[GH-ISSUE #856] Potential Command Execution vulnerabilities introduced by main-preload.js #414

New issue

Closed

opened 2026-03-03 00:20:58 +03:00 by kerem · 2 comments

kerem commented 2026-03-03 00:20:58 +03:00

Owner

Copy link

Originally created by @xiaofen9 on GitHub (Mar 9, 2021).
Original GitHub issue: https://github.com/BoostIO/BoostNote-App/issues/856

Originally assigned to: @Rokt33r on GitHub.

Hi,

We found that static/main-preload.js introduces dangerous API openShellExternal for arbitrary access on unsafe renderer process.
This may lead to remote command execution.
We suggest that a URL check should be enforced at L15, which enforces an allowlist on trusted URLs.

github.com/BoostIO/BoostNote.next@a467dcb960/static/main-preload.js (L14-L17)

Originally created by @xiaofen9 on GitHub (Mar 9, 2021). Original GitHub issue: https://github.com/BoostIO/BoostNote-App/issues/856 Originally assigned to: @Rokt33r on GitHub. Hi, We found that `static/main-preload.js` introduces dangerous API openShellExternal for arbitrary access on unsafe renderer process. This may lead to remote command execution. We suggest that a URL check should be enforced at L15, which enforces an allowlist on trusted URLs. https://github.com/BoostIO/BoostNote.next/blob/a467dcb960531953040f26d09bd59a90c37a002e/static/main-preload.js#L14-L17

kerem 2026-03-03 00:20:58 +03:00

• closed this issue
• added the
  assigned to core 🦹
  security issue 🔑
  labels

kerem commented 2026-03-03 00:20:59 +03:00

Author

Owner

Copy link

@Rokt33r commented on GitHub (Aug 20, 2021):

Thanks for reporting. For now, it is okay since we're using the method with safe URLs only. So it won't cause any problems unless a user executing an arbitrary script from dev tools. But I'll make it safer for the case that someone makes a mistake.

@Komediruzecki This could be problematic for the local app since links in the markdown previewer are using this method without any URL filtering.

<!-- gh-comment-id:902389034 --> @Rokt33r commented on GitHub (Aug 20, 2021): Thanks for reporting. For now, it is okay since we're using the method with safe URLs only. So it won't cause any problems unless a user executing an arbitrary script from dev tools. But I'll make it safer for the case that someone makes a mistake. @Komediruzecki This could be problematic for the local app since links in the markdown previewer are using this method without any URL filtering.

kerem commented 2026-03-03 00:20:59 +03:00

Author

Owner

Copy link

@xiaofen9 commented on GitHub (Jun 4, 2022):

Fixed by https://github.com/BoostIO/BoostNote.next-local/pull/39

<!-- gh-comment-id:1146668347 --> @xiaofen9 commented on GitHub (Jun 4, 2022): Fixed by https://github.com/BoostIO/BoostNote.next-local/pull/39

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/npm_and_yarn/braintree/sanitize-url-and-mermaid-6.0.2

