Indien die preload-skrip 'n IPC-eindpunt blootstel vanaf die main.js-lêer, sal die renderer-proses daartoe toegang hê en indien kwesbaar, kan 'n RCE moontlik wees.
Kyk hoe main.js na getUpdate luister en enige URL wat deurgegee word, aflaai en uitvoer.
Kyk ook hoe preload.js enige IPC-gebeurtenis vanaf die hoofproses blootstel.
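// Part of code of main.js
//
// NOTE(review): this is the vulnerable pattern the page describes; the
// download-and-run behaviour is kept unchanged. The comments mark the
// checks a reviewer would expect and does not find here.

// Accepts a URL over the 'getUpdate' channel and starts downloading it.
// Nothing in this handler checks who sent the message (event.senderFrame)
// or restricts the URL to a trusted update origin.
ipcMain.on('getUpdate', (event, url) => {
  console.log('getUpdate: ' + url);
  mainWindow.webContents.downloadURL(url);
  // Remembered so the 'will-download' handler can derive the file name.
  mainWindow.download_url = url;
});

// Registered on the session, so it runs for every download of that session;
// it never compares the item with the URL stored by 'getUpdate'.
mainWindow.webContents.session.on('will-download', (event, item, webContents) => {
  console.log('downloads path=' + app.getPath('downloads'));
  console.log('mainWindow.download_url=' + mainWindow.download_url);
  // The file name is the last '/'-separated part of the caller-supplied URL.
  const urlParts = mainWindow.download_url.split('/');
  const filename = urlParts[urlParts.length - 1];
  mainWindow.downloadPath = app.getPath('downloads') + '/' + filename;
  console.log('downloadPath=' + mainWindow.downloadPath);
  // Set the save path, making Electron not to prompt a save dialog.
  item.setSavePath(mainWindow.downloadPath);

  item.on('updated', (event, state) => {
    if (state === 'interrupted') {
      console.log('Download is interrupted but can be resumed');
    } else if (state === 'progressing') {
      if (item.isPaused()) console.log('Download is paused');
      else console.log(`Received bytes: ${item.getReceivedBytes()}`);
    }
  });

  item.once('done', (event, state) => {
    if (state === 'completed') {
      console.log('Download successful, running update');
      // 0o755 replaces the legacy octal literal 0755, which is a syntax
      // error in strict mode.
      fs.chmodSync(mainWindow.downloadPath, 0o755);
      // The downloaded file is made executable and run with no signature
      // or hash verification: whoever controls the URL controls the code
      // that runs in the main process's context.
      const { execFile } = require('child_process');
      execFile(mainWindow.downloadPath, function (err, data) {
        if (err) { console.error(err); return; }
        console.log(data.toString());
      });
    } else console.log(`Download failed: ${state}`);
  });
});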
// Part of code of preload.js
//
// Generic sender placed on `window`: the page picks both the channel name
// and the payload, and both are forwarded unchanged to ipcRenderer.send.
// Any script running in the renderer, injected script included, can
// therefore message whatever channels the main process listens on.
// NOTE(review): a narrower preload would expose one function per intended
// channel instead of a pass-through for arbitrary channel names.
window.electronSend = (channel, payload) => {
  ipcRenderer.send(channel, payload);
};
Indien die voorlaai-skrip direk aan die renderer 'n manier blootstel om shell.openExternal aan te roep, is dit moontlik om RCE te verkry.
// Part of preload.js code
//
// Exposes shell.openExternal to page script with the argument passed
// through untouched. openExternal hands the URL to the operating system's
// default handler for its scheme, and nothing here restricts the scheme.
// NOTE(review): a hardened wrapper would parse the value and allow only
// the expected web schemes (for example https:) before calling it.
window.electronOpenInBrowser = (target) => {
  shell.openExternal(target);
};
Voorbeeld 3
Indien die preload-skrip maniere blootstel om heeltemal met die hoofproses te kommunikeer, sal 'n XSS enige gebeurtenis kan stuur. Die impak hiervan hang af van wat die hoofproses blootstel in terme van IPC.