chore: harden electron security

Author: abose

src-electron/config.js

@@ -0,0 +1,51 @@
+/**
+ * Centralized Configuration Module
+ *
+ * This module provides a single source of truth for all configuration values.
+ * It reads from package.json and can apply stage-wise transforms as needed.
+ *
+ * Usage:
+ *   const { stage, trustedElectronDomains, productName } = require('./config');
+ */
+
+const packageJson = require('./package.json');
+
+// Core package.json values
+const name = packageJson.name;
+const identifier = packageJson.identifier;
+const stage = packageJson.stage;
+const version = packageJson.version;
+const productName = packageJson.productName;
+const description = packageJson.description;
+
+// Security configuration
+const trustedElectronDomains = packageJson.trustedElectronDomains || [];
+
+/**
+ * Initialize configuration (call once at app startup if needed).
+ * Currently a no-op but can be extended for async config loading,
+ * environment variable overrides, or stage-wise transforms.
+ */
+function initConfig() {
+    // Future: Add stage-wise transforms, env overrides, etc.
+    // Example:
+    // if (stage === 'prod') {
+    //     // Apply production-specific config
+    // }
+}
+
+module.exports = {
+    // Package info
+    name,
+    identifier,
+    stage,
+    version,
+    productName,
+    description,
+
+    // Security
+    trustedElectronDomains,
+
+    // Initialization
+    initConfig
+};

src-electron/ipc-security.js

@@ -0,0 +1,90 @@
+/**
+ * IPC Security - Trusted Domain Validation
+ *
+ * This module implements security measures to ensure Electron APIs are only
+ * accessible from trusted origins. Trust is evaluated at window load/navigation
+ * time (not on every IPC call) for optimal performance.
+ *
+ * Trust rules:
+ * - Dev stage: trustedElectronDomains + all localhost URLs
+ * - Other stages (staging/prod): only trustedElectronDomains
+ */
+
+const { stage, trustedElectronDomains } = require('./config');
+
+// Track trusted webContents IDs (Set for O(1) lookup)
+const _trustedWebContents = new Set();
+
+/**
+ * Check if a URL is trusted based on stage configuration.
+ * - Dev stage: trustedElectronDomains + all localhost URLs
+ * - Other stages: only trustedElectronDomains
+ */
+function _isTrustedOrigin(url) {
+    if (!url) return false;
+
+    // Check against trustedElectronDomains
+    for (const domain of trustedElectronDomains) {
+        if (url.startsWith(domain)) {
+            return true;
+        }
+    }
+
+    // In dev stage, also allow localhost URLs
+    if (stage === 'dev') {
+        try {
+            const parsed = new URL(url);
+            if (parsed.hostname === 'localhost' || parsed.hostname === '127.0.0.1') {
+                return true;
+            }
+        } catch {
+            return false;
+        }
+    }
+
+    return false;
+}
+
+/**
+ * Mark a webContents as trusted/untrusted based on its current URL.
+ * Call this when window loads or navigates.
+ */
+function updateTrustStatus(webContents) {
+    const url = webContents.getURL();
+    if (_isTrustedOrigin(url)) {
+        _trustedWebContents.add(webContents.id);
+    } else {
+        _trustedWebContents.delete(webContents.id);
+    }
+}
+
+/**
+ * Remove trust tracking when webContents is destroyed.
+ */
+function cleanupTrust(webContentsId) {
+    _trustedWebContents.delete(webContentsId);
+}
+
+/**
+ * Fast check if webContents is trusted (O(1) lookup).
+ */
+function _isWebContentsTrusted(webContentsId) {
+    return _trustedWebContents.has(webContentsId);
+}
+
+/**
+ * Assert that IPC event comes from trusted webContents.
+ * Throws error if not trusted.
+ */
+function assertTrusted(event) {
+    if (!_isWebContentsTrusted(event.sender.id)) {
+        const url = event.senderFrame?.url || event.sender.getURL() || 'unknown';
+        throw new Error(`Blocked IPC from untrusted origin: ${url}`);
+    }
+}
+
+module.exports = {
+    updateTrustStatus,
+    cleanupTrust,
+    assertTrusted
+};

src-electron/main-app-ipc.js

@@ -10,7 +10,8 @@ const { app, ipcMain } = require('electron');
 const { spawn } = require('child_process');
 const readline = require('readline');
 const path = require('path');
-const { productName } = require('./package.json');
+const { productName } = require('./config');
+const { assertTrusted } = require('./ipc-security');
 
 let processInstanceId = 0;
 
