### Install dependencies
Source: https://github.com/doyensec/electronegativity/blob/master/docs/resources/DOCUMENTATION.md
Install the required conversion tools via npm and apt. Ensure the wkhtmltopdf version is sufficient for rendering.
```sh
sudo npm install -g github-wikito-converter
sudo apt-get install wkhtmltopdf
```
--------------------------------
### Install Electronegativity
Source: https://github.com/doyensec/electronegativity/blob/master/README.md
Install the Electronegativity tool globally using NPM. This command makes the `electronegativity` CLI available on your system.
```bash
npm install @doyensec/electronegativity -g
```
--------------------------------
### Install Electronegativity Globally
Source: https://github.com/doyensec/electronegativity/wiki/Home
Install the Electronegativity tool globally using NPM. This makes the command-line interface available system-wide.
```sh
$ npm install @doyensec/electronegativity -g
```
--------------------------------
### Build and Run Electronegativity
Source: https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md
Commands to install dependencies, build the project, and display help information.
```bash
$ npm ci # So we have a deterministic, repeatable build
$ npm run build
$ node dist/index.js -h
```
--------------------------------
### Enable Node Integration in BrowserWindow
Source: https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_JS_CHECK
This example shows how `nodeIntegration` is enabled by default or explicitly set to true. Ensure this is disabled for untrusted origins.
```javascript
mainWindow = new BrowserWindow({
"webPreferences": {
"nodeIntegration": true,
"nodeIntegrationInWorker": 1
}
});
```
```javascript
const mainWindow = new BrowserWindow();
```
--------------------------------
### Identify insecure webview source
Source: https://github.com/doyensec/electronegativity/wiki/HTTP_RESOURCES_HTML_CHECK
Example of an insecure webview tag loading content over HTTP.
```xml
User Manual - March 2019
" --logo-img ./img/logo.svg --footer "Electronegativity © 2017-2019 Doyensec LLC" --toc ../../electronegativity.wiki/Home.md --css ./electronegativitywiki.css --pdf-page-count ../../electronegativity.wiki/ ``` -------------------------------- ### Electronegativity CLI Help Source: https://github.com/doyensec/electronegativity/blob/master/README.md Display the help information for the Electronegativity command-line interface to see all available options and their descriptions. ```bash electronegativity -h ``` -------------------------------- ### Enable Sandbox via Command Line Source: https://github.com/doyensec/electronegativity/wiki/SANDBOX_JS_CHECK Launch your Electron application with the '--enable-sandbox' command-line argument to enforce sandboxing for all BrowserWindow instances. Note that this must be done at startup. ```bash $ electron --enable-sandbox app.js ``` -------------------------------- ### Run all tests Source: https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md Execute the full test suite using the npm test script. ```js $ npm run test ``` -------------------------------- ### Exploiting openExternal with untrusted input Source: https://github.com/doyensec/electronegativity/wiki/OPEN_EXTERNAL_JS_CHECK Demonstrates how openExternal can be used to launch local applications like the Calculator app. ```javascript const { shell } = require('electron') shell.openExternal('file:///Applications/Calculator.app') ``` -------------------------------- ### Display Runtime Versions in Electron Source: https://github.com/doyensec/electronegativity/blob/master/test/checks/AtomicChecks/CSP_HTML_CHECK_1_0.html This snippet shows how to write the versions of Node.js, Chromium, and Electron to the document. It also demonstrates how to require other local JavaScript files to run within the same process. ```javascript document.write(process.versions.node), Chromium document.write(process.versions.chrome), and Electron document.write(process.versions.electron). // You can also require other files to run in this process require('./renderer.js') ``` -------------------------------- ### Clone the wiki repository Source: https://github.com/doyensec/electronegativity/blob/master/docs/resources/DOCUMENTATION.md Retrieve the project wiki content from GitHub. ```sh git clone https://github.com/doyensec/electronegativity.wiki.git ``` -------------------------------- ### Configure Context Isolation Security Source: https://context7.com/doyensec/electronegativity/llms.txt Demonstrates how to properly enable context isolation to prevent prototype pollution. ```javascript // INSECURE: contextIsolation disabled const win = new BrowserWindow({ webPreferences: { contextIsolation: false // FLAGGED: HIGH severity } }); // INSECURE: contextIsolation not specified (false before Electron 12) const win = new BrowserWindow({ webPreferences: { nodeIntegration: false // contextIsolation missing - FLAGGED } }); // SECURE: contextIsolation explicitly enabled const secureWin = new BrowserWindow({ webPreferences: { contextIsolation: true, // Isolates preload scripts nodeIntegration: false } }); ``` -------------------------------- ### Configure Electron Security Warnings in package.json Source: https://github.com/doyensec/electronegativity/wiki/SECURITY_WARNINGS_DISABLED_JSON_CHECK Shows how to disable security warnings by setting the ELECTRON_DISABLE_SECURITY_WARNINGS environment variable within the scripts object. ```JSON { "name": "test-app", "version": "0.0.1", "description": "Here is a test program description", "main": "desktop/src/index.js", "license": "MIT", "scripts": { "build": "../node_modules/.bin/tsc -p .", "start": "yarn run build && cd ../dist && ELECTRON_DISABLE_SECURITY_WARNINGS=true ../desktop/node_modules/.bin/electron .", "postinstall": "install-app-deps" } } ``` -------------------------------- ### Treat Insecure Origins as Secure Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK Use '--unsafely-treat-insecure-origin-as-secure' to designate specific insecure origins as secure. This is intended for testing purposes only and should not be used in production. ```bash --unsafely-treat-insecure-origin-as-secure ``` -------------------------------- ### Integrate Electronegativity with GitHub Actions Source: https://context7.com/doyensec/electronegativity/llms.txt Sets up a GitHub Actions workflow to automatically run Electronegativity scans on code pushes and pull requests. It uses the official 'electronegativity-action' and uploads results in SARIF format. ```yaml # .github/workflows/security.yml name: Electron Security Scan on: push: branches: [main, develop] pull_request: branches: [main] jobs: security-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Run Electronegativity uses: aspect/electronegativity-action@v1 with: input: ./src output: electronegativity-results.sarif - name: Upload SARIF results uses: github/codeql-action/upload-sarif@v2 with: sarif_file: electronegativity-results.sarif ``` -------------------------------- ### Execute Electronegativity via CLI Source: https://context7.com/doyensec/electronegativity/llms.txt Common command-line operations for scanning Electron applications, including filtering by severity, confidence, and specific security checks. ```bash # Install globally via npm npm install @doyensec/electronegativity -g # Basic scan of an Electron application directory electronegativity -i /path/to/electron/app # Scan an ASAR archive and save results to CSV electronegativity -i /path/to/app.asar -o results.csv # Scan with SARIF output format for CI/CD integration electronegativity -i /path/to/electron/app -o results.sarif # Run only specific checks electronegativity -i /path/to/app -l CSPGlobalCheck,NodeIntegrationJSCheck # Exclude specific checks from scan electronegativity -i /path/to/app -x DangerousFunctionsJSCheck # Filter by severity (only HIGH and above) electronegativity -i /path/to/app -s high # Filter by confidence level electronegativity -i /path/to/app -c certain # Show relative paths in output electronegativity -i /path/to/app -r # Check for breaking changes when upgrading Electron versions electronegativity -i /path/to/app -u 7..8 # Override detected Electron version electronegativity -i /path/to/app -e 12.0.0 # Add additional parser plugins for modern syntax electronegativity -i /path/to/app -p optionalChaining,nullishCoalescingOperator ``` -------------------------------- ### Configure VS Code Debugging Source: https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md Launch configuration for debugging Electronegativity within Visual Studio Code. ```json { "version": "0.2.0", "configurations": [ { "type": "node", "request": "launch", "name": "Launch