Merge pull request #64 from pavlobu/secure

security patch, update electron to 11.2.1, release v1.0.2
2025-05-19 08:50:17 -07:00 · 2021-01-27 12:43:50 +02:00 · 2021-01-27 12:43:50 +02:00 · 967dd30651
commit 967dd30651
parent 96b4f8e0b8 767d202b58
15 changed files with 108 additions and 93 deletions
--- a/app/client/src/features/PeerConnection/ReceiveEncryptedMessagePayload.d.ts
+++ b/app/client/src/features/PeerConnection/ReceiveEncryptedMessagePayload.d.ts
@ -1,4 +1,5 @@
 interface ReceiveEncryptedMessagePayload {
+  fromSocketID: string;
  payload: string;
  signature: string;
  iv: string;
--- a/app/client/src/features/PeerConnection/peerConnectionHandleSocket.spec.ts
+++ b/app/client/src/features/PeerConnection/peerConnectionHandleSocket.spec.ts
@ -162,19 +162,6 @@ describe('peerConnectionHandleSocket callback', () => {
        expect(peerConnection.UIHandler.setMyDeviceDetails).toBeCalled();
      });

-      it('should call sendEncryptedMessage with ADD_USER type', () => {
-        peerConnectionHandleSocket(peerConnection);
-
-        peerConnection.socket.emit('USER_ENTER', {
-          users: [{ username: 'asdf', publicKey: '1234' }],
-        });
-
-        expect(peerConnection.sendEncryptedMessage).toBeCalledWith({
-          type: 'ADD_USER',
-          payload: expect.anything(),
-        });
-      });
-
      it('should call sendEncryptedMessage with DEVICE_DETAILS type', () => {
        peerConnectionHandleSocket(peerConnection);

--- a/app/client/src/features/PeerConnection/peerConnectionHandleSocket.ts
+++ b/app/client/src/features/PeerConnection/peerConnectionHandleSocket.ts
@ -60,22 +60,10 @@ export default (peerConnection: PeerConnection) => {

      if (!peerConnection.partner) return;

-      // TODO: ADD_USER is actually not used, so will remove this code from host and client, this is no use...
-      peerConnection.sendEncryptedMessage({
-        type: 'ADD_USER',
-        payload: {
-          username: peerConnection.user.username,
-          publicKey: peerConnection.user.publicKey,
-          isOwner: true,
-          id: peerConnection.user.username,
-        },
-      });
-
      peerConnection.sendEncryptedMessage({
        type: 'DEVICE_DETAILS',
        // TODO: add deviceIP in this payload
        payload: {
-          socketID: peerConnection.socket.io.engine.id, // TODO: maybe this socketID can be actually retrieved by host? so there will be no use for client to send it? need to check
          os: peerConnection.myDeviceDetails.myOS,
          deviceType: peerConnection.myDeviceDetails.myDeviceType,
          browser: peerConnection.myDeviceDetails.myBrowser,
--- a/app/features/PeerConnection/ReceiveEncryptedMessagePayload.d.ts
+++ b/app/features/PeerConnection/ReceiveEncryptedMessagePayload.d.ts
@ -1,5 +1,6 @@
 interface ReceiveEncryptedMessagePayload {
  payload: string;
+  fromSocketID: string;
  signature: string;
  iv: string;
  keys: { sessionKey: string; signingKey: string }[];
--- a/app/features/PeerConnection/handleRecieveEncryptedMessage.spec.ts
+++ b/app/features/PeerConnection/handleRecieveEncryptedMessage.spec.ts
@ -39,7 +39,9 @@ const TEST_DEVICE_DETAILS_PAYLOAD = {
  deviceScreenHeight: 480,
 };

