Skip to content

SDA-5364 - Fix argument injection / Workaround for H1 #3770918#2545

Open
KiranNiranjan wants to merge 4 commits into
finos:mainfrom
KiranNiranjan:SDA-5364
Open

SDA-5364 - Fix argument injection / Workaround for H1 #3770918#2545
KiranNiranjan wants to merge 4 commits into
finos:mainfrom
KiranNiranjan:SDA-5364

Conversation

@KiranNiranjan

Copy link
Copy Markdown
Member

Description

  • Fix / Workaround for H1 #3770918

Change Summary

  1. publisherName value: Must match the Subject CN on the production Authenticode cert to prevent updates from silently disabling signer verification.
  2. isTrustedSenderFrame policy: Restricts to file:// + about:blank. Any internal window using DOM injection or dev-tools must use file:// or be whitelisted.
  3. URL resolution reorder: Moved the this.url config/override setup to run before new BrowserWindow(...) instead of after.
  4. --url= An empty podWhitelist now rejects CLI --url= overrides with a warning instead of accepting them.
  5. additionalArguments propagation: Only the main window's preload context gets --initial-url=. Secondary windows (notifications, welcome, etc.) use file:// and pass isTrustedSenderFrame.
  6. chrome-flags -- break: setChromeFlags passes through process.argv. Config-file chromeFlags joined via chromeFlagsSplitter cannot contain a bare -- token.
  7. reports-handler.ts regex tightening: Strips / and \ from filenames, flattening subdirectory paths (e.g., mana/console.log becomes mana_console.log).

Breaking changes

  • The IPC isTrustedSenderFrame check is the most behavior-affecting change.
  • --url= arg is breaking change for anyone whose deploy relies on podWhitelist: [] to permit CLI URL overrides. they must add explicit whitelist entries in podWhitelist.
  • publisherName is set to Symphony Communication Services LLC and need to verify CN & autoupdate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant