### Install dependencies Source: https://github.com/doyensec/electronegativity/blob/master/docs/resources/DOCUMENTATION.md Install the required conversion tools via npm and apt. Ensure the wkhtmltopdf version is sufficient for rendering. ```sh sudo npm install -g github-wikito-converter sudo apt-get install wkhtmltopdf ``` -------------------------------- ### Install Electronegativity Source: https://github.com/doyensec/electronegativity/blob/master/README.md Install the Electronegativity tool globally using NPM. This command makes the `electronegativity` CLI available on your system. ```bash npm install @doyensec/electronegativity -g ``` -------------------------------- ### Install Electronegativity Globally Source: https://github.com/doyensec/electronegativity/wiki/Home Install the Electronegativity tool globally using NPM. This makes the command-line interface available system-wide. ```sh $ npm install @doyensec/electronegativity -g ``` -------------------------------- ### Build and Run Electronegativity Source: https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md Commands to install dependencies, build the project, and display help information. ```bash $ npm ci # So we have a deterministic, repeatable build $ npm run build $ node dist/index.js -h ``` -------------------------------- ### Enable Node Integration in BrowserWindow Source: https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_JS_CHECK This example shows how `nodeIntegration` is enabled by default or explicitly set to true. Ensure this is disabled for untrusted origins. ```javascript mainWindow = new BrowserWindow({ "webPreferences": { "nodeIntegration": true, "nodeIntegrationInWorker": 1 } }); ``` ```javascript const mainWindow = new BrowserWindow(); ``` -------------------------------- ### Identify insecure webview source Source: https://github.com/doyensec/electronegativity/wiki/HTTP_RESOURCES_HTML_CHECK Example of an insecure webview tag loading content over HTTP. ```xml ``` -------------------------------- ### Configure Node Integration Security Source: https://context7.com/doyensec/electronegativity/llms.txt Examples of insecure and secure configurations for Electron's nodeIntegration settings. ```javascript // INSECURE: nodeIntegration enabled (default before Electron 5) const mainWindow = new BrowserWindow({ webPreferences: { nodeIntegration: true, // FLAGGED: HIGH severity nodeIntegrationInWorker: true // FLAGGED: enables Node in workers } }); // INSECURE: Missing webPreferences (uses insecure defaults pre-v5) const win = new BrowserWindow(); // FLAGGED if Electron < 5 // SECURE: Explicitly disable node integration const secureWindow = new BrowserWindow({ webPreferences: { nodeIntegration: false, nodeIntegrationInWorker: false, nodeIntegrationInSubFrames: false, contextIsolation: true, sandbox: true } }); ``` -------------------------------- ### Audit Insecure HTTP Loads in Electron Source: https://github.com/doyensec/electronegativity/wiki/HTTP_RESOURCES_JS_CHECK Look for instances where resources are loaded using plain-text HTTP. This example demonstrates how to identify such occurrences in your Electron application's code. ```javascript const win = new BrowserWindow({...}); win.loadURL('http://example.com/'); ``` -------------------------------- ### HTML Webview with Affinity Source: https://github.com/doyensec/electronegativity/wiki/AFFINITY_GLOBAL_CHECK Example of an HTML webview tag using the `affinity` attribute. Ensure `webPreferences` are consistent when using shared affinity. ```html ``` -------------------------------- ### Disable `nodeIntegration` with `will-attach-webview` Source: https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_ATTACH_EVENT_JS_CHECK Use the `will-attach-webview` event to audit and enforce `nodeIntegration` settings for webviews. This example disables `nodeIntegration` and prevents loading URLs that do not start with `https://doyensec.com/`. ```javascript app.on('web-contents-created', (event, contents) => { contents.on('will-attach-webview', (event, webPreferences, params) => { // Strip away preload scripts if unused // Alternatively, verify their location if legitimate delete webPreferences.preload delete webPreferences.preloadURL // Disable node integration webPreferences.nodeIntegration = false // Verify URL being loaded if (!params.src.startsWith('https://doyensec.com/')) { event.preventDefault() } }) }) ``` -------------------------------- ### Implement Custom Permission Handler Source: https://github.com/doyensec/electronegativity/wiki/PERMISSION_REQUEST_HANDLER_JS_CHECK Configure a custom permission request handler to control access to specific permissions, such as 'openExternal', based on the origin of the request. This example denies 'openExternal' permission for any URL other than 'https://doyensec.com'. ```javascript ses.setPermissionRequestHandler((webContents, permission, callback) => { if (webContents.getURL() !