Program", "program": "${workspaceFolder}/dist/index.js", "args": ["-i","${workspaceFolder}/test/checks/"] } ] } ``` -------------------------------- ### Disable Sandbox for Non-SFI NaCl Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK Use '--nacl-dangerous-no-sandbox-nonsfi' to disable the sandbox even for non-SFI NaCl mode. This is particularly unsafe as non-SFI NaCl relies heavily on the seccomp sandbox. ```bash --nacl-dangerous-no-sandbox-nonsfi ``` -------------------------------- ### Audit Electron command line arguments and switches Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JS_CHECK Use this pattern to review how command line arguments and switches are appended to the Electron application process. ```javascript const { app } = require('electron') app.commandLine.appendArgument('debug') app.commandLine.appendSwitch('proxy-server', '8080') ``` -------------------------------- ### Set Content Security Policy (CSP) via JavaScript Source: https://context7.com/doyensec/electronegativity/llms.txt Demonstrates setting a Content Security Policy header dynamically using JavaScript within a webRequest listener. This method is also analyzed by CSP_GLOBAL_CHECK. ```javascript // CSP can also be set via JavaScript session.defaultSession.webRequest.onHeadersReceived((details, callback) => { callback({ responseHeaders: { ...details.responseHeaders, 'Content-Security-Policy': ["default-src 'self'"] // Analyzed by CSP_GLOBAL_CHECK } }); }); ``` -------------------------------- ### Enable Sandbox in BrowserWindow Source: https://github.com/doyensec/electronegativity/wiki/SANDBOX_JS_CHECK Configure a BrowserWindow instance to use the sandbox by setting the 'sandbox' property to true within webPreferences. This is recommended for loading untrusted content. ```javascript mainWindow = new BrowserWindow({ "webPreferences": { "sandbox": true } }); ``` -------------------------------- ### Run Electronegativity Scan Source: https://github.com/doyensec/electronegativity/wiki/Home Invoke Electronegativity from the command line to scan a target. The target can be a source code directory, a JavaScript file, an HTML file, or an ASAR package. Wildcards are supported. ```sh $ electronegativity -i [TARGET] ``` -------------------------------- ### JavaScript BrowserWindow with Shared Affinity Source: https://github.com/doyensec/electronegativity/wiki/AFFINITY_GLOBAL_CHECK Demonstrates creating two BrowserWindow instances with the same `affinity` value but different `webPreferences`. This highlights the risk of shared `webPreferences` and the need for consistency. ```javascript firstWin = new BrowserWindow({ width: 800, height: 600, webPreferences: { nodeIntegration: true, affinity: "secPrefs" } }) secondWin = new BrowserWindow({ width: 800, height: 600, webPreferences: { nodeIntegration: false, affinity: "secPrefs" } }) ``` -------------------------------- ### Import Certificate with app.importCertificate Source: https://github.com/doyensec/electronegativity/wiki/CERTIFICATE_VERIFY_PROC_JS_CHECK This JavaScript snippet demonstrates the usage of `app.importCertificate`. This function is often associated with custom certificate handling, and its incorrect implementation can lead to security vulnerabilities. ```js import { app } from "electron"; let options, callback; app.importCertificate(options, callback); ``` -------------------------------- ### Disable Sandbox for All Processes Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK Use '--no-sandbox' to disable the sandbox for all process types. This should be avoided in production environments as it significantly reduces security. ```bash --no-sandbox ``` -------------------------------- ### Run Electronegativity programmatically Source: https://github.com/doyensec/electronegativity/blob/master/README.md Execute security scans using the Node.js API with configuration options for input paths, output formats, and specific check filters. ```js const run = require('@doyensec/electronegativity') // or: import run from '@doyensec/electronegativity'; run({ // input (directory, .js, .html, .asar) input: '/path/to/electron/app', // save the results to a file in csv or sarif format (optional) output: '/path/for/output/file', // true to save output as sarif, false to save as csv (optional) isSarif: false, // only run the specified checks (optional) customScan: ['dangerousfunctionsjscheck', 