustedUrlPattern.js#L56-L67
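The strict allowlist the issue asks for, as an added example that is not Fether's code and is not taken from the linked files. It parses the candidate URL with the WHATWG `URL` class instead of matching a regular expression against the raw string, requires `https:`, compares the hostname exactly against a fixed set, and for `github.com` accepts only paths whose first two segments form an allowlisted `owner/repo`. The host and repository lists, the function names and the sample URLs are all hypothetical placeholders chosen for the example; the loose pattern at the bottom is included only to contrast an open-ended match with the exact one.

```javascript
// Added example, not Fether's own code. Allowlist contents are hypothetical.
// `URL` is the global WHATWG parser available in Node and browsers.

// Exact hostnames that may be opened; compared after parsing, never by regex.
const ALLOWED_HOSTS = new Set([
  'parity.io',
  'wiki.parity.io',
]);

// GitHub repositories that may be opened, as lower-case "owner/repo".
const ALLOWED_GITHUB_REPOS = new Set([
  'paritytech/fether',
  'paritytech/parity-ethereum',
]);

// Returns true only for https URLs whose hostname is allowlisted exactly, or
// whose hostname is github.com and whose path begins with an allowed repo.
function isAllowedUrl(rawUrl) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch (e) {
    return false; // unparseable input is denied, never assumed harmless
  }

  if (url.protocol !== 'https:') return false;
  // Reject userinfo so "https://github.com@evil.test/" cannot masquerade.
  if (url.username || url.password) return false;

  const host = url.hostname.toLowerCase();

  if (ALLOWED_HOSTS.has(host)) return true;

  if (host === 'github.com') {
    // pathname looks like "/owner/repo/..."; take exactly the first two segments
    const segments = url.pathname.split('/').filter(Boolean);
    if (segments.length < 2) return false;
    const repo = `${segments[0]}/${segments[1]}`.toLowerCase();
    return ALLOWED_GITHUB_REPOS.has(repo);
  }

  return false;
}

// For contrast only: an open-ended pattern of the kind the issue argues
// against. It matches any string containing "github.com", wherever it sits.
const OPEN_ENDED_PATTERN = /github\.com/;
function isAllowedByLoosePattern(rawUrl) {
  return OPEN_ENDED_PATTERN.test(String(rawUrl));
}

// Constructed sample inputs for the example.
const SHOULD_PASS = [
  'https://github.com/paritytech/fether',
  'https://github.com/paritytech/fether/issues/547',
  'https://wiki.parity.io/Fether',
];
const SHOULD_FAIL = [
  'http://github.com/paritytech/fether',             // plain http
  'https://github.com.evil.test/paritytech/fether',   // look-alike host
  'https://evil.test/github.com/paritytech/fether',   // allowed string in path
  'https://github.com@evil.test/paritytech/fether',   // userinfo trick
  'https://github.com/someone-else/fether',           // repo not allowlisted
  'javascript:alert(document.domain)',                // non-http scheme
];

// True when every sample behaves as labelled under the strict check.
function selfCheck() {
  return SHOULD_PASS.every(isAllowedUrl) && !SHOULD_FAIL.some(isAllowedUrl);
}

// Count how many of the constructed bad inputs the loose pattern lets through.
function loosePatternFalseAccepts() {
  return SHOULD_FAIL.filter(isAllowedByLoosePattern).length;
}

for (const u of [...SHOULD_PASS, ...SHOULD_FAIL]) {
  console.log(isAllowedUrl(u) ? 'ALLOW' : 'DENY ', u,
    '| loose pattern:', isAllowedByLoosePattern(u));
}
```

The point of parsing first is that the decision is made on the hostname the browser or Electron will actually connect to, so a hostname containing `github.com` as a prefix, a path echoing an allowed host, or a userinfo component all fall through to deny. Anything not listed is rejected by default; growing the allowlist is an explicit code change rather than a pattern tweak.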
