security: Code clean up.

security: Disable drag and drop in all the renderer process.
2025-10-29 11:03:31 +00:00 · 2018-03-22 16:18:00 +05:30 · 2018-03-22 14:15:19 +05:30 · 2018-03-22 14:02:16 +05:30 · 2018-03-22 13:54:10 +05:30 · 2018-03-22 13:49:47 +05:30
6 changed files with 55 additions and 27 deletions
--- a/app/renderer/about.html
+++ b/app/renderer/about.html
@@ -1,19 +1,23 @@
 <!DOCTYPE html>
 <html lang="en">
+
 <head>
 	<meta charset="UTF-8">
 	<link rel="stylesheet" href="css/about.css">
 </head>
+
 <body>
 	<div class="about">
 		<img class="logo" src="../resources/zulip.png" />
 		<p class="detail" id="version">v?.?.?</p>
 		<div class="maintenance-info">
 			<p class="detail maintainer">
-				Maintained by <a onclick="linkInBrowser('website')">Zulip</a>
+				Maintained by
+				<a onclick="linkInBrowser('website')">Zulip</a>
 			</p>
 			<p class="detail license">
-				Available under the <a onclick="linkInBrowser('license')">Apache 2.0 License</a>
+				Available under the
+				<a onclick="linkInBrowser('license')">Apache 2.0 License</a>
 			</p>
 			<a class="bug" onclick="linkInBrowser('bug')" href="#">Found bug?</a>
 		</div>
@@ -41,5 +45,6 @@
 			shell.openExternal(url);
 		}
 	</script>
+	<script>require('./js/shared/preventdrag.js')</script>
 </body>
 </html>
--- a/app/renderer/js/preload.js
+++ b/app/renderer/js/preload.js
@@ -8,6 +8,9 @@ const ConfigUtil = require(__dirname + '/utils/config-util.js');
 // eslint-disable-next-line import/no-unassigned-import
 require('./notification');

+// Prevent drag and drop event in main process which prevents remote code executaion
+require(__dirname + '/shared/preventdrag.js');
+
 const logout = () => {
 	// Create the menu for the below
 	document.querySelector('.dropdown-toggle').click();
--- a/app/renderer/js/shared/preventdrag.js
+++ b/app/renderer/js/shared/preventdrag.js
@@ -0,0 +1,17 @@
+'use strict';
+
+// This is a security fix. Following function prevents drag and drop event in the app
+// so that attackers can't execute any remote code within the app
+// It doesn't affect the compose box so that users can still
+// use drag and drop event to share files etc
+
+const preventDragAndDrop = () => {
+	const preventEvents = ['dragover', 'drop'];
+	preventEvents.forEach(dragEvents => {
+		document.addEventListener(dragEvents, event => {
+			event.preventDefault();
+		});
+	});
+};
+
+preventDragAndDrop();
--- a/app/renderer/main.html
+++ b/app/renderer/main.html
@@ -44,4 +44,5 @@
  </div>
 </body>
 <script src="js/main.js"></script>
+<script>require('./js/shared/preventdrag.js')</script>
 </html>
--- a/app/renderer/network.html
+++ b/app/renderer/network.html
@@ -18,4 +18,5 @@
    </div>
  </body>
  <script src="js/pages/network.js"></script>
+  <script>require('./js/shared/preventdrag.js')</script>
 </html>
--- a/app/renderer/preference.html
+++ b/app/renderer/preference.html
@@ -13,4 +13,5 @@
    </div>
  </body>
  <script src="js/pages/preference/preference.js"></script>
+  <script>require('./js/shared/preventdrag.js')</script>
 </html>
Author	SHA1	Message	Date
Akash Nimare	88058bdbc4	security: Code clean up.	2018-03-22 16:18:00 +05:30
Akash Nimare	ea6665cd10	security: Code clean up.	2018-03-22 14:15:19 +05:30
Akash Nimare	9dde6fb6e4	security: Disable drag and drop in all the renderer process. This prevents drag and drop in - * About * Network * Other renderer process WIP #453.	2018-03-22 14:02:16 +05:30
Akash Nimare	b4278ce860	security: Prevent drag and drop in the setting page. WIP #453.	2018-03-22 13:54:10 +05:30
Akash Nimare	a1e8d37da5	security: Prevent drag and drop event in main process. This stops a remote code execution via drag and drop event in the main process. WIP #453.	2018-03-22 13:49:47 +05:30