We found that preload.js introduces a dangerous API, openShellExternal, for arbitrary access on the unsafe renderer process.
This may lead to remote command execution.
We suggest that a URL check should be enforced at L15, which enforces an allowlist on trusted URLs.
Makes sense. A validUrl function which checks against a list of URLs can be a solution. If you are interested in adding this, PRs are welcome for it. I'll look into it. Thank you 😄
clipper/preload.js
Lines 14 to 16 in d133fde
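One way the validUrl allowlist check proposed in this thread could look, as an added example that is not clipper's own code. The host names in TRUSTED_HOSTS are constructed placeholders, and the opener is injected (in Electron it would be shell.openExternal) so the block runs under plain Node; the actual contents of preload.js lines 14 to 16 are not shown on this page.

```javascript
// Added example, not the project's code. Hosts are constructed placeholders.
const TRUSTED_HOSTS = new Set(["docs.example.com", "updates.example.org"]);

// Returns the normalized URL string if it may be opened, otherwise null.
function validUrl(rawUrl, trustedHosts = TRUSTED_HOSTS) {
  if (typeof rawUrl !== "string") return null;
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser; throws on relative or malformed input
  } catch {
    return null;
  }
  // Scheme allowlist: only https, so non-web schemes and OS protocol
  // handlers are never handed to the shell.
  if (url.protocol !== "https:") return null;
  // Reject userinfo: "https://trusted-host@other-host/" reads as trusted
  // to a human but resolves to other-host.
  if (url.username || url.password) return null;
  // Exact match on the parsed hostname, never a substring or prefix test
  // on the raw string.
  if (!trustedHosts.has(url.hostname)) return null;
  return url.href;
}

// Wraps an opener so the renderer-facing openShellExternal can only reach it
// through validUrl. `opener` is an assumption standing in for the real call.
function makeOpenShellExternal(opener, trustedHosts = TRUSTED_HOSTS) {
  return function openShellExternal(rawUrl) {
    const safe = validUrl(rawUrl, trustedHosts);
    if (safe === null) return false; // refused; a good place to log the attempt
    opener(safe); // pass the normalized form, not the raw renderer input
    return true;
  };
}
```

The check belongs in the preload or main process, since a check performed only in the renderer runs in the same untrusted context the issue is about.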