'remotemodulejscheck'], // only return findings with the specified level of severity or above (optional) severitySet: 'high', // only return findings with the specified level of confidence or above (optional) confidenceSet: 'certain', // show relative path for files (optional) isRelative: false, // run Electron upgrade checks, eg -u 7..8 to check upgrade from Electron 7 to 8 (optional) electronUpgrade: '7..8', // assume the set Electron version, overriding the detected one electronVersion: '5.0.0', // use additional parser plugins parserPlugins: ['optionalChaining'] }) .then(result => console.log(result)) .catch(err => console.error(err)); ``` -------------------------------- ### GDB Script for NaCl Debugger Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK The '--nacl-gdb-script' flag provides a GDB script to be passed to the nacl-gdb debugger at startup. ```bash --nacl-gdb-script ``` -------------------------------- ### Check webPreferences for webSecurity: false Source: https://github.com/doyensec/electronegativity/wiki/WEB_SECURITY_JS_CHECK Inspect the BrowserWindow configuration to ensure webSecurity is not set to false. ```js mainWindow = new BrowserWindow({ "webPreferences": { "webSecurity": false } }); ``` -------------------------------- ### Integrate Electronegativity Programmatically Source: https://context7.com/doyensec/electronegativity/llms.txt Use the run function to execute scans within Node.js applications and process the returned issue objects. ```javascript const run = require('@doyensec/electronegativity'); // Full scan with all options run({ // Required: input directory, file, or .asar archive input: '/path/to/electron/app', // Optional: save results to file (csv or sarif) output: '/path/to/output/results.sarif', isSarif: true, // Optional: only run specific checks (lowercase names) customScan: ['nodeintegrationjscheck', 'contextisolationjscheck'], // Optional: filter by severity ('high', 'medium', 'low', 'informational') severitySet: 'medium', // Optional: filter by confidence ('certain', 'firm', 'tentative') confidenceSet: 'firm', // Optional: use relative paths in results isRelative: true, // Optional: check for upgrade breaking changes (e.g., '7..8') electronUpgrade: '11..12', // Optional: override detected Electron version electronVersion: '12.0.0', // Optional: additional babel parser plugins parserPlugins: ['optionalChaining'] }) .then(result => { console.log(`Global checks run: ${result.globalChecks}`); console.log(`Atomic checks run: ${result.atomicChecks}`); console.log(`Parse errors: ${result.errors.length}`); console.log(`Issues found: ${result.issues.length}`); // Process each issue result.issues.forEach(issue => { console.log(`[${issue.severity.name}] ${issue.id}`); console.log(` File: ${issue.file}`); console.log(` Location: ${issue.location.line}:${issue.location.column}`); console.log(` Description: ${issue.description}`); console.log(` Sample: ${issue.sample}`); console.log(` Manual Review: ${issue.manualReview}`); console.log(` Reference: ${issue.shortenedURL}`); }); }) .catch(err => console.error('Scan failed:', err)); ``` -------------------------------- ### Analyze Content Security Policy (CSP) in HTML Source: https://context7.com/doyensec/electronegativity/llms.txt Checks HTML meta tags for Content Security Policy weaknesses, including missing CSP, 'unsafe-inline', and 'unsafe-eval'. Secure configurations use strict directives like 'self'. ```html ``` -------------------------------- ### Implement Custom Security Check in JavaScript Source: https://context7.com/doyensec/electronegativity/llms.txt Use this class structure to define custom security checks. The `match` method analyzes AST nodes for specific patterns, returning an array of findings or null if no issue is detected. Ensure correct `id`, `description`, `type`, and `shortenedURL` are set in the constructor. ```javascript import { sourceTypes } from '../parser/types'; import { severity, confidence } from '../finder/attributes'; export default class CustomSecurityCheck { constructor() { this.id = 'CUSTOM_SECURITY_CHECK'; this.description = 'Description of security issue'; this.type = sourceTypes.JAVASCRIPT; // or HTML, JSON this.shortenedURL = 'https://example.com/docs'; } // For JavaScript checks - receives AST node match(astNode, astHelper, scope, defaults, electronVersion) { // Return null if no match if (astNode.type !