Proverite kako main.js osluškuje getUpdate i preuzima i izvršava bilo koji URL koji se prosledi.
Takođe proverite kako preload.jsizlaže bilo koji IPC događaj iz main-a.
// Part of code of main.jsipcMain.on('getUpdate', (event, url) => {console.log('getUpdate: '+ url)mainWindow.webContents.downloadURL(url)mainWindow.download_url = url});mainWindow.webContents.session.on('will-download', (event, item, webContents) => {console.log('downloads path='+app.getPath('downloads'))console.log('mainWindow.download_url='+mainWindow.download_url);url_parts =mainWindow.download_url.split('/')filename = url_parts[url_parts.length-1]mainWindow.downloadPath =app.getPath('downloads') +'/'+ filenameconsole.log('downloadPath='+mainWindow.downloadPath)// Set the save path, making Electron not to prompt a save dialog.item.setSavePath(mainWindow.downloadPath)item.on('updated', (event, state) => {if (state ==='interrupted') {console.log('Download is interrupted but can be resumed')}elseif (state ==='progressing') {if (item.isPaused()) console.log('Download is paused')elseconsole.log(`Received bytes: ${item.getReceivedBytes()}`)}})item.once('done', (event, state) => {if (state ==='completed') {console.log('Download successful, running update')fs.chmodSync(mainWindow.downloadPath,0755);var child =require('child_process').execFile;child(mainWindow.downloadPath,function(err, data) {if (err) { console.error(err); return; }console.log(data.toString());});}elseconsole.log(`Download failed: ${state}`)})})
// Part of code of preload.jswindow.electronSend= (event, data) => {ipcRenderer.send(event, data);};
Ako preload skripta direktno omogući rendereru da pozove shell.openExternal, moguće je dobiti RCE.
// Part of preload.js codewindow.electronOpenInBrowser= (url) => {shell.openExternal(url);};
Primer 3
Ako preload skripta otkriva načine za potpunu komunikaciju sa glavnim procesom, XSS će moći da pošalje bilo koji događaj. Uticaj ovoga zavisi od toga šta glavni proces otkriva u pogledu IPC-a.
