WebPreferences Vulnerability Fix
A remote code execution vulnerability has been discovered affecting apps with the ability to open nested child windows on Electron versions 3.0.0-beta.6, 2.0.7, 1.8.7, and 1.7.15. This vulnerability has been assigned the CVE identifier CVE-2018-15685.
Affected Platforms
You are impacted if:
- You embed any remote user content, even in a sandbox
- You accept any user input that is subject to an XSS vulnerability
Details
You are impacted if any user code runs inside an iframe or can create an iframe. Given the possibility of an XSS vulnerability, it can be assumed that most apps are at risk of this case.
You are also impacted if you open any of your windows with the nativeWindowOpen: true or sandbox: true option. Although this vulnerability also requires an XSS vulnerability to exist in your app, you should still apply one of the mitigations below if you use either of these options.
Mitigation
We've published new versions of Electron which include fixes for this vulnerability: 3.0.0-beta.7, 2.0.8, 1.8.8, and 1.7.16. We urge all Electron developers to update their apps to the latest stable version immediately.
If for some reason you are unable to upgrade your Electron version, you can protect your app by blanket-calling event.preventDefault() on the new-window event for all webContents instances. If you don't use window.open or any child windows at all, then this is also a valid mitigation for your app.
```js
mainWindow.webContents.on('new-window', (e) => e.preventDefault());
```
If you rely on the ability of your child windows to make grandchild windows, then a third mitigation strategy is to use the following code on your top-level window:
```js
const enforceInheritance = (topWebContents) => {
  const handle = (webContents) => {
    webContents.on(
      'new-window',
      (event, url, frameName, disposition, options) => {
        if (!options.webPreferences) {
          options.webPreferences = {};
        }
        Object.assign(
          options.webPreferences,
          topWebContents.getLastWebPreferences(),
        );
        if (options.webContents) {
          handle(options.webContents);
        }
      },
    );
  };
  handle(topWebContents);
};
enforceInheritance(mainWindow.webContents);
```
This code manually enforces that the top-level window's webPreferences are applied to all child windows, infinitely deep.
Further Information
This vulnerability was found and reported responsibly to the Electron project by Matt Austin of Contrast Security.
To learn more about best practices for keeping your Electron apps secure, see our security tutorial.
Please file a GitHub Security Advisory if you wish to report a vulnerability in Electron.