== 'CallExpression') return null; // Check for specific pattern if (astNode.callee.name === 'dangerousFunction') { return [{ line: astNode.loc.start.line, column: astNode.loc.start.column, id: this.id, description: this.description, shortenedURL: this.shortenedURL, severity: severity.HIGH, confidence: confidence.CERTAIN, manualReview: false }]; } return null; } } ``` -------------------------------- ### Bypass Sandbox with Internal Electron IPC in Preload Source: https://github.com/doyensec/electronegativity/wiki/PRELOAD_JS_CHECK This technique allows Node.js API access from preload scripts by sending synchronous IPC messages to the main process. Requires 'electron' module. ```javascript const { ipcRenderer } = require('electron') app = ipcRenderer.sendSync('ELECTRON_BROWSER_GET_BUILTIN', 'app') ``` -------------------------------- ### Implement a Custom Atomic Check Source: https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md Template for creating a new security check class with a match function. ```javascript import { sourceTypes } from '../../parser/types'; import { severity, confidence } from '../../attributes'; export default class MyCustomHTMLCheck { constructor() { this.id = 'MY_CUSTOM_HTML_CHECK'; this.description = `this is a custom check`; this.type = sourceTypes.JAVASCRIPT; } match(cheerioObj, content){ // do magic // either return an object with row and col, or null meaning no issues were identified // also remember to set the following properties in the returned obj: // - "line" of the file where the issue is found // - "column" of the file where the issue is found // - "id" of the issue (i.e. this.id) // - "description" of the issue (i.e. this.description) // - "properties" object (optional) with internal information about the findings, useful in combination with a GlobalCheck // - "severity" level from finder/attributes.js (e.g. severity.MEDIUM) // - "confidence" level from finder/attributes.js (e.g. confidence.TENTATIVE) // - "manualReview" boolean flag to indicate if the finding should be manually reviewed } } ``` -------------------------------- ### Check Electron Version Upgrade Changes Source: https://context7.com/doyensec/electronegativity/llms.txt Uses the 'electronegativity' CLI tool to identify breaking changes and deprecated APIs between specified Electron versions. Useful for managing upgrades and ensuring compatibility. ```bash # Check for breaking changes when upgrading from Electron 7 to 8 electronegativity -i /path/to/app -u 7..8 # Check multiple version jumps electronegativity -i /path/to/app -u 5..12 ``` -------------------------------- ### Reduce Security for Testing Source: https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK The '--reduce-security-for-testing' flag enables more web features over insecure connections. It is designed exclusively for testing environments. ```bash --reduce-security-for-testing ``` -------------------------------- ### Bypass Sandbox with Remote Module in Preload Source: https://github.com/doyensec/electronegativity/wiki/PRELOAD_JS_CHECK Use this method to access Node.js APIs from a preload script even when the sandbox is enabled. Requires 'electron' module. ```javascript app = require('electron').remote.app ``` -------------------------------- ### Audit BrowserWindow for allowRunningInsecureContent Source: https://github.com/doyensec/electronegativity/wiki/INSECURE_CONTENT_JS_CHECK Search for instances where allowRunningInsecureContent is set to true within webPreferences to prevent mixed content vulnerabilities. ```js mainWindow = new BrowserWindow({ "webPreferences": { "allowRunningInsecureContent": true } }); ``` -------------------------------- ### Scan Electron App Directory Source: https://github.com/doyensec/electronegativity/blob/master/README.md Use Electronegativity to scan a directory containing an Electron application for potential security issues. The `-i` flag specifies the input path. ```bash electronegativity -i /path/to/electron/app ``` -------------------------------- ### Enable Node Integration in WebView Source: https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_HTML_CHECK When the `nodeintegration` attribute is present on a webview tag, the guest page will have Node integration enabled. This is generally discouraged for untrusted content. ```xml