Quasar CLI with Webpack - @quasar/app-webpack
Electron Security Concerns

If you are not vigilant when building Electron apps, you will probably be placing the users of your app in tangible digital danger. Things like XSS (Cross Site Scripting) and remote code execution can literally enable attackers to get deep access to the data in your app - and potentially even the underlying operating system.

Especially when working “in the open”, i.e. as an open-source project, you will definitely want to consider hardening your application with code-signing and integrity checking. (See “Tips” section)

Danger

Under no circumstances should you load and execute remote code. Instead, use only local files (packaged together with your application) to execute Node.js code in your main thread and/or preload script.

Checklist: Security Recommendations

The Electron team itself makes the following recommendations:

  1. Make sure that you leave webPreferences > contextIsolation set to true. Use the preload script to inject only must-have APIs to the renderer thread.

  2. If you must load remote content and cannot work around that, then only load secure content

  3. Use ses.setPermissionRequestHandler() in all sessions that load remote content

  4. Do not disable webSecurity

  5. Do not set allowRunningInsecureContent to true

  6. Do not enable experimental features

  7. Do not use enableBlinkFeatures

  8. <webview>: Do not use allowpopups

  9. <webview>: Verify options and params

  10. Disable or limit navigation

  11. Disable or limit creation of new windows

Except for items 3 and 4 above, Electron will put a warning in the dev console if one of these issues has been detected.

Tips and Tricks

Communication Protocols

You should know this by now, but if you are not using https / sftp / wss then the app’s communications with the outside world can be very easily tampered with. Whatever you are building, please use a secure protocol everywhere.

Filesystem Access

Having read & write permissions to the filesystem is the holy grail for penetration testers, and if your app enables this type of interaction, consider using IPC and multiple windows (with varying permissions) in order to minimize the attack surface.

Encryption

If the user of your application has secrets like wallet addresses, personal information or some other kind of trade secrets, keep that information encrypted when at rest, un-encrypt it in-memory only when it is needed and make sure to overwrite / destroy the object in memory when you are done with it. But no matter how you approach this, follow these four rules:

  1. use strong crypto (i.e. collision resistant and not md5)

  2. do not invent a novel type of encryption

  3. follow the implementation instructions explicitly

  4. think about the user-experience

Disable developer tools in production

You probably don’t want rogue hoody-wearing menaces to be executing something like this in the console of your app:

window.location='https://evilsite.com/looks-just-like-your-app'

The key-combination CTRL+SHIFT+I (or ALT+CMD+I on Mac) will open the dev tools and enable inspection of the application. It will even enable some degree of modification. Prevent the simple evil maid attack by catching these keypresses and returning false.
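A renderer-side guard for exactly that shortcut, as an added example that is not part of the original page. The `platform` argument is assumed to be a navigator.platform-style string (so constructed fake events can exercise it outside a browser).

```javascript
// Renderer-side guard for the DevTools shortcut described above. Added example,
// not the page's own code. `platform` is a navigator.platform-style string;
// fake event objects are enough to exercise the logic outside a browser.
function isDevToolsShortcut(event, platform) {
  const key = (event.key || '').toUpperCase();
  if (key !== 'I') return false;
  const mac = /mac/i.test(platform || '');
  // ALT+CMD+I on Mac, CTRL+SHIFT+I elsewhere
  return mac ? (event.altKey && event.metaKey) : (event.ctrlKey && event.shiftKey);
}

// Attaches to window (or any EventTarget). The handler swallows the shortcut
// and returns false, as the text describes; it returns true for other keys.
function installDevToolsGuard(target, platform) {
  const handler = (event) => {
    if (!isDevToolsShortcut(event, platform)) return true;
    event.preventDefault();
    event.stopPropagation();
    return false;
  };
  target.addEventListener('keydown', handler, true); // capture phase, before page handlers
  return handler;
}

if (typeof window !== 'undefined') {
  installDevToolsGuard(window, navigator.platform);
}
```

Intercepting the shortcut only stops the casual case; in the main process, webPreferences.devTools: false turns DevTools off for that window regardless of key handling.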

Publish checksums

When you have built your binary blobs and want to publish them e.g. on GitHub, use shasum and post these results somewhere prominent (like on the GitHub release page for your project) and potentially on a public blockchain, such as Steem.

$ shasum -a 256 myApp-v1.0.0_darwin-x64.dmg
40ed03e0fb3c422e554c7e75d41ba71405a4a49d560b1bf92a00ea6f5cbd8daa myApp-v1.0.0_darwin-x64.dmg

Sign the builds

Although not a hard requirement for sharing your app, signing code is a best practice - and it is required by both the MacOS and Windows stores. Read more about it at this official Electron tutorial.

Use SNYK

Snyk.io is a service, CLI and even GitHub integration bot that tracks vulnerabilities in node modules by comparing the dependencies in your package.json with its list of compromised modules. In many cases their service can recommend minimum update versions or even provide modules that they themselves have patched. They also undertake research and vulnerability disclosure. For an example of something that should scare the socks off of you if you are doing anything with compressed files (zip, tar, etc.) check out their writeup and list of affected software.

For the truly paranoid

Use a dedicated physical desktop machine for each platform target. If you have to keep this device online, make sure the OS is always updated and permits zero inbound connections from the internet / bluetooth (especially for shell / ssh), and run constant virus and rootkit checks.

Permit only GPG-signed commits to be merged and require at least two team members (who did not make the PR) to review and approve the commit.

Reconsider your node package management system:

  • use a private npm registry (like JFrog)

  • fix your packages to specific versions known to work

  • use pnpm

  • audit each and every single module and its dependencies

Pay to get hacked

Somebody smart might have hacked your project (or an underlying library). If you are making money with this app, consider getting a Hacker One account and running a constant bounty award. At least you’ll be able to convince the hacker to be ethical and NOT sell the exploit to your competitor.

Get help

You may feel overwhelmed, because the awesomeness of Electron brings with it a great many headaches that you never wanted to think about. If this is the case, consider reaching out and getting expert support for the review, audit and hardening of your app by the team of seasoned devs that brought you the Quasar Framework.

Parts of this page have been taken from the official Electron Security Guide.