Add ElectronShellOpenExternalSink class

Add ElectronShellOpenExternalSink class to detect untrusted input interpreted by `openExternal` function call in `electron` module. Based on the #14 Electron Security checklist: https://www.electronjs.org/docs/tutorial/security#14-do-not-use-openexternal-with-untrusted-content
2026-04-28 18:25:24 +02:00 · 2020-10-23 15:37:59 +02:00
parent 7993a83750
commit e87790b828
1 changed files with 11 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -138,4 +138,15 @@ module CodeInjection {
        API::moduleImport("module").getInstance().getMember("_compile").getACall().getArgument(0)
    }
  }
+
+  /**
+   * Improper use of openExternal can be leveraged to compromise the user's host.
+   * When openExternal is used with untrusted content, it can be leveraged to execute arbitrary commands.
+   */
+  class ElectronShellOpenExternalSink extends Sink {
+    ElectronShellOpenExternalSink() {
+      this =
+        DataFlow::moduleMember("electron", "shell").getAMemberCall("openExternal").getArgument(0)
+    }
+  }
 }