@@ -73,6 +74,7 @@ function registerAppIpcHandlers() {
     // Spawn a child process and forward stdio to the calling renderer.
     // Returns an instanceId so the renderer can target the correct process.
     ipcMain.handle('spawn-process', async (event, command, args) => {
+        assertTrusted(event);
         const instanceId = ++processInstanceId;
         const sender = event.sender;
         console.log(`Spawning: ${command} ${args.join(' ')} (instance ${instanceId})`);
@@ -122,35 +124,41 @@ function registerAppIpcHandlers() {
 
     // Write data to a specific spawned process stdin
     ipcMain.handle('write-to-process', (event, instanceId, data) => {
+        assertTrusted(event);
         const instance = spawnedProcesses.get(instanceId);
         if (instance && !instance.terminated) {
             instance.process.stdin.write(data);
         }
     });
 
     ipcMain.handle('quit-app', (event, exitCode) => {
+        assertTrusted(event);
         console.log('Quit requested with exit code:', exitCode);
         // This will be handled by the main module's gracefulShutdown
         app.emit('quit-requested', exitCode);
     });
 
     ipcMain.on('console-log', (event, message) => {
+        assertTrusted(event);
         console.log('Renderer:', message);
     });
 
     // CLI args (mirrors Tauri's cli.getMatches for --quit-when-done / -q)
     // Filter out internal Electron args (main.js in dev mode)
-    ipcMain.handle('get-cli-args', () => {
+    ipcMain.handle('get-cli-args', (event) => {
+        assertTrusted(event);
         return filterCliArgs(process.argv);
     });
 
     // App path (repo root when running from source)
-    ipcMain.handle('get-app-path', () => {
+    ipcMain.handle('get-app-path', (event) => {
+        assertTrusted(event);
         return app.getAppPath();
     });
 
     // App name from package.json
-    ipcMain.handle('get-app-name', () => {
+    ipcMain.handle('get-app-name', (event) => {
+        assertTrusted(event);
         return productName;
     });
 }

src-electron/main-cred-ipc.js

@@ -1,5 +1,6 @@
 const { ipcMain } = require('electron');
 const crypto = require('crypto');
+const { assertTrusted } = require('./ipc-security');
 
 // Per-window AES trust map (mirrors Tauri's WindowAesTrust)
 // Uses webContents.id which persists across page reloads but changes when window is destroyed
@@ -18,6 +19,7 @@ const PHOENIX_CRED_PREFIX = 'phcode_electron_';
 function registerCredIpcHandlers() {
     // Trust window AES key - can only be called once per window
     ipcMain.handle('trust-window-aes-key', (event, key, iv) => {
+        assertTrusted(event);
         const webContentsId = event.sender.id;
 
         if (windowTrustMap.has(webContentsId)) {
@@ -39,6 +41,7 @@ function registerCredIpcHandlers() {
 
     // Remove trust - requires matching key/iv
     ipcMain.handle('remove-trust-window-aes-key', (event, key, iv) => {
+        assertTrusted(event);
         const webContentsId = event.sender.id;
         const stored = windowTrustMap.get(webContentsId);
 
@@ -55,6 +58,7 @@ function registerCredIpcHandlers() {
 
     // Store credential in system keychain
     ipcMain.handle('store-credential', async (event, scopeName, secretVal) => {
+        assertTrusted(event);
         if (!keytar) {
             throw new Error('keytar module not available.');
         }
@@ -64,6 +68,7 @@ function registerCredIpcHandlers() {
 
     // Get credential (encrypted with window's AES key)
     ipcMain.handle('get-credential', async (event, scopeName) => {
+        assertTrusted(event);
         if (!keytar) {
             throw new Error('keytar module not available.');
         }
@@ -93,6 +98,7 @@ function registerCredIpcHandlers() {
 
     // Delete credential from system keychain
     ipcMain.handle('delete-credential', async (event, scopeName) => {
+        assertTrusted(event);
         if (!keytar) {
             throw new Error('keytar module not available.');
         }

src-electron/main-fs-ipc.js

@@ -10,7 +10,8 @@ const { ipcMain, dialog, BrowserWindow } = require('electron');
 const path = require('path');
 const fsp = require('fs/promises');
 const os = require('os');
-const { identifier: APP_IDENTIFIER } = require('./package.json');
+const { identifier: APP_IDENTIFIER } = require('./config');
+const { assertTrusted } = require('./ipc-security');
 