== 'https: //doyensec.com' && permission === 'openExternal') { return callback(false) } else { return callback(true) } }) ``` -------------------------------- ### Identify Deprecated and Changed Electron APIs Source: https://context7.com/doyensec/electronegativity/llms.txt Provides examples of Electron API usage that are flagged during version upgrade checks. This includes deprecated APIs (e.g., app.allowRendererProcessReuse in v8) and APIs with changed behavior (e.g., ipcRenderer.send serialization). ```javascript // Example: Deprecated in Electron 8 app.allowRendererProcessReuse = false; // FLAGGED with -u 7..8 // Example: Removed in Electron 7 webFrame.setIsolatedWorldContentSecurityPolicy(1, csp); // FLAGGED with -u 6..7 // Example: Changed in Electron 8 ipcRenderer.send(channel, ...args); // Reviewed for serialization changes ``` -------------------------------- ### Get Electron Session Source: https://github.com/doyensec/electronegativity/wiki/PERMISSION_REQUEST_HANDLER_JS_CHECK Access the session object from a BrowserWindow instance to interact with session-related functionalities like user agent retrieval. ```javascript win = new BrowserWindow() win.loadURL('https://doyensec.com') ses = win.webContents.session console.log(ses.getUserAgent()) ``` -------------------------------- ### Audit BrowserWindow WebPreferences for enableBlinkFeatures Source: https://github.com/doyensec/electronegativity/wiki/BLINK_FEATURES_JS_CHECK Search for `blinkFeatures` or `enableBlinkFeatures` flags set to true within the `webPreferences` of `BrowserWindow`. This example shows how to audit for the `CSSVariables` feature. ```javascript mainWindow = new BrowserWindow({ "webPreferences": { "enableBlinkFeatures": "CSSVariables" } }); ``` -------------------------------- ### Generate the User Manual PDF Source: https://github.com/doyensec/electronegativity/blob/master/docs/resources/DOCUMENTATION.md Execute the conversion command from the docs/resources directory to create the PDF manual. ```sh gwtc -f pdf -n ../manual/ElectronegativityUserManual_v1.x.x -t "Electronegativity

User Manual - March 2019

" --logo-img ./img/logo.svg --footer "Electronegativity © 2017-2019 Doyensec LLC" --toc ../../electronegativity.wiki/Home.md --css ./electronegativitywiki.css --pdf-page-count ../../electronegativity.wiki/ ``` -------------------------------- ### Electronegativity CLI Help Source: https://github.com/doyensec/electronegativity/blob/master/README.md Display the help information for the Electronegativity command-line interface to see all available options and their descriptions. ```bash electronegativity -h ``` -------------------------------- ### Enable Sandbox via Command Line Source: https://github.com/doyensec/electronegativity/wiki/SANDBOX_JS_CHECK Launch your Electron application with the '--enable-sandbox' command-line argument to enforce sandboxing for all BrowserWindow instances. Note that this must be done at startup. ```bash $ electron --enable-sandbox app.js ``` -------------------------------- ### Run all tests Source: https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md Execute the full test suite using the npm test script. ```js $ npm run test ``` -------------------------------- ### Exploiting openExternal with untrusted input Source: https://github.com/doyensec/electronegativity/wiki/OPEN_EXTERNAL_JS_CHECK Demonstrates how openExternal can be used to launch local applications like the Calculator app. ```javascript const { shell } = require('electron') shell.openExternal('file:///Applications/Calculator.app') ``` -------------------------------- ### Display Runtime Versions in Electron Source: https://github.com/doyensec/electronegativity/blob/master/test/checks/AtomicChecks/CSP_HTML_CHECK_1_0.html This snippet shows how to write the versions of Node.js, Chromium, and Electron to the document. It also demonstrates how to require other local JavaScript files to run within the same process. ```javascript document.write(process.versions.node), Chromium document.write(process.versions.chrome), and Electron document.write(process.versions.electron). // You can also require other files to run in this process require('./renderer.js') ``` -------------------------------- ### Clone the wiki repository Source: https://github.com/doyensec/electronegativity/blob/master/docs/resources/DOCUMENTATION.md Retrieve the project wiki content from GitHub. ```sh git clone https://github.com/doyensec/electronegativity.wiki.git ``` -------------------------------- ### Configure Context Isolation Security Source: https://context7.com/doyensec/electronegativity/llms.txt Demonstrates how to properly enable context isolation to prevent prototype pollution. ```javascript // INSECURE: contextIsolation disabled const win = new BrowserWindow({ webPreferences: { contextIsolation: false // FLAGGED: HIGH severity } }); // INSECURE: contextIsolation not specified (false before Electron 12) const win = new BrowserWindow({ webPreferences: { nodeIntegration: false // contextIsolation missing - FLAGGED } }); // SECURE: contextIsolation explicitly enabled const secureWin = new BrowserWindow({ webPreferences: { contextIsolation: true, // Isolates preload scripts nodeIntegration: false } }); ``` -------------------------------- ### Configure Electron Security Warnings in package.json Source: https://github.com/doyensec/electronegativity/wiki/SECURITY_WARNINGS_DISABLED_JSON_CHECK Shows how to disable security warnings by setting the ELECTRON_DISABLE_SECURITY_WARNINGS environment variable within the scripts object. ```JSON { "name": "test-app", "version": "0.0.1", "description": "Here is a test program description", "main": "desktop/src/index.js", "license": "MIT", "scripts": { "build": "../node_modules/.bin/tsc -p .", "start": "yarn run build && cd ../dist && ELECTRON_DISABLE_SECURITY_WARNINGS=true ../desktop/node_modules/.bin/electron .", "postinstall": "install-app-deps" } } ``` -------------------------------- ### Treat Insecure Origins as Secure Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK Use '--unsafely-treat-insecure-origin-as-secure' to designate specific insecure origins as secure. This is intended for testing purposes only and should not be used in production. ```bash --unsafely-treat-insecure-origin-as-secure ``` -------------------------------- ### Integrate Electronegativity with GitHub Actions Source: https://context7.com/doyensec/electronegativity/llms.txt Sets up a GitHub Actions workflow to automatically run Electronegativity scans on code pushes and pull requests. It uses the official 'electronegativity-action' and uploads results in SARIF format. ```yaml # .github/workflows/security.yml name: Electron Security Scan on: push: branches: [main, develop] pull_request: branches: [main] jobs: security-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Run Electronegativity uses: aspect/electronegativity-action@v1 with: input: ./src output: electronegativity-results.sarif - name: Upload SARIF results uses: github/codeql-action/upload-sarif@v2 with: sarif_file: electronegativity-results.sarif ``` -------------------------------- ### Execute Electronegativity via CLI Source: https://context7.com/doyensec/electronegativity/llms.txt Common command-line operations for scanning Electron applications, including filtering by severity, confidence, and specific security checks. ```bash # Install globally via npm npm install @doyensec/electronegativity -g # Basic scan of an Electron application directory electronegativity -i /path/to/electron/app # Scan an ASAR archive and save results to CSV electronegativity -i /path/to/app.asar -o results.csv # Scan with SARIF output format for CI/CD integration electronegativity -i /path/to/electron/app -o results.sarif # Run only specific checks electronegativity -i /path/to/app -l CSPGlobalCheck,NodeIntegrationJSCheck # Exclude specific checks from scan electronegativity -i /path/to/app -x DangerousFunctionsJSCheck # Filter by severity (only HIGH and above) electronegativity -i /path/to/app -s high # Filter by confidence level electronegativity -i /path/to/app -c certain # Show relative paths in output electronegativity -i /path/to/app -r # Check for breaking changes when upgrading Electron versions electronegativity -i /path/to/app -u 7..8 # Override detected Electron version electronegativity -i /path/to/app -e 12.0.0 # Add additional parser plugins for modern syntax electronegativity -i /path/to/app -p optionalChaining,nullishCoalescingOperator ``` -------------------------------- ### Configure VS Code Debugging Source: https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md Launch configuration for debugging Electronegativity within Visual Studio Code. ```json { "version": "0.2.0", "configurations": [ { "type": "node", "request": "launch", "name": "Launch Program", "program": "${workspaceFolder}/dist/index.js", "args": ["-i","${workspaceFolder}/test/checks/"] } ] } ``` -------------------------------- ### Disable Sandbox for Non-SFI NaCl Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK Use '--nacl-dangerous-no-sandbox-nonsfi' to disable the sandbox even for non-SFI NaCl mode. This is particularly unsafe as non-SFI NaCl relies heavily on the seccomp sandbox. ```bash --nacl-dangerous-no-sandbox-nonsfi ``` -------------------------------- ### Audit Electron command line arguments and switches Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JS_CHECK Use this pattern to review how command line arguments and switches are appended to the Electron application process. ```javascript const { app } = require('electron') app.commandLine.appendArgument('debug') app.commandLine.appendSwitch('proxy-server', '8080') ``` -------------------------------- ### Set Content Security Policy (CSP) via JavaScript Source: https://context7.com/doyensec/electronegativity/llms.txt Demonstrates setting a Content Security Policy header dynamically using JavaScript within a webRequest listener. This method is also analyzed by CSP_GLOBAL_CHECK. ```javascript // CSP can also be set via JavaScript session.defaultSession.webRequest.onHeadersReceived((details, callback) => { callback({ responseHeaders: { ...details.responseHeaders, 