[Security] Disable nodeIntegration

[xmedeko]

Disable nodeIntegration - see

Rocket.Chat.Electron/src/ui/main/rootWindow.ts

Line 31 in 3b2d0aa

nodeIntegration: true,

Together with bug RocketChat/Rocket.Chat#20543 it's a serious security threat!

Update: I see the main window has nodeIntegration disabled, so it's seems OK

Rocket.Chat.Electron/src/ui/main/serverView/index.ts

Line 148 in 3b2d0aa

webPreferences.nodeIntegration = false;

[xmedeko]

Note: the attacker has access to window.RocketChatDesktop and window.JitsiMeetElectron. So, he can e.g. create a desktop notification, and other stuff there. Which is a security issue but do not know it's severity.

[robbyoconnor]

Why is this not happening on https://open.rocket.chat?

[xmedeko]

@robbyoconnor This issue is about security consequences of RocketChat/Rocket.Chat#20543 in Electron app. For the browser, this issue is inconvenient but has not such security implications.

[robbyoconnor]

@robbyoconnor This issue is about security consequences of RocketChat/Rocket.Chat#20543 in Electron app. For the browser, this issue is inconvenient but has not such security implications.

I understand. I'm trying to understand why it doesn't happen on RC's server.