-const TEST_DUMMY_ENCRYPTED_MESSAGE_PAYLOAD = ({} as unknown) as ReceiveEncryptedMessagePayload;
+const TEST_DUMMY_ENCRYPTED_MESSAGE_PAYLOAD = ({
+  fromSocketID: '2411',
+} as unknown) as ReceiveEncryptedMessagePayload;

 describe('handleRecieveEncryptedMessage.ts', () => {
  let peerConnection: PeerConnection;
--- a/app/features/PeerConnection/handleRecieveEncryptedMessage.ts
+++ b/app/features/PeerConnection/handleRecieveEncryptedMessage.ts
@ -32,7 +32,7 @@ export default async function handleRecieveEncryptedMessage(
  if (message.type === 'DEVICE_DETAILS') {
    peerConnection.socket.emit(
      'GET_IP_BY_SOCKET_ID',
-      message.payload.socketID,
+      payload.fromSocketID,
      (deviceIP: string) => {
        // TODO: need to add myIP in client message.payload.myIP, then if retrieved deviceIP and myIP from client don't match, we were spoofed, then we can interrupt connection immediately!
        handleDeviceIPMessage(deviceIP, peerConnection, message);
--- a/app/features/PeerConnection/handleSocketUserEnter.spec.ts
+++ b/app/features/PeerConnection/handleSocketUserEnter.spec.ts
@ -81,25 +81,6 @@ describe('handleSocketUserEnter callback', () => {
      expect(peerConnection.partner).toBe(TEST_PARTNER_USER);
    });

-    it('should set .sendEncryptedMessage with proper payload as it is an owner of room', () => {
-      const TEST_SEND_MESSAGE_PAYLOAD = {
-        type: 'ADD_USER',
-        payload: {
-          username: peerConnection.user.username,
-          publicKey: peerConnection.user.publicKey,
-          isOwner: true,
-          id: peerConnection.user.username,
-        },
-      };
-      peerConnection.sendEncryptedMessage = jest.fn();
-
-      handleSocketUserEnter(peerConnection, TEST_PAYLOAD);
-
-      expect(peerConnection.sendEncryptedMessage).toBeCalledWith(
-        TEST_SEND_MESSAGE_PAYLOAD
-      );
-    });
-
    it('should call toggleLockRoom with true', () => {
      peerConnection.toggleLockRoom = jest.fn();

--- a/app/features/PeerConnection/handleSocketUserEnter.ts
+++ b/app/features/PeerConnection/handleSocketUserEnter.ts
@ -10,17 +10,6 @@ export default (

  [peerConnection.partner] = filteredPartner;

-  // TODO: ADD_USER is actually not used, so will remove this code from host and client, this is no use...
-  peerConnection.sendEncryptedMessage({
-    type: 'ADD_USER',
-    payload: {
-      username: peerConnection.user.username,
-      publicKey: peerConnection.user.publicKey,
-      isOwner: true,
-      id: peerConnection.user.username,
-    },
-  });
-
  if (peerConnection.partner.publicKey !== '') {
    // peerConnection.socket.emit('TOGGLE_LOCK_ROOM', null, () => {});
    // peerConnection.isSocketRoomLocked = true;
--- a/app/package-lock.json
+++ b/app/package-lock.json
@ -1,5 +1,5 @@
 {
  "name": "Deskreen",
-  "version": "1.0.1",
+  "version": "1.0.2",
  "lockfileVersion": 1
 }
--- a/app/package.json
+++ b/app/package.json
@ -1,8 +1,8 @@
 {
  "name": "deskreen",
  "productName": "Deskreen",
-  "version": "1.0.1",
-  "description": "Deskreen makes any device a second screen for your computer",
+  "version": "1.0.2",
+  "description": "Deskreen turns any device into a second screen for your computer",
  "main": "./main.prod.js",
  "author": {
    "name": "Pavlo (Paul) Buidenkov",
--- a/app/server/darkwireSocket.spec.ts
+++ b/app/server/darkwireSocket.spec.ts
@ -393,22 +393,50 @@ describe('DarkwireSocket tests', () => {
      });

      describe('when socket.on("GET_IP_BY_SOCKET_ID" callback occured', () => {
-        it('should call acknowledgeFunction with proper ip', () => {
-          const testIP = '123.231.121.111';
-          // @ts-ignore
-          socketsIPService.getSocketIPByID.mockImplementationOnce(() => testIP);
-          const darkwireSocket = new DarkwireSocket(
-            makeTestDarkwireSocketOPTS()
-          );
-          darkwireSocket.handleSocket();
-          const getMyIpBySocketIdCallback =
+        describe('when it was called by localhost(127.0.0.1) socket IP', () => {
+          it('should call acknowledgeFunction with proper ip', () => {
+            const testIP = '123.231.121.111';
            // @ts-ignore
-            darkwireSocket.socket.on.mock.calls[1][1];
-          const acknowledgeFunctionMock = jest.fn();
+            socketsIPService.getSocketIPByID.mockImplementationOnce(
+              () => testIP
+            );
+            const darkwireSocket = new DarkwireSocket(
+              makeTestDarkwireSocketOPTS()
+            );
+            darkwireSocket.socket.request.connection.remoteAddress =
+              '127.0.0.1';
+            darkwireSocket.handleSocket();
+            const getIpBySocketIdCallback =
+              // @ts-ignore
+              darkwireSocket.socket.on.mock.calls[1][1];
+            const acknowledgeFunctionMock = jest.fn();