'Content-Security-Policy': ["default-src 'self'"] // Analyzed by CSP_GLOBAL_CHECK } }); }); ``` -------------------------------- ### Enable Sandbox in BrowserWindow Source: https://github.com/doyensec/electronegativity/wiki/SANDBOX_JS_CHECK Configure a BrowserWindow instance to use the sandbox by setting the 'sandbox' property to true within webPreferences. This is recommended for loading untrusted content. ```javascript mainWindow = new BrowserWindow({ "webPreferences": { "sandbox": true } }); ``` -------------------------------- ### Run Electronegativity Scan Source: https://github.com/doyensec/electronegativity/wiki/Home Invoke Electronegativity from the command line to scan a target. The target can be a source code directory, a JavaScript file, an HTML file, or an ASAR package. Wildcards are supported. ```sh $ electronegativity -i [TARGET] ``` -------------------------------- ### JavaScript BrowserWindow with Shared Affinity Source: https://github.com/doyensec/electronegativity/wiki/AFFINITY_GLOBAL_CHECK Demonstrates creating two BrowserWindow instances with the same `affinity` value but different `webPreferences`. This highlights the risk of shared `webPreferences` and the need for consistency. ```javascript firstWin = new BrowserWindow({ width: 800, height: 600, webPreferences: { nodeIntegration: true, affinity: "secPrefs" } }) secondWin = new BrowserWindow({ width: 800, height: 600, webPreferences: { nodeIntegration: false, affinity: "secPrefs" } }) ``` -------------------------------- ### Import Certificate with app.importCertificate Source: https://github.com/doyensec/electronegativity/wiki/CERTIFICATE_VERIFY_PROC_JS_CHECK This JavaScript snippet demonstrates the usage of `app.importCertificate`. This function is often associated with custom certificate handling, and its incorrect implementation can lead to security vulnerabilities. ```js import { app } from "electron"; let options, callback; app.importCertificate(options, callback); ``` -------------------------------- ### Disable Sandbox for All Processes Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK Use '--no-sandbox' to disable the sandbox for all process types. This should be avoided in production environments as it significantly reduces security. ```bash --no-sandbox ``` -------------------------------- ### Run Electronegativity programmatically Source: https://github.com/doyensec/electronegativity/blob/master/README.md Execute security scans using the Node.js API with configuration options for input paths, output formats, and specific check filters. ```js const run = require('@doyensec/electronegativity') // or: import run from '@doyensec/electronegativity'; run({ // input (directory, .js, .html, .asar) input: '/path/to/electron/app', // save the results to a file in csv or sarif format (optional) output: '/path/for/output/file', // true to save output as sarif, false to save as csv (optional) isSarif: false, // only run the specified checks (optional) customScan: ['dangerousfunctionsjscheck', 'remotemodulejscheck'], // only return findings with the specified level of severity or above (optional) severitySet: 'high', // only return findings with the specified level of confidence or above (optional) confidenceSet: 'certain', // show relative path for files (optional) isRelative: false, // run Electron upgrade checks, eg -u 7..8 to check upgrade from Electron 7 to 8 (optional) electronUpgrade: '7..8', // assume the set Electron version, overriding the detected one electronVersion: '5.0.0', // use additional parser plugins parserPlugins: ['optionalChaining'] }) .then(result => console.log(result)) .catch(err => console.error(err)); ``` -------------------------------- ### GDB Script for NaCl Debugger Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK The '--nacl-gdb-script' flag provides a GDB script to be passed to the nacl-gdb debugger at startup. ```bash --nacl-gdb-script ``` -------------------------------- ### Check webPreferences for webSecurity: false Source: https://github.com/doyensec/electronegativity/wiki/WEB_SECURITY_JS_CHECK Inspect the BrowserWindow configuration to ensure webSecurity is not set to false. ```js mainWindow = new BrowserWindow({ "webPreferences": { "webSecurity": false } }); ``` -------------------------------- ### Integrate Electronegativity Programmatically Source: https://context7.com/doyensec/electronegativity/llms.txt Use the run function to execute scans within Node.js applications and process the returned issue objects. ```javascript const run = require('@doyensec/electronegativity'); // Full scan with all options run({ // Required: input directory, file, or .asar archive input: '/path/to/electron/app', // Optional: save results to file (csv or sarif) output: '/path/to/output/results.sarif', isSarif: true, // Optional: only run specific checks (lowercase names) customScan: ['nodeintegrationjscheck', 'contextisolationjscheck'], // Optional: filter by severity ('high', 'medium', 'low', 'informational') severitySet: 'medium', // Optional: filter by