-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Electron security considerations #2018
Comments
To be frank, I am not sure. Maybe someone else can answer this.
+1. Security is very important. @marechal-p this might impact your work, to run Theia in an Electron FE, using a remote BE. |
Getting my head around the backend/frontend architecture of theia... The renderer process security should be implicit based on the mapping between the frontend/backend extensions and the platform separation. e.g. I wouldn't expect access to the Have such relationships been discussed/designed previously? |
From the link you mentioned (http://www.theia-ide.org/doc/architecture):
I think so far the idea was to not rely on any Node API in the frontend, because of the fact that it will run on both environments. In any case, Electron's Node API is just sugar that we don't really need because of the connection between the backend/frontend, that should only provide the necessary protocols and thus accesses to the Node API on the backend from the frontend. (even when running the electron application, there is still a backend that is started, so we should use it for Node operations) |
After more work on #2340, it turns out that using I don't know exactly why, but monaco was assuming some annoying things about the environment, making it crash when on Electron on http content. I wonder how many packages also try to guess the current env and fail while doing so... |
We've received a report that proves a potential vulnerability using the electron version of Theia due to the This is due to the node runtime being exposed in pages opened within the IDE context which could read local files, etc. We need to switch off It looks like electron changed this default to https://electronjs.org/releases/stable?page=5#release-notes-for-v500 |
Are you able to get a stable application by turning this flag off? Last time I tried I had to fight... |
I haven't tried, but it needs to be done :) |
Putting here a hack from when I was trying to load http(s) content into Electron: theia/packages/monaco/src/electron-browser/monaco-electron-module.ts Lines 50 to 55 in a9506fc
Without this, vscode's Unless they changed something, this should be relevant. |
@marechal-p is it the same with latest Monaco? VS Code was refactored to not use Node.js apis in the renderer process, maybe it fixed the issue? |
Hopefully... Thanks for the info. But the issue came from the AMDLoader that they use, so unless this component changed as well, then I don't know. But if the problem arise again, I figured it would help having the hack here. |
I've opened a draft PR with this security switched on in case anyone fancies investigating the issues: Regarding electron versions, the default to turn off node integration was introduced in Electron 5. We will need to explicitly turn it on when moving to that version or fix the issues apparent in the PR above. |
It doesn't seem like an issue for VS Code: https://github.com/microsoft/vscode/blob/a143fc36f8ee58db069c0bd2a14ec4ddeb29a009/src/vs/code/electron-main/sharedProcess.ts#L40 What kind of attack would we avoid by turning it off? |
The Electron example app shows the following in the developer tools console:
|
We have to remove
|
Using context isolation would also enable secondary window support for electron, which is currently blocked by electron/electron#36858 |
There are a couple of things we would need to do in order to make this happen:
If Monaco is capable of running in a context-isolated browser window, I would estimate the work to do at around 8 days. @paul-marechal since you seem to have looked into this in the past, would you concur?` Also: VS Code seems to support sandboxing, see microsoft/vscode#156440 |
While the initial setup of the preload script needs to be in one chunk, a lot of the work could be done incrementally. |
A quick hack to introduce context isolation in Theia (basically removing most uses of |
…eia#2018 All access to electron API is now done through an API exposed via a preload script. Access to the electron API (including electron-remote) and nodejs API is no longer possible. Theia extensions can contribute to the preload script via a `theiaExtensions` module declaration in their package.json Contributed on behalf or STMicroelectronics Signed-off-by: Thomas Mäder <[email protected]>
…eia#2018 All access to electron API is now done through an API exposed via a preload script. Access to the electron API (including electron-remote) and nodejs API is no longer possible. Theia extensions can contribute to the preload script via a `theiaExtensions` module declaration in their package.json Contributed on behalf or STMicroelectronics Signed-off-by: Thomas Mäder <[email protected]>
…eia#2018 All access to electron API is now done through an API exposed via a preload script. Access to the electron API (including electron-remote) and nodejs API is no longer possible. Theia extensions can contribute to the preload script via a `theiaExtensions` module declaration in their package.json Contributed on behalf or STMicroelectronics Signed-off-by: Thomas Mäder <[email protected]>
…eia#2018 All access to electron API is now done through an API exposed via a preload script. Access to the electron API (including electron-remote) and nodejs API is no longer possible. Theia extensions can contribute to the preload script via a `theiaExtensions` module declaration in their package.json Contributed on behalf or STMicroelectronics Signed-off-by: Thomas Mäder <[email protected]>
The security recommendations from electron outline best practice for securing the main process from malicious attacks in the renderer process. As electron is a little way behind chromium releases, known security holes may be publicised long before theia users receive updates to their apps. This is especially relevant if theia ever loads remote content.
Have these guidelines been considered in the design of theia and is there interest in applying them?
For example, I would recommend adding
webPreferences
to theBrowserWindow
options for these items:nodeIntegration: false
to prevent malicious code from running node functionality from the rendererpreload
to control the exact functionality and APIs available to the renderer process from the main process. This could simply be restricted to the IPC interfacesThis may have an impact on how
electron-browser
modules access the main electron process, however and require some re-architecture. I'm happy to propose a PR if this is agreed as being needed.The text was updated successfully, but these errors were encountered: