[SecurityUtils] Self rewrite, also with safer patch plus using non-deprecated API
This commit is contained in:
parent
f7cba58ce1
commit
41fe1b45ec
3 changed files with 28 additions and 36 deletions
|
@ -20,11 +20,12 @@
|
||||||
**If using Linux it is highly recommended to disable write protection** (needing root to overwrite files) for your Discord install if you have it enabled. It is not much of a security defecit as Windows has no write protection as well. This enables updating the asar and potentially host updating further on.
|
**If using Linux it is highly recommended to disable write protection** (needing root to overwrite files) for your Discord install if you have it enabled. It is not much of a security defecit as Windows has no write protection as well. This enables updating the asar and potentially host updating further on.
|
||||||
|
|
||||||
## Config
|
## Config
|
||||||
You can configure OpenAsar via `settings.json` (found in your Discord app data / user data), under a `openasar` object. Keep in mind most options are defaults for good reason, they may temporarily brick your client until you revert your changes. The avaliable options are:
|
You can configure OpenAsar via `settings.json` (found in your Discord app data / user data), under a `openasar` object. Keep in mind most options are defaults for good reason. The avaliable options are:
|
||||||
- `quickstart` (bool, default false) - whether to use Quickstart (experimental)
|
- `quickstart` (bool, default false) - whether to use Quickstart (experimental)
|
||||||
- `skipStartupUpdateChecks` (bool, default false) - skips startup update checking (Linux-only)
|
- `skipStartupUpdateChecks` (bool, default false) - skips startup update checking (Linux-only)
|
||||||
- `autoupdate` (bool, default true) - whether to autoupdate OpenAsar after Discord startup
|
- `autoupdate` (bool, default true) - whether to autoupdate OpenAsar after Discord startup
|
||||||
- `multiInstance` (bool, default false) - whether to enable multi-instance
|
- `multiInstance` (bool, default false) - whether to enable multi-instance
|
||||||
|
- `ssoeAllowlist` (bool, default true) - whether to use safer custom method of opening external urls (true) or normal Discord's method (false)
|
||||||
|
|
||||||
An example of a settings.json with OpenAsar config:
|
An example of a settings.json with OpenAsar config:
|
||||||
```json
|
```json
|
||||||
|
|
|
@ -12,5 +12,5 @@
|
||||||
- [X] `windowsUtils`
|
- [X] `windowsUtils`
|
||||||
- [X] `Settings`
|
- [X] `Settings`
|
||||||
- [X] `Backoff`
|
- [X] `Backoff`
|
||||||
- [ ] `securityUtils`
|
- [X] `securityUtils`
|
||||||
- [ ] Compatibility / replication of original Discord splash
|
- [ ] Compatibility / replication of original Discord splash
|
|
@ -1,45 +1,36 @@
|
||||||
"use strict";
|
const { shell } = require('electron');
|
||||||
|
|
||||||
Object.defineProperty(exports, "__esModule", {
|
const BLOCKED_URL_PROTOCOLS = ['file:', 'javascript:', 'vbscript:', 'data:', 'about:', 'chrome:', 'ms-cxh:', 'ms-cxh-full:', 'ms-word:']; // From Discord
|
||||||
value: true
|
const allowedProtocols = [ 'https:', 'http:' ];
|
||||||
});
|
|
||||||
exports.saferShellOpenExternal = saferShellOpenExternal;
|
|
||||||
exports.checkUrlOriginMatches = checkUrlOriginMatches;
|
|
||||||
|
|
||||||
var _electron = require("electron");
|
exports.saferShellOpenExternal = (url) => {
|
||||||
|
let parsed;
|
||||||
var _url = _interopRequireDefault(require("url"));
|
|
||||||
|
|
||||||
function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
|
|
||||||
|
|
||||||
const BLOCKED_URL_PROTOCOLS = ['file:', 'javascript:', 'vbscript:', 'data:', 'about:', 'chrome:', 'ms-cxh:', 'ms-cxh-full:', 'ms-word:'];
|
|
||||||
|
|
||||||
function saferShellOpenExternal(externalUrl) {
|
|
||||||
let parsedUrl;
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
parsedUrl = _url.default.parse(externalUrl);
|
parsed = new URL(url);
|
||||||
} catch (_) {
|
} catch (_e) { return Promise.reject(); }
|
||||||
return Promise.reject();
|
|
||||||
|
const protocol = parsed.protocol?.toLowerCase();
|
||||||
|
|
||||||
|
let disallowed = false;
|
||||||
|
if (oaConfig.ssoeAllowlist === false) { // Allow config option to use traditional Discord check for compatibility
|
||||||
|
if (!protocol || BLOCKED_URL_PROTOCOLS.includes(protocol)) disallowed = true;
|
||||||
|
} else {
|
||||||
|
if (!allowedProtocols.includes(protocol)) disallowed = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (parsedUrl.protocol == null || BLOCKED_URL_PROTOCOLS.includes(parsedUrl.protocol.toLowerCase())) {
|
if (disallowed) return Promise.reject();
|
||||||
return Promise.reject();
|
|
||||||
}
|
|
||||||
|
|
||||||
return _electron.shell.openExternal(externalUrl);
|
return shell.openExternal(url);
|
||||||
}
|
};
|
||||||
|
|
||||||
function checkUrlOriginMatches(urlA, urlB) {
|
exports.checkUrlOriginMatches = (url1, url2) => {
|
||||||
let parsedUrlA;
|
let parse1, parse2;
|
||||||
let parsedUrlB;
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
parsedUrlA = _url.default.parse(urlA);
|
parse1 = new URL(url1);
|
||||||
parsedUrlB = _url.default.parse(urlB);
|
parse2 = new URL(url2);
|
||||||
} catch (_) {
|
} catch (_e) { return Promise.reject(); }
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return parsedUrlA.protocol === parsedUrlB.protocol && parsedUrlA.slashes === parsedUrlB.slashes && parsedUrlA.host === parsedUrlB.host;
|
return parse1.protocol === parse2.protocol && parse1.host === parse2.host;
|
||||||
}
|
};
|
Loading…
Reference in a new issue