 // Electron IPC only preserves Error.message when errors cross the IPC boundary (see
 // https://github.com/electron/electron/issues/24427). To preserve error.code for FS
@@ -47,25 +48,32 @@ function getAppDataDir() {
 
 function registerFsIpcHandlers() {
     // Directory APIs
-    ipcMain.handle('get-documents-dir', () => {
+    ipcMain.handle('get-documents-dir', (event) => {
+        assertTrusted(event);
         // Match Tauri's documentDir which ends with a trailing slash
         return path.join(os.homedir(), 'Documents') + path.sep;
     });
 
-    ipcMain.handle('get-home-dir', () => {
+    ipcMain.handle('get-home-dir', (event) => {
+        assertTrusted(event);
         // Match Tauri's homeDir which ends with a trailing slash
         const home = os.homedir();
         return home.endsWith(path.sep) ? home : home + path.sep;
     });
 
-    ipcMain.handle('get-temp-dir', () => {
+    ipcMain.handle('get-temp-dir', (event) => {
+        assertTrusted(event);
         return os.tmpdir();
     });
 
-    ipcMain.handle('get-app-data-dir', () => getAppDataDir());
+    ipcMain.handle('get-app-data-dir', (event) => {
+        assertTrusted(event);
+        return getAppDataDir();
+    });
 
     // Get Windows drive letters (returns null on non-Windows platforms)
-    ipcMain.handle('get-windows-drives', async () => {
+    ipcMain.handle('get-windows-drives', async (event) => {
+        assertTrusted(event);
         if (process.platform !== 'win32') {
             return null;
         }
@@ -86,26 +94,30 @@ function registerFsIpcHandlers() {
 
     // Dialogs
     ipcMain.handle('show-open-dialog', async (event, options) => {
+        assertTrusted(event);
         const win = BrowserWindow.fromWebContents(event.sender);
         const result = await dialog.showOpenDialog(win, options);
         return result.filePaths;
     });
 
     ipcMain.handle('show-save-dialog', async (event, options) => {
+        assertTrusted(event);
         const win = BrowserWindow.fromWebContents(event.sender);
         const result = await dialog.showSaveDialog(win, options);
         return result.filePath;
     });
 
     // FS operations
     ipcMain.handle('fs-readdir', async (event, dirPath) => {
+        assertTrusted(event);
         return fsResult(
             fsp.readdir(dirPath, { withFileTypes: true })
                 .then(entries => entries.map(e => ({ name: e.name, isDirectory: e.isDirectory() })))
         );
     });
 
     ipcMain.handle('fs-stat', async (event, filePath) => {
+        assertTrusted(event);
         return fsResult(
             fsp.stat(filePath).then(stats => ({
                 isFile: stats.isFile(),
@@ -122,12 +134,30 @@ function registerFsIpcHandlers() {
         );
     });
 
-    ipcMain.handle('fs-mkdir', (event, dirPath, options) => fsResult(fsp.mkdir(dirPath, options)));
-    ipcMain.handle('fs-unlink', (event, filePath) => fsResult(fsp.unlink(filePath)));
-    ipcMain.handle('fs-rmdir', (event, dirPath, options) => fsResult(fsp.rm(dirPath, options)));
-    ipcMain.handle('fs-rename', (event, oldPath, newPath) => fsResult(fsp.rename(oldPath, newPath)));
-    ipcMain.handle('fs-read-file', (event, filePath) => fsResult(fsp.readFile(filePath)));
-    ipcMain.handle('fs-write-file', (event, filePath, data) => fsResult(fsp.writeFile(filePath, Buffer.from(data))));
+    ipcMain.handle('fs-mkdir', (event, dirPath, options) => {
+        assertTrusted(event);
+        return fsResult(fsp.mkdir(dirPath, options));
+    });
+    ipcMain.handle('fs-unlink', (event, filePath) => {
+        assertTrusted(event);
+        return fsResult(fsp.unlink(filePath));
+    });
+    ipcMain.handle('fs-rmdir', (event, dirPath, options) => {
+        assertTrusted(event);
+        return fsResult(fsp.rm(dirPath, options));
+    });
+    ipcMain.handle('fs-rename', (event, oldPath, newPath) => {
+        assertTrusted(event);
+        return fsResult(fsp.rename(oldPath, newPath));
+    });
+    ipcMain.handle('fs-read-file', (event, filePath) => {
+        assertTrusted(event);
+        return fsResult(fsp.readFile(filePath));
+    });
+    ipcMain.handle('fs-write-file', (event, filePath, data) => {
+        assertTrusted(event);
+        return fsResult(fsp.writeFile(filePath, Buffer.from(data)));
+    });
 }
 
 module.exports = {