
OPEN_EXTERNAL_JS_CHECK

Anthony Trummer edited this page Jan 6, 2022 · 4 revisions

OPEN_EXTERNAL_JS_CHECK - Review the use of openExternal

Electron's shell.openExternal() opens a URL with the desktop's native handler for its protocol. On macOS it behaves much like the `open` command-line utility: the application that is launched is chosen from the URI scheme or the file type association, not by the Electron app. If the argument can be influenced by untrusted content (a link in remote HTML, a value received from a renderer process, a deep link), an attacker can launch arbitrary local applications or protocol handlers on the user's machine, as the following example shows by opening Calculator on macOS:

```javascript
const { shell } = require('electron')
// A file:// URI pointing at an application bundle launches that application.
shell.openExternal('file:///Applications/Calculator.app')
```

Risk

Improper use of openExternal can be leveraged to compromise the user's host: the call hands control to whatever local program is registered for the scheme or file type. Electron's shell module provides powerful primitives that must be used with caution.

Auditing

Manually review every occurrence of openExternal and trace where its argument comes from. Confirm that any user-supplied or remote-controlled input is validated before the call, for instance by parsing it and checking the scheme against a short allowlist (such as http:, https: and mailto:) rather than by blocklisting known-bad schemes.
