EnablingNodeIntegration.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Enabling Node.js integration in web content renderers (BrowserWindow, BrowserView and webview) can lead to
remote native code execution when the renderer executes malicious JavaScript, either served by an untrusted remote
web site or injected into the page through a cross-site scripting vulnerability. Note that the
<code>nodeIntegration</code> property is enabled by default in Electron and must be set to 'false' explicitly.
</p>
</overview>
<recommendation>
<p>
Node.js integration should be disabled when loading remote web sites. If that is not possible, always set the
<code>nodeIntegration</code> property to 'false' before loading remote web sites and only enable it for whitelisted sites.
</p>
</recommendation>
<example>
<p>
The following example shows an insecure use of BrowserWindow with regard to the <code>nodeIntegration</code>
property:
</p>
<sample src="examples/DefaultNodeIntegration.js"/>
<p>
This is problematic because the default value of <code>nodeIntegration</code> is 'true'.
</p>
</example>
<example>
<p>
The following example shows insecure and secure uses of the <code>&lt;webview&gt;</code> tag:
</p>
<sample src="examples/WebViewNodeIntegration.html"/>
</example>
<example>
<p>
The following example shows insecure and secure uses of BrowserWindow and BrowserView when
loading untrusted web sites:
</p>
<sample src="examples/EnablingNodeIntegration.js"/>
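<p>
As an added illustration (not one of the query's sample files and not Electron's own code), the following helper derives
<code>webPreferences</code> from the URL a window is about to load and audits a BrowserWindow options object the way the
rule does, treating an omitted <code>nodeIntegration</code> as enabled; the allowlisted origin and URLs are constructed placeholders:
</p>

```javascript
// Added example: derives Electron webPreferences from the target URL and audits
// BrowserWindow options. Not part of the CodeQL qhelp or of Electron itself.

// Hypothetical allowlist of origins permitted to use Node.js APIs (constructed).
const TRUSTED_ORIGINS = new Set(['https://intranet.example.test']);

// True for content served over the network, i.e. pages the app does not control.
function isRemote(target) {
  const protocol = new URL(target).protocol;
  return protocol === 'http:' || protocol === 'https:';
}

// Builds webPreferences for a BrowserWindow/BrowserView. nodeIntegration is set
// explicitly every time, so the Electron default never decides the outcome:
// remote pages get it only when their origin is allowlisted.
function webPreferencesFor(target, trusted = TRUSTED_ORIGINS) {
  let allowNode = true; // local app pages (file:, app://) keep Node access
  if (isRemote(target)) {
    allowNode = trusted.has(new URL(target).origin);
  }
  return { nodeIntegration: allowNode, contextIsolation: true };
}

// Audits the options passed to new BrowserWindow(...) against the URL it will
// load. As the overview notes, an omitted nodeIntegration counts as enabled.
// Returns a finding string, or null when the configuration is acceptable.
function auditWindowOptions(options, target) {
  if (!isRemote(target)) {
    return null;
  }
  const prefs = (options || {}).webPreferences || {};
  if (prefs.nodeIntegration === false) {
    return null;
  }
  const how = prefs.nodeIntegration === true ? 'explicitly set to true' : 'left at its default';
  return `nodeIntegration ${how} while loading remote content ${target}`;
}
```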
</example>
<references>
<li>Electron Documentation: <a href="https://electronjs.org/docs/tutorial/security#2-disable-nodejs-integration-for-remote-content">Security, Native Capabilities, and Your Responsibility</a></li>
</references>
</qhelp>