confidence ('certain', 'firm', 'tentative') confidenceSet: 'firm', // Optional: use relative paths in results isRelative: true, // Optional: check for upgrade breaking changes (e.g., '7..8') electronUpgrade: '11..12', // Optional: override detected Electron version electronVersion: '12.0.0', // Optional: additional babel parser plugins parserPlugins: ['optionalChaining'] }) .then(result => { console.log(`Global checks run: ${result.globalChecks}`); console.log(`Atomic checks run: ${result.atomicChecks}`); console.log(`Parse errors: ${result.errors.length}`); console.log(`Issues found: ${result.issues.length}`); // Process each issue result.issues.forEach(issue => { console.log(`[${issue.severity.name}] ${issue.id}`); console.log(` File: ${issue.file}`); console.log(` Location: ${issue.location.line}:${issue.location.column}`); console.log(` Description: ${issue.description}`); console.log(` Sample: ${issue.sample}`); console.log(` Manual Review: ${issue.manualReview}`); console.log(` Reference: ${issue.shortenedURL}`); }); }) .catch(err => console.error('Scan failed:', err)); ``` -------------------------------- ### Analyze Content Security Policy (CSP) in HTML Source: https://context7.com/doyensec/electronegativity/llms.txt Checks HTML meta tags for Content Security Policy weaknesses, including missing CSP, 'unsafe-inline', and 'unsafe-eval'. Secure configurations use strict directives like 'self'. ```html ``` -------------------------------- ### Implement Custom Security Check in JavaScript Source: https://context7.com/doyensec/electronegativity/llms.txt Use this class structure to define custom security checks. The `match` method analyzes AST nodes for specific patterns, returning an array of findings or null if no issue is detected. Ensure correct `id`, `description`, `type`, and `shortenedURL` are set in the constructor. ```javascript import { sourceTypes } from '../parser/types'; import { severity, confidence } from '../finder/attributes'; export default class CustomSecurityCheck { constructor() { this.id = 'CUSTOM_SECURITY_CHECK'; this.description = 'Description of security issue'; this.type = sourceTypes.JAVASCRIPT; // or HTML, JSON this.shortenedURL = 'https://example.com/docs'; } // For JavaScript checks - receives AST node match(astNode, astHelper, scope, defaults, electronVersion) { // Return null if no match if (astNode.type !== 'CallExpression') return null; // Check for specific pattern if (astNode.callee.name === 'dangerousFunction') { return [{ line: astNode.loc.start.line, column: astNode.loc.start.column, id: this.id, description: this.description, shortenedURL: this.shortenedURL, severity: severity.HIGH, confidence: confidence.CERTAIN, manualReview: false }]; } return null; } } ``` -------------------------------- ### Bypass Sandbox with Internal Electron IPC in Preload Source: https://github.com/doyensec/electronegativity/wiki/PRELOAD_JS_CHECK This technique allows Node.js API access from preload scripts by sending synchronous IPC messages to the main process. Requires 'electron' module. ```javascript const { ipcRenderer } = require('electron') app = ipcRenderer.sendSync('ELECTRON_BROWSER_GET_BUILTIN', 'app') ``` -------------------------------- ### Implement a Custom Atomic Check Source: https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md Template for creating a new security check class with a match function. ```javascript import { sourceTypes } from '../../parser/types'; import { severity, confidence } from '../../attributes'; export default class MyCustomHTMLCheck { constructor() { this.id = 'MY_CUSTOM_HTML_CHECK'; this.description = `this is a custom check`; this.type = sourceTypes.JAVASCRIPT; } match(cheerioObj, content){ // do magic // either return an object with row and col, or null meaning no issues were identified // also remember to set the following properties in the returned obj: // - "line" of the file where the issue is found // - "column" of the file where the issue is found // - "id" of the issue (i.e. this.id) // - "description" of the issue (i.e. this.description) // - "properties" object (optional) with internal information about the findings, useful in combination with a GlobalCheck // - "severity" level from finder/attributes.js (e.g. severity.MEDIUM) // - "confidence" level from finder/attributes.js (e.g. confidence.TENTATIVE) // - "manualReview" boolean flag to indicate if the finding should be manually reviewed } } ``` -------------------------------- ### Check Electron Version Upgrade Changes Source: https://context7.com/doyensec/electronegativity/llms.txt Uses the 'electronegativity' CLI tool to identify breaking changes and deprecated APIs between specified Electron versions. Useful for managing upgrades and ensuring compatibility. ```bash # Check for breaking changes when upgrading from Electron 7 to 8 electronegativity -i /path/to/app -u 7..8 # Check multiple version jumps electronegativity -i /path/to/app -u 5..12 ``` -------------------------------- ### Reduce Security for