fix(security): Prevent arbitrary executable execution via VIRTUAL_ENV #242
Open
pranav-cholleti wants to merge 2 commits into
…ution via Environment Variable in `main.js`

The `resolvePythonCmd` function currently relies on the `VIRTUAL_ENV` environment variable to locate the Python executable. This unchecked dependency allows an attacker to control the `VIRTUAL_ENV` variable, pointing it to a malicious executable. When `startFlaskServer` subsequently uses this `pythonCmd` in `child_process.spawn`, it executes the attacker-controlled program, leading to arbitrary code execution.

The fix involves modifying `resolvePythonCmd` to prioritize a securely bundled Python interpreter in packaged Electron applications and only permit `VIRTUAL_ENV` usage during development, thus preventing malicious environment variable injection in production.

Changes:
- main.js: Replaced resolvePythonCmd with a secure version that checks app.isPackaged and bundles Python in production, preventing arbitrary executable execution via VIRTUAL_ENV.
🛠️ Related Issue
Closes: #236
📌 Description
This PR addresses a critical security vulnerability (CWE-73) in `main.js` where the application was susceptible to arbitrary executable execution. The `resolvePythonCmd` function previously used the `VIRTUAL_ENV` environment variable to locate the Python executable without sufficient validation. This allowed an attacker to potentially control `VIRTUAL_ENV` and point it to a malicious executable, leading to arbitrary code execution when `child_process.spawn` was invoked.

To mitigate this, the `resolvePythonCmd` function has been updated to prioritize a securely bundled Python interpreter when the Electron application is running in a packaged (production) environment. The use of the `VIRTUAL_ENV` environment variable is now strictly confined to development mode, preventing its exploitation in production deployments and ensuring that only trusted Python executables are launched by the application.

✨ Changes Made

- `main.js`: Updated the `resolvePythonCmd` function to differentiate between packaged (production) and development environments. In packaged applications, it now explicitly resolves the Python interpreter to a securely bundled version located within `process.resourcesPath`. In development mode, it retains the existing logic for `VIRTUAL_ENV` and system Python, but this path is no longer used in production builds.