npm - @stlite/desktop - Versions diffs - 0.21.2 → 0.21.3 - Mend

@stlite/desktop 0.21.2 → 0.21.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -25,8 +25,8 @@ Convert your [Streamlit](https://streamlit.io/) application into a desktop app w
      },
      "devDependencies": {
        "@stlite/desktop": "^0.21.0",
-       "electron": "20.2.0",
-       "electron-builder": "^23.3.3"
+       "electron": "^22.0.0",
+       "electron-builder": "^23.6.0"
      }
    }
    ```
@@ -49,3 +49,12 @@ Convert your [Streamlit](https://streamlit.io/) application into a desktop app w
    - This command is just a wrapper of `electron` command as you can see at the `"scripts"` field in the `package.json`. It launches Electron and starts the app with `./build/electron/main.js`, which is specified at the `"main"` field in the `package.json`.
 9. Run `npm run dist` or `yarn dist` for packaging.
    - This command bundles the `./build` directory created in the step above into application files (`.app`, `.exe`, `.dmg` etc.) in the `./dist` directory. To customize the built app, e.g. setting the icon, follow the [`electron-builder`](https://www.electron.build/) instructions.
+## Use the latest version of Electron
+To make your app secure, be sure to use the latest version of Electron.
+This is [announced](https://www.electronjs.org/docs/latest/tutorial/security#16-use-a-current-version-of-electron) as one of the security best practices in the Electron document too.
+## Limitations
+- Navigation to external resources like `st.markdown("[link](https://streamlit.io/)")` does not work for security. See https://github.com/whitphx/stlite/pull/445 and let us know if you have use cases where you have to use such external links.

package/build/electron/main.js CHANGED Viewed

@@ -18,31 +18,48 @@ const createWindow = () => {
         height: 720,
         webPreferences: {
             preload: path.join(__dirname, "preload.js"),
+            sandbox: true, // https://www.electronjs.org/docs/latest/tutorial/security#4-enable-process-sandboxing
         },
     });
+    const indexUrl = electron_1.app.isPackaged || process.env.NODE_ENV === "production"
+        ? "file:///index.html"
+        : "http://localhost:3000/";
+    // Check the IPC sender in every callback below,
+    // following the security best practice, "17. Validate the sender of all IPC messages."
+    // https://www.electronjs.org/docs/latest/tutorial/security#17-validate-the-sender-of-all-ipc-messages
+    const isValidIpcSender = (frame) => {
+        return frame.url === indexUrl;
+    };
     electron_1.ipcMain.handle("readSitePackagesSnapshot", (ev) => {
+        if (!isValidIpcSender(ev.senderFrame)) {
+            throw new Error("Invalid IPC sender");
+        }
         // This archive file has to be created by ./bin/dump_snapshot.ts
         const archiveFilePath = path.resolve(__dirname, "../site-packages-snapshot.tar.gz");
         return fsPromises.readFile(archiveFilePath);
     });
     electron_1.ipcMain.handle("readStreamlitAppDirectory", async (ev) => {
+        if (!isValidIpcSender(ev.senderFrame)) {
+            throw new Error("Invalid IPC sender");
+        }
         const streamlitAppDir = path.resolve(__dirname, "../streamlit_app");
         return (0, file_1.walkRead)(streamlitAppDir);
     });
-    if (electron_1.app.isPackaged || process.env.NODE_ENV === "production") {
-        // Use .loadURL() with an absolute URL based on "/" instead of .loadFile()
-        // because absolute URLs with the file:// scheme will be resolved
-        // to absolute file paths based on the special handler
-        // registered through `interceptFileProtocol` below.
-        mainWindow.loadURL("file:///index.html");
-    }
-    else {
-        mainWindow.loadURL("http://localhost:3000");
-    }
+    // Even when the entrypoint is a local file like the production build,
+    // we use .loadURL() with an absolute URL with the `file://` schema
+    // instead of passing a file path to .loadFile()
+    // because absolute URLs with the file:// scheme will be resolved
+    // to absolute file paths based on the special handler
+    // registered through `interceptFileProtocol` below.
+    mainWindow.loadURL(indexUrl);
     if (!electron_1.app.isPackaged) {
         mainWindow.webContents.openDevTools();
     }
 };
+// Enable process sandboxing globally (https://www.electronjs.org/docs/latest/tutorial/sandbox#enabling-the-sandbox-globally),
+// following the security best practice, "4. Enable process sandboxing."
+// https://www.electronjs.org/docs/latest/tutorial/security#4-enable-process-sandboxing
+electron_1.app.enableSandbox();
 // This method will be called when Electron has finished
 // initialization and is ready to create browser windows.
 // Some APIs can only be used after this event occurs.
@@ -77,3 +94,36 @@ electron_1.app.on("window-all-closed", () => {
     if (process.platform !== "darwin")
         electron_1.app.quit();
 });
+electron_1.app.on("web-contents-created", (event, contents) => {
+    // Intercepts webView creation events and forbid all,
+    // following the security best practice, "12. Verify WebView options before creation."
+    // https://www.electronjs.org/docs/latest/tutorial/security#12-verify-webview-options-before-creation
+    contents.on("will-attach-webview", (event, webPreferences, params) => {
+        // Cancels all webView creation request
+        event.preventDefault();
+    });
+    // Intercepts navigation and forbid all,
+    // following the security best practice, "13. Disable or limit navigation."
+    // https://www.electronjs.org/docs/latest/tutorial/security#13-disable-or-limit-navigation
+    contents.on("will-navigate", (event, navigationUrl) => {
+        console.debug("will-navigate", navigationUrl);
+        event.preventDefault();
+    });
+    // Limit new windows creation,
+    // following the security best practice, "14. Disable or limit creation of new windows."
+    // https://www.electronjs.org/docs/latest/tutorial/security#14-disable-or-limit-creation-of-new-windows
+    contents.setWindowOpenHandler(({ url }) => {
+        console.error("Opening a new window is not allowed.");
+        // TODO: Implement `isSafeForExternalOpen()` below with a configurable allowed list.
+        // We'll ask the operating system
+        // to open this event's url in the default browser.
+        // DON'T pass an arbitrary URL to `shell.openExternal()` here
+        // as advised at "15. Do not use shell.openExternal with untrusted content."
+        // if (isSafeForExternalOpen(url)) {
+        //   setImmediate(() => {
+        //     shell.openExternal(url)
+        //   })
+        // }
+        return { action: "deny" };
+    });
+});

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@stlite/desktop",
-  "version": "0.21.2",
+  "version": "0.21.3",
   "license": "Apache-2.0",
   "homepage": "/",
   "main": "./build/electron/main.js",
@@ -57,8 +57,8 @@
   },
   "devDependencies": {
     "@craco/craco": "^6.1.2",
-    "@stlite/common": "^0.21.2",
-    "@stlite/kernel": "^0.21.2",
+    "@stlite/common": "^0.21.3",
+    "@stlite/kernel": "^0.21.3",
     "@testing-library/react": "^11.2.7",
     "@testing-library/user-event": "^13.1.9",
     "@types/jest": "^26.0.19",
@@ -66,8 +66,8 @@
     "@types/react": "^17.0.7",
     "@types/react-dom": "^17.0.5",
     "@types/yargs": "^17.0.13",
-    "electron": "20.2.0",
-    "electron-builder": "^23.3.3",
+    "electron": "^22.0.0",
+    "electron-builder": "^23.6.0",
     "electron-reload": "^2.0.0-alpha.1",
     "esbuild": "^0.16.6",
     "raw-loader": "^4.0.2",