Testing Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK The '--reduce-security-for-testing' flag enables more web features over insecure connections. It is designed exclusively for testing environments. ```bash --reduce-security-for-testing ``` -------------------------------- ### Bypass Sandbox with Remote Module in Preload Source: https://github.com/doyensec/electronegativity/wiki/PRELOAD_JS_CHECK Use this method to access Node.js APIs from a preload script even when the sandbox is enabled. Requires 'electron' module. ```javascript app = require('electron').remote.app ``` -------------------------------- ### Audit BrowserWindow for allowRunningInsecureContent Source: https://github.com/doyensec/electronegativity/wiki/INSECURE_CONTENT_JS_CHECK Search for instances where allowRunningInsecureContent is set to true within webPreferences to prevent mixed content vulnerabilities. ```js mainWindow = new BrowserWindow({ "webPreferences": { "allowRunningInsecureContent": true } }); ``` -------------------------------- ### Scan Electron App Directory Source: https://github.com/doyensec/electronegativity/blob/master/README.md Use Electronegativity to scan a directory containing an Electron application for potential security issues. The `-i` flag specifies the input path. ```bash electronegativity -i /path/to/electron/app ``` -------------------------------- ### Enable Node Integration in WebView Source: https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_HTML_CHECK When the `nodeintegration` attribute is present on a webview tag, the guest page will have Node integration enabled. This is generally discouraged for untrusted content. ```xml ``` -------------------------------- ### Audit webview for experimental features Source: https://github.com/doyensec/electronegativity/wiki/EXPERIMENTAL_FEATURES_HTML_CHECK Search for webview tags where experimentalCanvasFeatures or experimentalFeatures are enabled. ```xml ``` -------------------------------- ### Audit for Insecure Content Setting in Webview Source: https://github.com/doyensec/electronegativity/wiki/INSECURE_CONTENT_HTML_CHECK Search for `allowRunningInsecureContent=true` within the `webPreferences` attribute of the `webview` tag to identify potential security risks. This setting should generally be avoided. ```xml ``` -------------------------------- ### Increase Node.js Heap Size for Large Scans Source: https://github.com/doyensec/electronegativity/blob/master/README.md If encountering 'JavaScript heap out of memory' errors, run Electronegativity with an increased Node.js heap size. This command allocates 4096MB of memory for the Node.js process. ```bash node --max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv ``` -------------------------------- ### Network Log Capture Modes Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK The '--net-log-capture-mode' switch controls the granularity of events captured in the network log. Possible values include 'Default', 'IncludeCookiesAndCredentials', and 'IncludeSocketBytes'. ```bash --net-log-capture-mode ``` -------------------------------- ### Limit Navigation with 'will-navigate' Event Source: https://github.com/doyensec/electronegativity/wiki/LIMIT_NAVIGATION_JS_CHECK Implement this snippet to prevent navigation to URLs other than a specified origin. Ensure the `win.webContents.getURL()` check is correctly configured for your application's allowed origins. ```javascript win.webContents.on('will-navigate', (event, newURL) => { if (win.webContents.getURL() !== 'https://doyensec.com' ) { event.preventDefault(); } }) ``` -------------------------------- ### Scan ASAR Archive and Save Results Source: https://github.com/doyensec/electronegativity/blob/master/README.md Analyze an `asar` archive with Electronegativity and save the findings to a CSV file. The `-o` flag specifies the output file name. ```bash electronegativity -i /path/to/asar/archive -o result.csv ``` -------------------------------- ### Export results to CSV Source: https://github.com/doyensec/electronegativity/wiki/Home Generates a comma-separated file containing issue details alongside standard terminal output. ```sh $ electronegativity -i [TARGET] -o output.csv ``` -------------------------------- ### Export results to SARIF Source: https://github.com/doyensec/electronegativity/wiki/Home Generates a JSON-based SARIF file following the standard schema for static analysis results. ```sh $ electronegativity -i [TARGET] -o output.sarif ``` -------------------------------- ### Atomic check test file naming convention Source: https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md Files for atomic checks must follow the format __.. ```text NODE_INTEGRATION_JS_CHECK_1_0.js ``` -------------------------------- ### Global check directory structure Source: https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md Global check tests are organized into directories within test/checks/GlobalChecks/ following the atomic naming convention. ```text test checks GlobalChecks CSP_GLOBAL_CHECK_1_0 index.html main.js renderer.js