
security: harden Electron windows, IPC, and DOM rendering #46

Merged
flexiondotorg merged 3 commits into main from concerns
Mar 25, 2026

@flexiondotorg
Member

Summary

Three audit concerns addressed through security hardening and code quality improvements: sandboxing Electron windows, restricting IPC bridge commands, protecting against DOM injection, graceful lifecycle cleanup, and adding trust boundary annotations. No behaviour change for end users; all 203 tests pass.

Changes

  • Phase 1: Add webPreferences sandbox settings to splash window and about window (src/main.ts, src/tray.ts); add command allowlist to musicKitHook IPC bridge (assets/musicKitHook.js)
  • Phase 2: Add will-quit handler to discord-presence integration for clean shutdown (src/integrations/discord-presence/index.ts)
  • Phase 3: Add trust boundary annotation to about.html; replace innerHTML with DOM construction in navigationBar.js; add artifact name metadata to package.json

Testing

All 203 tests pass. Changes are localised refinements to seven audit concerns identified in code review - no functionality changes.

Related Issues

No GitHub issues referenced.

- Add webPreferences sandbox, preload, and context isolation settings to
  createSplash() main window
- Add webPreferences sandbox, preload, and context isolation settings to
  showAboutWindow() tray window
- Add command allowlist to musicKitHook.js with cross-referenced
  validation in preload.ts

Signed-off-by: Martin Wimpress <code@wimpress.io>

- Convert anonymous player event callbacks to named const declarations
- Add app.on('will-quit') handler following MPRIS pattern
- Clear all timers (debounce, pause, reconnect)
- Destroy Discord client with try/catch error handling
- Remove all player event listeners with stable references
- Reset mutable state to ensure clean shutdown

Signed-off-by: Martin Wimpress <code@wimpress.io>

- Document trust boundary for icon parameter in about.html (set by main
  process, not user-controllable)
- Replace innerHTML with DOM construction in navigationBar.js using
  createElementNS and appendChild; extract three SVG builder functions
- Add artifactName omission comment to package.json (prevents desktop
  shortcut version breakage)

Signed-off-by: Martin Wimpress <code@wimpress.io>
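
The command allowlist described in the Phase 1 notes above, sketched as an added example that is not code from this PR or the project: the command names, handlers and message shape are hypothetical. It contrasts an unrestricted property lookup with an own-property allowlist plus argument validation.

```javascript
// Added example: command names, handlers and message shape are hypothetical.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Allowlist: command name -> validator for its single argument.
const ALLOWED_COMMANDS = Object.freeze({
  play: (arg) => arg === undefined,
  pause: (arg) => arg === undefined,
  seekTo: (arg) => Number.isFinite(arg) && arg >= 0,
  setVolume: (arg) => Number.isFinite(arg) && arg >= 0 && arg <= 1,
});

// Unrestricted dispatch: any function reachable on the handler object is
// callable, including inherited ones such as "constructor".
function naiveDispatch(handlers, msg) {
  const fn = handlers[msg.command];
  return typeof fn === 'function' ? { ok: true, result: fn(msg.arg) } : { ok: false };
}

// Hardened dispatch: own-property allowlist check and argument validation
// run before anything from the page reaches a privileged handler.
function allowlistDispatch(handlers, msg) {
  if (msg === null || typeof msg !== 'object') return { ok: false, reason: 'malformed' };
  const { command, arg } = msg;
  if (typeof command !== 'string' || !own(ALLOWED_COMMANDS, command)) {
    return { ok: false, reason: 'command not allowed' };
  }
  if (!ALLOWED_COMMANDS[command](arg)) return { ok: false, reason: 'bad argument' };
  if (!own(handlers, command)) return { ok: false, reason: 'no handler' };
  return { ok: true, result: handlers[command](arg) };
}

// Constructed handlers standing in for the privileged side of the bridge.
const handlers = {
  play: () => 'playing',
  pause: () => 'paused',
  seekTo: (seconds) => `seek:${seconds}`,
  setVolume: (level) => `vol:${level}`,
  // Present on the object but deliberately absent from the allowlist.
  openExternal: (url) => `opened:${url}`,
};
```

Keeping the validator next to each command name means adding a command forces a decision about what its argument may contain.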
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 8 files

Requires human review: This PR includes security-related hardening (IPC allowlisting) and code refactoring (DOM construction and listener management) which fall under high-impact categories requiring human review.

@flexiondotorg flexiondotorg merged commit cdca0ae into main Mar 25, 2026
10 of 12 checks passed
@flexiondotorg flexiondotorg deleted the concerns branch March 25, 2026 13:36