From 4280c4ca70b64d337dc640a68359f9b9aee3214e Mon Sep 17 00:00:00 2001
From: Oj
Date: Wed, 19 Jan 2022 17:49:46 +0000
Subject: [PATCH] [SecurityUtils] Remove sseoAllowlist option, have rewrite only

---
 README.md | 1 -
 src/utils/securityUtils.js | 13 +------------
 2 files changed, 1 insertion(+), 13 deletions(-)

diff --git a/README.md b/README.md
index f170f87..baf1178 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,6 @@ You can configure OpenAsar via `settings.json` (found in your Discord app data /
 - `autoupdate` (bool, default true) - whether to autoupdate OpenAsar after Discord startup
 - `updatePrompt` (bool, default false) - whether to show update prompt after updating OpenAsar
 - `splashText` (bool, default true) - whether to show bottom right version info text in splash
-- `ssoeAllowlist` (bool, default true) - whether to use safer custom method of opening external urls (true) or normal Discord's method (false)
 
 ### Extra Discord Options
 - `multiInstance` (bool, default false) - whether to enable multi-instance
diff --git a/src/utils/securityUtils.js b/src/utils/securityUtils.js
index 8573611..a27dbc6 100644
--- a/src/utils/securityUtils.js
+++ b/src/utils/securityUtils.js
@@ -1,8 +1,6 @@
 const { shell } = require('electron');
 
-const BLOCKED_URL_PROTOCOLS = ['file:', 'javascript:', 'vbscript:', 'data:', 'about:', 'chrome:', 'ms-cxh:', 'ms-cxh-full:', 'ms-word:']; // From Discord
 const allowedProtocols = [ 'https:', 'http:' ];
-
 exports.saferShellOpenExternal = (url) => {
 let parsed;
 
@@ -10,16 +8,7 @@ exports.saferShellOpenExternal = (url) => {
 parsed = new URL(url);
 } catch (_e) { return Promise.reject(); }
 
- const protocol = parsed.protocol?.toLowerCase();
-
- let disallowed = false;
- if (oaConfig.ssoeAllowlist === false) { // Allow config option to use traditional Discord check for compatibility
- if (!protocol || BLOCKED_URL_PROTOCOLS.includes(protocol)) disallowed = true;
- } else {
- if (!allowedProtocols.includes(protocol)) disallowed = true;
- }
-
- if (disallowed) return Promise.reject();
+ if (!allowedProtocols.includes(parsed.protocol?.toLowerCase())) return Promise.reject(); // Only allow some protocols
 
 return shell.openExternal(url);
 };
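Review bot: The added allowlist check validates `parsed.protocol`, but the last context line still passes the original string on with `return shell.openExternal(url);`, so the value that was checked and the value that is opened are not guaranteed to be the same text once the URL parser has normalised its input. With the blocklist fallback removed this check is the only guard, so I would open the parsed form instead: `return shell.openExternal(parsed.href);`. The new line also rejects with no reason, like the `catch` above it; `return Promise.reject(new Error('Blocked protocol: ' + parsed.protocol));` would give callers and logs something to act on. `URL.prototype.protocol` is always a lower-case string, so `?.toLowerCase()` is redundant here. The function opens in the previous hunk and its `try {` line is outside both hunks.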