CSP_GLOBAL_CHECK_1_1 index.html main.js renderer.js ``` -------------------------------- ### Audit experimentalCanvasFeatures in BrowserWindow Source: https://github.com/doyensec/electronegativity/wiki/EXPERIMENTAL_FEATURES_JS_CHECK Search for this configuration in webPreferences to identify enabled experimental canvas features. ```js mainWindow = new BrowserWindow({ "webPreferences": { "experimentalCanvasFeatures": true } }); ``` -------------------------------- ### Detect Unsafe shell.openExternal Usage in JavaScript Source: https://context7.com/doyensec/electronegativity/llms.txt Identifies potentially unsafe usage of shell.openExternal with dynamic or user-controlled URLs. Manual review is required for flagged instances. Safe usage involves constant URLs or validated protocols. ```javascript const { shell } = require('electron'); // FLAGGED: openExternal with dynamic URL (user-controlled) const userUrl = getUrlFromUser(); shell.openExternal(userUrl); // OPEN_EXTERNAL_JS_CHECK - manual review required // FLAGGED: openExternal from event handler with dynamic source ipcMain.on('open-link', (event, url) => { shell.openExternal(url); // FLAGGED: url is user-supplied }); // SAFE: openExternal with constant URL shell.openExternal('https://example.com'); // Not flagged // RECOMMENDED: Validate URLs before opening const allowedProtocols = ['https:', 'mailto:']; function safeOpenExternal(url) { try { const parsed = new URL(url); if (allowedProtocols.includes(parsed.protocol)) { shell.openExternal(url); } } catch (e) { console.error('Invalid URL'); } } ``` -------------------------------- ### Inspect scan result structure Source: https://github.com/doyensec/electronegativity/blob/master/README.md The programmatic run returns an object containing check counts, parsing errors, and a list of identified security issues. ```js { globalChecks: 6, atomicChecks: 36, errors: [ { file: 'ts/main/main.ts', sample: 'shell.openExternal(url);', location: { line: 328, column: 4 }, id: 'OPEN_EXTERNAL_JS_CHECK', description: 'Review the use of openExternal', properties: undefined, severity: { value: 2, name: 'MEDIUM', format: [Function: format] }, confidence: { value: 0, name: 'TENTATIVE', format: [Function: format] }, manualReview: true, shortenedURL: 'https://git.io/JeuMC' }, { file: 'ts/main/main.ts', sample: 'const popup = new BrowserWindow(options);', location: { line: 340, column: 18 }, id: 'CONTEXT_ISOLATION_JS_CHECK', description: 'Review the use of the contextIsolation option', properties: undefined, severity: { value: 3, name: 'HIGH', format: [Function: format] }, confidence: { value: 1, name: 'FIRM', format: [Function: format] }, manualReview: false, shortenedURL: 'https://git.io/Jeu1p' } ] } ``` -------------------------------- ### Disable Certificate Verification with setCertificateVerifyProc Source: https://github.com/doyensec/electronegativity/wiki/CERTIFICATE_VERIFY_PROC_JS_CHECK This JavaScript code snippet shows how to use `setCertificateVerifyProc` to disable certificate verification for specific hostnames. Use with caution as it bypasses security checks. ```js win.webContents.session.setCertificateVerifyProc((request, callback) => { const { hostname } = request; if (hostname === 'doyensec.com') { callback(0) //success and disables certificate verification } else { callback(-3) //use the verification result from chromium } }) ``` -------------------------------- ### Disable Electron Security Warnings via win.webContents Source: https://github.com/doyensec/electronegativity/wiki/SECURITY_WARNINGS_DISABLED_JS_CHECK Modify the win.webContents object to disable security warnings by setting the ELECTRON_DISABLE_SECURITY_WARNINGS property to true. This method targets the web contents of a specific window. ```javascript win.webContents["ELECTRON_DISABLE_SECURITY_WARNINGS"] = true; ``` -------------------------------- ### Audit webview for allowpopups attribute Source: https://github.com/doyensec/electronegativity/wiki/ALLOWPOPUPS_HTML_CHECK Identify instances where the allowpopups attribute is enabled in webview tags. ```xml ``` -------------------------------- ### Detecting Insecure certificate-error Handling Source: https://github.com/doyensec/electronegativity/wiki/CERTIFICATE_ERROR_EVENT_JS_CHECK Identifies code blocks that manually override certificate validation errors by calling the callback with true. ```javascript app.on('certificate-error', (event, webContents, url, error, certificate, callback) => { //error in cert if (url === 'https://doyensec.com') { callback(true) //its okay, go ahead anyway } else { callback(false) } }) ``` -------------------------------- ### Disable Electron Security Warnings via process.env Source: https://github.com/doyensec/electronegativity/wiki/SECURITY_WARNINGS_DISABLED_JS_CHECK Set the ELECTRON_DISABLE_SECURITY_WARNINGS environment variable to true to disable security warnings. This is a common method for developers to suppress these messages. ```javascript process.env["ELECTRON_DISABLE_SECURITY_WARNINGS"] = true; ``` -------------------------------- ### Suppress