Improve security by isolating code execution more
This commit enhances application security against potential attacks by isolating dependencies that access the host system (like file operations) from the renderer process. It narrows the exposed functionality to script execution only, adding an extra security layer.

The changes allow secure and scalable API exposure, preparing for future functionalities such as desktop notifications for script errors (#264), improved script execution handling (#296), and creating restore points (#50) in a secure and repeatable way.

Changes include:

- Inject `CodeRunner` into Vue components via dependency injection.
- Move `CodeRunner` to the application layer as an abstraction for better domain-driven design alignment.
- Refactor `SystemOperations` and related interfaces, removing the `I` prefix.
- Update architecture documentation for clarity.
- Update return types in `NodeSystemOperations` to match the Node APIs.
- Improve `WindowVariablesProvider` integration tests for better error context.
- Centralize type checks with common functions like `isArray` and `isNumber`.
- Change `CodeRunner` to use `os` parameter, ensuring correct window variable injection.
- Streamline API exposure to the renderer process:
  - Automatically bind function contexts to prevent loss of original context.
  - Implement a way to create facades (wrapper/proxy objects) for increased security.
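An added example, not privacy.sexy's own code, of the "facade plus automatic context binding" idea the commit message describes: a `createFacade` helper (a hypothetical name) returns a frozen object holding only an allow-listed set of methods, each bound to the object it came from, so the renderer receives script execution and nothing else. `NodeCodeRunner`, its members and the sample inputs are constructed stand-ins for illustration.

```typescript
// Added illustration, not privacy.sexy's own code: builds a facade that exposes
// only an allow-listed set of methods from a host-side object, binding each one
// to its original context so it keeps working after being detached (as happens
// when an object is handed to the renderer). All names here are assumptions.

type AnyFn = (...args: unknown[]) => unknown;

// Hypothetical host-side service. Only `runScript` should ever reach the renderer;
// `readFile` stands in for a host-system operation that must stay isolated.
export class NodeCodeRunner {
  private readonly executed: string[] = [];

  public runScript(code: string): string {
    this.executed.push(code); // uses `this`, so context must survive detachment
    return `ran:${code}`;
  }

  public readFile(path: string): string {
    return `contents of ${path}`;
  }

  public get history(): readonly string[] {
    return this.executed;
  }
}

// Returns a frozen object holding only the listed methods, each bound to `target`.
// Anything not on the allow-list (other methods, fields, getters) is unreachable
// through the facade, and non-function members are rejected rather than exposed.
export function createFacade<T extends object, K extends keyof T>(
  target: T,
  exposedMethods: readonly K[],
): Pick<T, K> {
  const facade: Record<string, unknown> = {};
  for (const name of exposedMethods) {
    const member = target[name];
    if (typeof member !== 'function') {
      throw new Error(`Cannot expose non-function member "${String(name)}"`);
    }
    // Bind once, here, so callers cannot detach the method from its context
    facade[String(name)] = (member as unknown as AnyFn).bind(target);
  }
  // Freeze so the receiving side cannot add or swap members on the object
  return Object.freeze(facade) as unknown as Pick<T, K>;
}

// Demonstrates the facade in use: the method is detached (destructured) the way a
// bridge would hand it over, and still runs against the original runner instance.
export function demo(): {
  exposed: string[];
  result: string;
  historyLength: number;
  hasReadFile: boolean;
  frozen: boolean;
} {
  const runner = new NodeCodeRunner();
  const api = createFacade(runner, ['runScript'] as const);
  const { runScript } = api; // detached from `api`; an unbound method would lose `this`
  const result = runScript('echo hi');
  return {
    exposed: Object.keys(api),
    result,
    historyLength: runner.history.length,
    hasReadFile: 'readFile' in api,
    frozen: Object.isFrozen(api),
  };
}
```

In an Electron app the frozen facade is the object that would be handed to the renderer (for example through `contextBridge.exposeInMainWorld`). Without the `bind` step, a class method destructured on the far side runs with `this` undefined (class bodies are strict mode) and fails on its first property access; with it, the renderer can call `runScript` but has no path to `readFile` or to the runner's internal state.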
@@ -31,9 +31,9 @@ privacy.sexy adopts a defense in depth strategy to protect users on multiple lay
- **Content Security Policies (CSP):**
privacy.sexy actively follows security guidelines from the Open Web Application Security Project (OWASP) at strictest level.
This approach protects against attacks like Cross Site Scripting (XSS) and data injection.
- **Context Isolation:**
The desktop application isolates different code sections based on their access level.
This separation prevents attackers from introducing harmful code into the app, known as injection attacks.
- **Host System Access Control:**
The desktop application segregates code sections based on their access levels.
This provides a critical defense mechanism, prevents attackers from introducing harmful code into the app, known as injection attacks.
### Update Security and Integrity
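Review bot: the new "Host System Access Control" bullet says the same thing as the "Context Isolation" bullet it sits beside (both: the app segregates code by access level to stop injection attacks), so the document still does not state what this commit actually changes, namely that the renderer is handed script execution only while dependencies that touch the host system (file operations and the like) stay out of its reach; phrase the bullet around that narrowed surface, e.g. "The desktop application exposes only script execution to the renderer process; dependencies that access the host system (such as file operations) are kept isolated from it." Also, "This provides a critical defense mechanism, prevents attackers from introducing harmful code" is missing a conjunction and should read "This provides a critical defense mechanism and prevents attackers from introducing harmful code". Minor, in the unchanged CSP line: "at strictest level" reads better as "at the strictest level" if that line is touched.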