contrib.nodejsscan.security_electronjs.electron_nodejs_integration

Node integration exposes Node.js APIs to the Electron app, which can introduce remote code execution vulnerabilities if the app is vulnerable to cross-site scripting (XSS).
Definition
rules:
- id: electron_nodejs_integration
  patterns:
  - pattern-either:
    - pattern: |
        new BrowserWindow({webPreferences: {nodeIntegration: true}});
    - pattern: |
        var $X = {webPreferences: {nodeIntegration: true}};
  message: Node integration exposes node.js APIs to the electron app and this can
    introduce remote code execution vulnerabilities to the application if the
    app is vulnerable to Cross Site Scripting (XSS).
  languages:
  - javascript
  severity: WARNING
  metadata:
    owasp: A06:2017 - Security Misconfiguration
    cwe: "CWE-272: Least Privilege Violation"
    category: security
    technology:
    - electron
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Short Link: https://sg.run/0QDq
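
An added example, not part of the rule or of nodejsscan: a runtime check for the setting the rule flags statically, generalized to the related Electron `webPreferences` switches `nodeIntegrationInWorker`, `nodeIntegrationInSubFrames` and `contextIsolation`. The helper names `auditWebPreferences` and `hardenOptions` and the sample options object are assumptions made for illustration.

```javascript
// Added example. auditWebPreferences and hardenOptions are hypothetical helpers,
// not Electron or nodejsscan APIs. Runs under plain Node.js; Electron is not required.

// webPreferences keys that, when true, give renderer content access to Node.js APIs.
const NODE_FLAGS = ['nodeIntegration', 'nodeIntegrationInWorker', 'nodeIntegrationInSubFrames'];

// Return a list of findings for a BrowserWindow options object.
function auditWebPreferences(options) {
  const prefs = (options && options.webPreferences) || {};
  const findings = [];
  for (const flag of NODE_FLAGS) {
    if (prefs[flag] === true) findings.push(`${flag} is enabled`);
  }
  // With isolation off, page scripts share a JavaScript context with the preload script.
  if (prefs.contextIsolation === false) findings.push('contextIsolation is disabled');
  return findings;
}

// Return a copy of the options with Node access off and context isolation on.
// Unrelated settings (window size, preload path, ...) are preserved and the
// caller's object is not mutated.
function hardenOptions(options = {}) {
  const prefs = { ...(options.webPreferences || {}) };
  for (const flag of NODE_FLAGS) prefs[flag] = false;
  prefs.contextIsolation = true;
  return { ...options, webPreferences: prefs };
}

// Constructed sample: the options shape the rule above flags.
const weak = {
  width: 800,
  height: 600,
  webPreferences: { nodeIntegration: true, preload: '/app/preload.js' },
};
const fixed = hardenOptions(weak);

console.log('weak :', auditWebPreferences(weak));
console.log('fixed:', auditWebPreferences(fixed));

// In an Electron main process the hardened object is what gets passed on:
//   const win = new BrowserWindow(hardenOptions(opts));
```

Because the check runs on the final options object, it also covers options that are assembled dynamically rather than written as a single literal.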