refactor(frontend): security improvements - remove inline style from HTML file, remove inline JS eval from main process, add additional security restrictions

Author: Madman10K

src/frontend/index.html

@@ -57,7 +57,7 @@
         </div>
         <div id='root-container' class='container'>
           <div id='ROOT'>
-            <div id="context-menu-container" style="display: none;"></div>
+            <div id="context-menu-container"></div>
             <div id='fixed-search'>
             </div>
             <section id="main">

src/frontend/index/install.nim

@@ -6,6 +6,8 @@ import
   ../[ types ],
   ../../common/[ paths, ct_logging ]
 
+from window import setupSecureContext
+
 type
   InstallResponseKind* {.pure.} = enum Ok, Problem, Dismissed
 
@@ -22,31 +24,33 @@ var
   process {.importc.}: js
 
 proc createInstallSubwindow*(): js =
-    let win = jsnew electron.BrowserWindow(
-      js{
-        "width": 700,
-        "height": 422,
-        "resizable": false,
-        "parent": mainWindow,
-        "modal": true,
-        "webPreferences": js{
-          "nodeIntegration": true,
-          "contextIsolation": false,
-          "spellcheck": false
-        },
-        "frame": false,
-        "transparent": false,
-        })
-
-    let url = "file://" & $codetracerExeDir & "/subwindow.html"
-    debugPrint "Attempting to load: ", url
-    win.loadURL(cstring(url))
-
-    let inDevEnv = nodeProcess.env[cstring"CODETRACER_DEV_TOOLS"] == cstring"1"
-    if inDevEnv:
-      electronDebug.devTools(win)
-
-    win.toJs
+  let win = jsnew electron.BrowserWindow(
+    js{
+      "width": 700,
+      "height": 422,
+      "resizable": false,
+      "parent": mainWindow,
+      "modal": true,
+      "webPreferences": js{
+        "nodeIntegration": true,
+        "contextIsolation": false,
+        "spellcheck": false
+      },
+      "frame": false,
+      "transparent": false,
+    }
+  )
+  setupSecureContext(win)
+
+  let url = $codetracerExeDir & "/subwindow.html"
+  debugPrint "Attempting to load: ", url
+  win.loadFile(url)
+
+  let inDevEnv = nodeProcess.env[cstring"CODETRACER_DEV_TOOLS"] == cstring"1"
+  if inDevEnv:
+    electronDebug.devTools(win)
+
+  win.toJs
 
 
 proc onInstallCt*(sender: js, response: js) {.async.} =

src/frontend/index/window.nim

@@ -36,6 +36,32 @@ proc onClose*(e: js) =
     mainWindow.webContents.send "CODETRACER::close", js{}
     close = true
 
+proc setupSecureContext*(win: JsObject) =
+  # Prevent opening new windows or popups
+  win.webContents.setWindowOpenHandler(proc: js =
+    return js{
+      "action": "deny"
+    }
+  )
+
+  # Disable webview tags
+  electron_vars.app.on(
+    "web-contents-created",
+    proc(evt: js, contents: js) =
+      contents.on("will-attach-webview", proc(event: js) =
+        event.preventDefault()
+      )
+  )
+
+  # Disable window navigation
+  win.on(
+    "will-navigate",
+    proc(e: js, url: js) =
+      let current = win.getURL()
+      if url != current:
+        e.preventDefault()
+  )
+
 proc createMainWindow*: js =
   when not defined(server):
     # TODO load from config
@@ -72,13 +98,16 @@ proc createMainWindow*: js =
 
     let win = jsnew electron.BrowserWindow(initInfo)
     win.on("maximize", proc() =
-      win.webContents.executeJavaScript("document.body.style.backgroundColor = 'black';"))
+      win.webContents.send "CODETRACER::maximize", js{}
+    )
     win.on("unmaximize", proc() =
-      win.webContents.executeJavaScript("document.body.style.backgroundColor = 'transparent';"))
+      win.webContents.send "CODETRACER::unmaximize", js{}
+    )
     win.maximize()
-    let url = "file://" & $codetracerExeDir & "/index.html"
 
-    win.loadURL(cstring(url))
+    let url = $codetracerExeDir & "/index.html"
+    win.loadFile(url)
+    setupSecureContext(win)
 
     win.on("close", onClose)
     # TODO: eventually add a shortcut and ipc message that lets us

src/frontend/styles/components/welcome_screen.styl

@@ -637,3 +637,6 @@
 
 .stylus-content
   width: 850px !important
+
+#context-menu-container
+  display: none

src/frontend/subwindow.html

@@ -1,20 +1,16 @@
 <!DOCTYPE html>
 <html>
-  <head>
-      <meta charset="UTF-8">
-      <title>Install Subwindow</title>
-
+    <head>
+        <meta charset="UTF-8">
+        <title>Install Subwindow</title>
         <link rel='stylesheet' href='frontend/styles/subwindow.css'>
-  </head>
-  <body>
-
-    <div id="ROOT"></div>
-
-    <script> 
-      window.electron = require('electron');
-      let inElectron = true
-    </script>
-    <script type="text/javascript" src="subwindow.js"></script>
-
-  </body>
+    </head>
+    <body>
+        <div id="ROOT"></div>
+        <script>
+            window.electron = require('electron');
+            window.inElectron = true
+        </script>
+        <script type="text/javascript" src="subwindow.js"></script>
+    </body>
 </html>

src/frontend/ui_js.nim

@@ -1212,6 +1212,11 @@ macro uiIpcHandlers*(namespace: static[string], messages: untyped): untyped =
     result.add(messageCode)
   # echo result.repr
 
+proc onMaximize(data: Data) =
+  jq("body").style.backgroundColor = cstring"black"
+proc onUnmaximize(data: Data) =
+  jq("body").style.backgroundColor = cstring"transparent"
+
 proc configureIPC(data: Data) =
   uiIpcHandlers("CODETRACER::"):
     # "new-record-window"
@@ -1305,6 +1310,9 @@ proc configureIPC(data: Data) =
     "dap-receive-response"
     "dap-receive-event"
 
+    "maximize"
+    "unmaximize"
+
   duration("configureIPCRun")
 
 proc zoomInEditors*(data: Data) =