Security Checks with Inline Comments Source: https://context7.com/doyensec/electronegativity/llms.txt Demonstrates how to disable specific security checks for lines or entire files using inline comments in JavaScript and HTML. ```javascript // Disable a single check for one line const res = eval(safeVariable); /* eng-disable DANGEROUS_FUNCTIONS_JS_CHECK */ // Disable multiple checks for one line shell.openExternal(eval(safeVar)); /* eng-disable OPEN_EXTERNAL_JS_CHECK DANGEROUS_FUNCTIONS_JS_CHECK */ // Disable check for entire file (place at top before any code) /* eng-disable CONTEXT_ISOLATION_JS_CHECK */ const { BrowserWindow } = require('electron'); // ... rest of file ``` ```html ``` -------------------------------- ### Check Electron Upgrade Breaking Changes Source: https://github.com/doyensec/electronegativity/blob/master/README.md Use Electronegativity to identify breaking changes when upgrading an Electron application from one version to another. The `-u` flag specifies the version range. ```bash electronegativity -i /path/to/electron/app -v -u 7..8 ``` -------------------------------- ### Detect Disabled Web Security in BrowserWindow Source: https://context7.com/doyensec/electronegativity/llms.txt Flags instances where web security features are disabled in BrowserWindow, specifically when 'webSecurity' is set to false or 'allowRunningInsecureContent' is enabled. These settings reduce same-origin policy protections. ```javascript // FLAGGED: webSecurity disabled const win = new BrowserWindow({ webPreferences: { webSecurity: false // WEB_SECURITY_JS_CHECK - HIGH severity } }); // FLAGGED: allowRunningInsecureContent enabled const win = new BrowserWindow({ webPreferences: { allowRunningInsecureContent: true // INSECURE_CONTENT_JS_CHECK } }); ``` -------------------------------- ### Identify Dangerous Function Usage Source: https://context7.com/doyensec/electronegativity/llms.txt Highlights patterns that trigger the DANGEROUS_FUNCTIONS_JS_CHECK, such as dynamic code execution. ```javascript // FLAGGED: eval with dynamic input const userInput = getUserInput(); eval(userInput); // DANGEROUS_FUNCTIONS_JS_CHECK // FLAGGED: Function constructor with variables const code = buildDynamicCode(); new Function(code)(); // FLAGGED // FLAGGED: setTimeout/setInterval with string argument setTimeout(dynamicString, 1000); // FLAGGED // FLAGGED: executeJavaScript with non-constant argument const script = getScript(); webContents.executeJavaScript(script); // FLAGGED // FLAGGED: insertCSS with dynamic content const css = buildCSS(userTheme); webContents.insertCSS(css); // FLAGGED // SAFE: Constant string arguments are not flagged eval('console.log("static")'); // Not flagged webContents.executeJavaScript('window.init()'); // Not flagged ``` -------------------------------- ### Identify blinkfeatures in webview tags Source: https://github.com/doyensec/electronegativity/wiki/BLINK_FEATURES_HTML_CHECK Search for the blinkfeatures attribute within webview tags to detect enabled experimental Chromium features. ```xml ``` -------------------------------- ### Prevent Navigation to Untrusted Origins in Electron Source: https://github.com/doyensec/electronegativity/wiki/AUXCLICK_HTML_CHECK Use the `will-navigate` event on `webContents` to intercept and prevent navigation to URLs other than the trusted origin. Ensure the `BrowserWindow` or webview guest page cannot initiate new navigation flows to untrusted origins. ```javascript win.webContents.on('will-navigate', (event, newURL) => { if (win.webContents.getURL() !== 'https://doyensec.com') { event.preventDefault(); } }) ``` -------------------------------- ### Disable Electron Security Warnings via window object Source: https://github.com/doyensec/electronegativity/wiki/SECURITY_WARNINGS_DISABLED_JS_CHECK Set the ELECTRON_DISABLE_SECURITY_WARNINGS property directly on the window object to true. This is another way to programmatically disable security warnings within an Electron application. ```javascript window.ELECTRON_DISABLE_SECURITY_WARNINGS = true; ``` -------------------------------- ### Disable Web Security Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK The '--disable-web-security' flag is used in package.json scripts to bypass standard web security measures. This is highly discouraged for production applications. ```javascript "scripts": { "run": "node dist/index.js --disable-web-security" } ``` -------------------------------- ### Detect Disabled Web Security in webview Source: https://context7.com/doyensec/electronegativity/llms.txt Identifies security risks in webview tags where 'disablewebsecurity' attribute is present or 'allowRunningInsecureContent' is enabled. These configurations bypass standard web security measures. ```html ``` -------------------------------- ### Detecting disablewebsecurity in webview Source: https://github.com/doyensec/electronegativity/wiki/WEB_SECURITY_HTML_CHECK Identify the use of the disablewebsecurity attribute within a webview tag. ```html ```