dependabot/npm_and_yarn/http-cache-semantics-4.1.1

dependabot/npm_and_yarn/json5-and-json5-and-json5-and-html-webpack-plugin-2.2.3

dependabot/npm_and_yarn/express-4.18.2

dependabot/npm_and_yarn/qs-6.5.3

dependabot/npm_and_yarn/decode-uri-component-0.2.2

dependabot/npm_and_yarn/electron-18.3.7

dependabot/npm_and_yarn/file-type-16.5.4

dependabot/npm_and_yarn/terser-4.8.1

dependabot/npm_and_yarn/got-11.8.5

dependabot/npm_and_yarn/jsdom-16.7.0

dependabot/npm_and_yarn/eventsource-1.1.1

feature/add-attachment-prompt-dialog

display-trial-length

feature/add-kanban-url-clickable

refactor/request-optimisation

refactor/align-endpoints

feature/improve-code-block-path-showcase

feature/fix-kanban-context-menu-on-long-title

fix/view-filters

automations/ast-impl

automations/input-typed-restrictions

automations/logs

automations/remove-env

ui/kanban-flex

feature/make-kanban-headers-sticky

feat/beta-automations

bug/navigation-view-selector

fix-ja

feature/add-evernote-migration

feature/fix-mock-handlers

feature/add-doc-drag-and-drop

feature/add-keymap-customization

feature/add-doc-save-status

feature/add-toolbar-in-edit-mode-select

bug/speed-improvement

blocks/input-streams

fix/blocks-beta-release

fix/workspace-visibility

pr/1090

fix/space-switcher-description

fix/migration-tab

feat/add-betaprogram-sidebar

feat/doc-page-renewal

ui-fix-shared

ui-settings-tmp

features/doc-props

feat/comments

ui-polish-settings

revert-917-reorganize-v2

ui-border-color

feat/doc-state-while-resync

fix/nav-tree

fix-descriptions

fix-description

ui/background-migration-text

ui-copy-btn

ui-timeline-header

bug/shared-collab-auth

ui-improve-sidebar

deprecated-web-app

v10

temp

ui-fix-border

lp-update-info

Flexo013/about/update_slack_2020

lp-update-boosthub

Flexo013-readme-mobile-links

improve-note-page2

legacy

gh-pages

cloud-1.58.4

cloud-1.57.1

cloud-1.57.0

cloud-1.56.5

cloud-1.56.4

cloud-1.56.3

cloud-1.56.2

cloud-1.56.1

cloud-1.56.0

cloud-1.55.1

cloud-1.55.0

cloud-1.54.5

cloud-1.54.6

cloud-1.54.4

cloud-1.54.3

cloud-1.54.1

cloud-1.54.2

cloud-1.54.0

cloud-1.53.9

cloud-1.53.8

cloud-1.53.6

cloud-1.53.5

cloud-1.53.4

cloud-1.53.3

cloud-1.53.1

cloud-1.53.0

cloud-1.52.6

cloud-1.52.7

v0.23.1

cloud-1.52.3

cloud-1.52.2

cloud-1.52.1

v0.23.0

cloud-1.52.0

cloud-1.51.3

cloud-1.51.2

cloud-1.51.1

cloud-1.51.0

cloud-1.50.7

cloud-1.50.6

cloud-1.50.5

cloud-1.50.4

cloud-1.50.3

cloud-1.50.1

v0.22.0

cloud-1.50.0

cloud-1.49.3

cloud-1.49.2

cloud-1.49.1

cloud-1.49.0

v0.21.2

v0.21.1

v0.21.0

v0.21.0-0

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.1

v0.18.0

v0.18.0-1

v0.18.0-0

v0.17.1

v0.17.0

v0.16.1

v0.16.0

v0.16.0-0

v0.15.1

v0.15.0

v0.15.0-0

v0.14.3

v0.14.3-0

v0.14.2

v0.14.2-1

v0.14.2-0

v0.14.1

v0.14.0

v0.14.0-1

v0.14.0-0

v0.13.2

v0.13.1

v0.13.0

v0.12.5-1

v0.12.5-0

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.6

v0.11.5

v0.11.4

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.2

v0.10.1

v0.10.0

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.0

v0.6.1

v0.6.0

v0.5.0

v0.4.1

v0.4.0

v0.3.0

v0.2.1

v0.2.0

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

v0.1.0-13

v0.1.0-12

v0.1.0-11

v0.1.0-10

v0.1.0-9

v0.1.0-8

v0.1.0-7

v0.1.0-6

v0.1.0-5

v0.1.0-4

v0.1.0-3

v0.1.0-2

v0.1.0-1

v0.1.0-0

v0.1.0-pre

Labels

Clear labels   

android 🤖

  

assigned to core 🦹

  

bug 🐛

  

documentation 📚

  

documentation 📚

  

duplicate 🚫

  

external issue 🔼

  

external issue 🔼

  

feature request 🌟

  

funded on issuehunt 💵

  

help wanted 🆘

  

improvement request 🔨

  

improvement request 🔨

  

ios 🍎

  

mobile 📱

  

needs investigation 🔬

  

needs more info ℹ️

  

needs specs 📐

  

plugin idea 🔌

  

plugin idea 🔌

  

poll 🗳️

  

pull-request

Mirrored from GitHub Pull Request

  

question ❓

  

rewarded on issuehunt 🎁

  

security issue 🔑

  

won’t fix ❌

No labels

android 🤖

assigned to core 🦹

bug 🐛

documentation 📚

documentation 📚

duplicate 🚫

external issue 🔼

external issue 🔼

feature request 🌟

funded on issuehunt 💵

help wanted 🆘

improvement request 🔨

improvement request 🔨

ios 🍎

mobile 📱

needs investigation 🔬

needs more info ℹ️

needs specs 📐

plugin idea 🔌

plugin idea 🔌

poll 🗳️

pull-request

question ❓

rewarded on issuehunt 🎁

security issue 🔑

won’t fix ❌

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/BoostNote-App#414

No description provided.