From 54b1481a4e48290a25b3e56220cacb3b31c386d3 Mon Sep 17 00:00:00 2001
From: smartfrigde <37928912+smartfrigde@users.noreply.github.com>
Date: Fri, 3 Jun 2022 15:18:36 +0200
Subject: [PATCH] Update WindowOpenHandler to be much more secure

---
 src/window.ts | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/src/window.ts b/src/window.ts
index ddcdb33..47b0f89 100644
--- a/src/window.ts
+++ b/src/window.ts
@@ -4,7 +4,7 @@
 // I'm sorry for this mess but I'm not sure how to fix it.
 import {BrowserWindow, shell, app, ipcMain, dialog, clipboard} from "electron";
 import path from "path";
-import {checkIfConfigIsBroken, firstRun, getConfig, contentPath, isSetup} from "./utils";
+import {checkIfConfigIsBroken, firstRun, getConfig, contentPath, isSetup, setConfig} from "./utils";
 import {registerIpc} from "./ipc";
 import startServer from "./socket";
 import contextMenu from "electron-context-menu";
@@ -21,11 +21,45 @@ contextMenu({
 });
 
 async function doAfterDefiningTheWindow() {
+ var ignoreProtocolWarning = await getConfig("ignoreProtocolWarning");
 checkIfConfigIsBroken();
 registerIpc();
 mainWindow.webContents.userAgent = `Mozilla/5.0 (X11; ${os.type()} ${os.arch()}) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36`; //fake useragent for screenshare to work
 mainWindow.webContents.setWindowOpenHandler(({url}) => {
- shell.openExternal(url);
+ if (url.startsWith("https:" || url.startsWith("http:") || url.startsWith("mailto:"))) {
+ shell.openExternal(url);
+ } else {
+ if (ignoreProtocolWarning) {
+ shell.openExternal(url);
+ } else {
+ const options = {
+ type: "question",
+ buttons: ["Yes, please", "No, I don't"],
+ defaultId: 1,
+ title: url,
+ message: `Do you want to open ${url}?`,
+ detail: "This url was detected to not use normal browser protocols. It could mean that this url leads to a local program on your computer. Please check if you recognise it, before proceeding!",
+ checkboxLabel: "Remember my answer and ignore this warning for future sessions",
+ checkboxChecked: false
+ };
+
+ dialog.showMessageBox(mainWindow, options).then(({response, checkboxChecked}) => {
+ console.log(response, checkboxChecked);
+ if (checkboxChecked) {
+ if (response == 0) {
+ setConfig("ignoreProtocolWarning", true);
+ } else {
+ setConfig("ignoreProtocolWarning", false);
+ }
+ }
+ if (response == 0) {
+ shell.openExternal(url);
+ } else {
+ return;
+ }
+ });
+ }
+ }
 return {action: "deny"};
 });
 mainWindow.webContents.session.webRequest.onBeforeRequest((details, callback) => {
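Review bot: The scheme allow-list in the new `setWindowOpenHandler` callback has a misplaced parenthesis: in `url.startsWith("https:" || url.startsWith("http:") || url.startsWith("mailto:"))` the `||` chain is evaluated first and yields `"https:"`, so only `https:` is ever matched and `http:`/`mailto:` links fall through to the prompt. The condition should read `if (url.startsWith("https:") || url.startsWith("http:") || url.startsWith("mailto:")) {`, or compare the parsed `new URL(url).protocol` against the three schemes. Separately, `ignoreProtocolWarning` is read once at the top of `doAfterDefiningTheWindow`, and when it is true every scheme is passed to `shell.openExternal` with no prompt, so a single ticked checkbox permanently disables the check this patch introduces; remembering the answer per scheme, or not offering a global bypass, would keep it meaningful. The promise returned by `dialog.showMessageBox` has no `.catch`, and `doAfterDefiningTheWindow` continues past the end of the hunk.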