security: Code clean up.

security: Disable drag and drop in all the renderer process.
2025-10-23 03:31:56 +00:00 · 2018-03-22 16:18:00 +05:30 · 2018-03-22 14:15:19 +05:30 · 2018-03-22 14:02:16 +05:30 · 2018-03-22 13:54:10 +05:30 · 2018-03-22 13:49:47 +05:30
6 changed files with 55 additions and 27 deletions
--- a/app/renderer/about.html
+++ b/app/renderer/about.html
@@ -1,45 +1,50 @@
 <!DOCTYPE html>
 <html lang="en">
-	<head>
-		<meta charset="UTF-8">
-		<link rel="stylesheet" href="css/about.css">
-	</head>
-	<body>
+
+<head>
+	<meta charset="UTF-8">
+	<link rel="stylesheet" href="css/about.css">
+</head>
+
+<body>
 	<div class="about">
 		<img class="logo" src="../resources/zulip.png" />
 		<p class="detail" id="version">v?.?.?</p>
 		<div class="maintenance-info">
 			<p class="detail maintainer">
-				Maintained by <a onclick="linkInBrowser('website')">Zulip</a>
+				Maintained by
+				<a onclick="linkInBrowser('website')">Zulip</a>
 			</p>
 			<p class="detail license">
-				Available under the <a onclick="linkInBrowser('license')">Apache 2.0 License</a>
+				Available under the
+				<a onclick="linkInBrowser('license')">Apache 2.0 License</a>
 			</p>
 			<a class="bug" onclick="linkInBrowser('bug')" href="#">Found bug?</a>
 		</div>
 	</div>
 	<script>

-	const { app } = require('electron').remote;
-	const { shell } = require('electron');
-	const version_tag = document.querySelector('#version');
-	version_tag.innerHTML = 'v' + app.getVersion();
+		const { app } = require('electron').remote;
+		const { shell } = require('electron');
+		const version_tag = document.querySelector('#version');
+		version_tag.innerHTML = 'v' + app.getVersion();

-	function linkInBrowser(type) {
-		let url;
-		switch (type) {
-			case 'website': 
-				url = "https://zulipchat.com";
-				break;
-			case 'license': 
-				url = "https://github.com/zulip/zulip-electron/blob/master/LICENSE";
-				break;
-			default:
-				url = 'https://github.com/zulip/zulip-electron/issues/new?body=' + 
-				      '%3C!--Please%20describe%20your%20issue%20and%20steps%20to%20reproduce%20it.--%3E';
+		function linkInBrowser(type) {
+			let url;
+			switch (type) {
+				case 'website':
+					url = "https://zulipchat.com";
+					break;
+				case 'license':
+					url = "https://github.com/zulip/zulip-electron/blob/master/LICENSE";
+					break;
+				default:
+					url = 'https://github.com/zulip/zulip-electron/issues/new?body=' +
+						'%3C!--Please%20describe%20your%20issue%20and%20steps%20to%20reproduce%20it.--%3E';
+			}
+			shell.openExternal(url);
 		}
-		shell.openExternal(url);
-	}
 	</script>
-	</body>
+	<script>require('./js/shared/preventdrag.js')</script>
+</body>
 </html>
--- a/app/renderer/js/preload.js
+++ b/app/renderer/js/preload.js
@@ -8,6 +8,9 @@ const ConfigUtil = require(__dirname + '/utils/config-util.js');
 // eslint-disable-next-line import/no-unassigned-import
 require('./notification');

+// Prevent drag and drop event in main process which prevents remote code executaion
+require(__dirname + '/shared/preventdrag.js');
+
 const logout = () => {
 	// Create the menu for the below
 	document.querySelector('.dropdown-toggle').click();
--- a/app/renderer/js/shared/preventdrag.js
+++ b/app/renderer/js/shared/preventdrag.js
@@ -0,0 +1,17 @@
+'use strict';
+
+// This is a security fix. Following function prevents drag and drop event in the app
+// so that attackers can't execute any remote code within the app
+// It doesn't affect the compose box so that users can still
+// use drag and drop event to share files etc
+
+const preventDragAndDrop = () => {
+	const preventEvents = ['dragover', 'drop'];
+	preventEvents.forEach(dragEvents => {
+		document.addEventListener(dragEvents, event => {
+			event.preventDefault();
+		});
+	});
+};
+
+preventDragAndDrop();
--- a/app/renderer/main.html
+++ b/app/renderer/main.html
@@ -44,4 +44,5 @@
  </div>
 </body>
 <script src="js/main.js"></script>
+<script>require('./js/shared/preventdrag.js')</script>
 </html>
--- a/app/renderer/network.html
+++ b/app/renderer/network.html
@@ -17,5 +17,6 @@
      <div id="reconnect">Try now</div>
    </div>
  </body>
-  <script src="js/pages/network.js"></script>  
+  <script src="js/pages/network.js"></script>
+  <script>require('./js/shared/preventdrag.js')</script>
 </html>
--- a/app/renderer/preference.html
+++ b/app/renderer/preference.html
@@ -13,4 +13,5 @@
    </div>
  </body>
  <script src="js/pages/preference/preference.js"></script>
+  <script>require('./js/shared/preventdrag.js')</script>
 </html>
Author	SHA1	Message	Date
Akash Nimare	88058bdbc4	security: Code clean up.	2018-03-22 16:18:00 +05:30
Akash Nimare	ea6665cd10	security: Code clean up.	2018-03-22 14:15:19 +05:30
Akash Nimare	9dde6fb6e4	security: Disable drag and drop in all the renderer process. This prevents drag and drop in - * About * Network * Other renderer process WIP #453.	2018-03-22 14:02:16 +05:30
Akash Nimare	b4278ce860	security: Prevent drag and drop in the setting page. WIP #453.	2018-03-22 13:54:10 +05:30
Akash Nimare	a1e8d37da5	security: Prevent drag and drop event in main process. This stops a remote code execution via drag and drop event in the main process. WIP #453.	2018-03-22 13:49:47 +05:30