JavaScript

Made by DeepSource

Insecure node integration preferences found in Electron JS-S1019

Security
Critical
OWASP Top 10 A03 · SANS Top 25 · CWE-94

The nodeIntegration option in Electron controls whether the renderer process has access to the Node.js APIs. Since Electron 5 it defaults to false, so a renderer does not get Node.js access unless the application opts in explicitly. Likewise, the nodeIntegrationInWorker option defaults to false, so Electron Web Workers do not have access to the Node.js APIs either.

Keeping both options off limits what code running in the renderer can do: even if malicious script executes there, it cannot reach the file system, spawn processes, or touch other sensitive system resources through Node.js.

A cross-site scripting (XSS) attack is usually confined to the page it runs on. It becomes far more dangerous if the attacker can break out of the renderer process and execute code on the user's computer. With Node integration enabled, an injected script in an Electron renderer can simply call require('child_process') and run arbitrary commands. Disabling Node.js integration therefore prevents an XSS from escalating into remote code execution (RCE).

If your use case still requires you to enable nodeIntegration or nodeIntegrationInWorker, audit that the window never loads remote or otherwise untrusted content and never executes code from untrusted sources. In most cases the better option is to keep both settings off and expose only the specific capabilities the renderer needs from a preload script, with context isolation left enabled.

Bad Practice

const { BrowserWindow } = require('electron')
const mainWindow = new BrowserWindow({
  webPreferences: {
    nodeIntegration: true, // `nodeIntegration` should not be set to true
    nodeIntegrationInWorker: true // `nodeIntegrationInWorker` should not be set to true
  }
})

Recommended

const { BrowserWindow } = require('electron')
const mainWindow = new BrowserWindow({
  // Alternatively, omit both properties: they already default to false.
  webPreferences: {
    nodeIntegration: false,
    nodeIntegrationInWorker: false
  }
})
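The check this rule performs can also be applied at startup or in a unit test, so an insecure configuration fails fast instead of shipping. The block below is an added example written for this page, not DeepSource's or Electron's own code. It assumes Electron 5 or later defaults (both options are false when omitted, so only an explicit true is a finding) and, going slightly beyond the rule's text, also flags an explicitly disabled contextIsolation, since with it off a preload script's Node objects are reachable from page content. guardedWindowFactory accepts whatever constructor you pass it (in a real app, the BrowserWindow class from electron); nothing here imports electron, so it runs under plain Node with the constructed FakeWindow stand-in.

```javascript
// Added example for this page (not DeepSource's or Electron's own code).
// Assumes Electron >= 5 defaults: nodeIntegration and nodeIntegrationInWorker
// are false when omitted, so only an explicit `true` is a finding.

// Each entry names a webPreferences key, the value that is unsafe, and why.
const UNSAFE_PREFERENCES = [
  {
    key: 'nodeIntegration',
    unsafeValue: true,
    message: 'renderer gets full Node.js access, so an XSS becomes RCE',
  },
  {
    key: 'nodeIntegrationInWorker',
    unsafeValue: true,
    message: 'Web Workers get full Node.js access, so an XSS becomes RCE',
  },
  // Beyond the rule text: with contextIsolation explicitly off, the preload
  // script and untrusted page content share one JavaScript world, so any
  // Node object the preload holds is reachable from the page.
  {
    key: 'contextIsolation',
    unsafeValue: false,
    message: 'preload and page share one JS context; keep the default (true)',
  },
];

// Audit one BrowserWindow options object. Keys that are omitted are treated
// as their secure defaults and produce no finding.
function auditWindowOptions(options, label = 'BrowserWindow') {
  const prefs = (options && options.webPreferences) || {};
  const findings = [];
  for (const { key, unsafeValue, message } of UNSAFE_PREFERENCES) {
    if (Object.prototype.hasOwnProperty.call(prefs, key) && prefs[key] === unsafeValue) {
      findings.push({ window: label, key, value: prefs[key], message });
    }
  }
  return findings;
}

// Wrap a window constructor so that insecure options fail fast at startup
// instead of shipping. `ctor` is whatever you pass in (in a real app, the
// `BrowserWindow` class from electron); this file itself never imports electron.
function guardedWindowFactory(ctor, { strict = true } = {}) {
  return function createWindow(options) {
    const findings = auditWindowOptions(options);
    if (findings.length > 0) {
      const summary = findings
        .map((f) => `${f.key}=${f.value} (${f.message})`)
        .join('; ');
      if (strict) {
        throw new Error(`Refusing to create window with insecure webPreferences: ${summary}`);
      }
      console.warn(`Insecure webPreferences: ${summary}`);
    }
    return new ctor(options);
  };
}

// Constructed stand-in so the example runs without Electron; it only records
// the options it was given.
class FakeWindow {
  constructor(options) {
    this.options = options;
  }
}

// Constructed configurations mirroring the "Bad Practice" and "Recommended"
// snippets above, plus one that sets neither option.
const badOptions = {
  webPreferences: { nodeIntegration: true, nodeIntegrationInWorker: true },
};
const goodOptions = {
  webPreferences: { nodeIntegration: false, nodeIntegrationInWorker: false },
};
const defaultOptions = { width: 800, height: 600 };

const createWindow = guardedWindowFactory(FakeWindow);
createWindow(goodOptions);     // no findings: both options explicitly false
createWindow(defaultOptions);  // no findings: omitted keys are secure defaults
try {
  createWindow(badOptions);    // throws: nodeIntegration and nodeIntegrationInWorker are true
} catch (err) {
  console.error(err.message);
}
```

In an application you would pass the real BrowserWindow class to guardedWindowFactory and build every window through the returned function; the non-strict mode only logs, which is useful while migrating an existing code base that still has windows relying on Node integration.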
