SECURITY: The Electron IPC handler exposed raw child_process.exec() to
renderer code, allowing arbitrary command execution via shell metacharacters.

Changes:
- electron-main.js: Replace exec() with execFile() + argument arrays
  Add operation whitelist (ALLOWED_MEMPALACE_OPS)
  Add sanitizeArg() to reject shell metacharacters (;, &, |, `, $, etc.)
  Both exec-python (legacy) and new mempalace-exec IPC handlers are safe
- mempalace.js: Replace template-interpolated shell strings with safe
  _exec(op, ...args) method using the new mempalace-exec IPC
- app.js: Remove direct execPython call with template interpolation,
  use mempalace.addDrawer() instead
- preload.js: New context bridge exposing mempalaceExec and restricted
  execPython to renderer
- tests/test_electron_security.py: 7 security assertions

The old pattern:
  exec(`mempalace search "${userInput}"`)
  // user submits: "; rm -rf /"
  // executes: mempalace search ""; rm -rf /""

The new pattern:
  execFile('mempalace', ['search', userInput])
  // user submits: "; rm -rf /"
  // executes: mempalace 'search' '"; rm -rf /"'
  // metacharacters are rejected by sanitizeArg()
12 lines
497 B
JavaScript
// preload.js — Electron context bridge
// Safely exposes IPC methods to the renderer process
const { contextBridge, ipcRenderer } = require('electron')
contextBridge.exposeInMainWorld('electronAPI', {
// Safe MemPalace execution — uses argument arrays, no shell strings
mempalaceExec: (opts) => ipcRenderer.invoke('mempalace-exec', opts),
// Legacy bridge — restricted to whitelisted mempalace commands only
execPython: (command) => ipcRenderer.invoke('exec-python', command),
})
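Review bot: the legacy `execPython` bridge at the end of preload.js still takes one free-form `command` string and forwards it unchanged to `exec-python`, so the "restricted to whitelisted mempalace commands" comment describes enforcement that is not visible in this file and that the main process can only apply by parsing a string. Since the commit message says app.js no longer calls execPython directly, consider dropping this bridge entirely, or changing it to the same structured shape as `mempalaceExec` (an operation name plus an argument array) so the renderer never has a string-command channel. It would also help to note in the comment on `mempalaceExec` that `opts` is passed through unvalidated here and must be treated as untrusted by the `mempalace-exec` handler.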