-          getMyIpBySocketIdCallback(undefined, acknowledgeFunctionMock);
+            getIpBySocketIdCallback(undefined, acknowledgeFunctionMock);
+            expect(acknowledgeFunctionMock).toBeCalledWith(testIP);
+          });
+        });

-          expect(acknowledgeFunctionMock).toBeCalledWith(testIP);
+        describe('when it was called by NOT localhost(127.0.0.1) socket IP', () => {
+          it('should NOT call acknowledgeFunction with proper ip', () => {
+            const testIP = '123.231.121.111';
+            // @ts-ignore
+            socketsIPService.getSocketIPByID.mockImplementationOnce(
+              () => testIP
+            );
+            const darkwireSocket = new DarkwireSocket(
+              makeTestDarkwireSocketOPTS()
+            );
+            darkwireSocket.socket.request.connection.remoteAddress =
+              '192.168.45.123';
+            darkwireSocket.handleSocket();
+            const getIpBySocketIdCallback =
+              // @ts-ignore
+              darkwireSocket.socket.on.mock.calls[1][1];
+            const acknowledgeFunctionMock = jest.fn();
+
+            getIpBySocketIdCallback(undefined, acknowledgeFunctionMock);
+            expect(acknowledgeFunctionMock).not.toBeCalledWith(testIP);
+          });
        });
      });

--- a/app/server/darkwireSocket.ts
+++ b/app/server/darkwireSocket.ts
@ -20,6 +20,10 @@ interface SocketOPTS {
  roomIdOriginal: string;
 }

+function isLocalhostSocket(socket: Io.Socket) {
+  return socket.request.connection.remoteAddress.includes(LOCALHOST_SOCKET_IP);
+}
+
 export default class Socket implements SocketOPTS {
  roomId: string;

@ -90,7 +94,9 @@ export default class Socket implements SocketOPTS {
    });

    this.socket.on('GET_IP_BY_SOCKET_ID', (socketID, acknowledgeFunction) => {
-      // TODO: for security only allow localhost to use this socket event! right now it may be emitted by client which may be not secure. The purpose of this event is for host to get the actual IP of connected client socket and compare them with what was sent by client in DEVICE_DETAILS.
+      if (!isLocalhostSocket(this.socket)) {
+        return;
+      }
      acknowledgeFunction(socketsIPService.getSocketIPByID(socketID));
    });

@ -100,6 +106,7 @@ export default class Socket implements SocketOPTS {
    });

    this.socket.on('ENCRYPTED_MESSAGE', (payload) => {
+      payload.fromSocketID = this.socket.id;
      this.socket.to(this.roomId).emit('ENCRYPTED_MESSAGE', payload);
    });

@ -140,9 +147,7 @@ export default class Socket implements SocketOPTS {
          {
            socketId: this.socket.id,
            publicKey: payload.publicKey,
-            isOwner: this.socket.request.connection.remoteAddress.includes(
-              LOCALHOST_SOCKET_IP
-            ),
+            isOwner: isLocalhostSocket(this.socket),
            ip: payload.ip ? payload.ip : '', // TODO: remove as it is not used
          },
        ],
--- a/app/utils/ProcessedMessage.d.ts
+++ b/app/utils/ProcessedMessage.d.ts
@ -8,7 +8,6 @@ type CallAcceptedMessageWithPayload = {
 type DeviceDetailsMessageWithPayload = {
  type: 'DEVICE_DETAILS';
  payload: {
-    socketID: string;
    deviceType: string;
    os: string;
    browser: string;
--- a/package.json
+++ b/package.json
@ -1,8 +1,8 @@
 {
  "name": "deskreen",
  "productName": "Deskreen",
-  "version": "1.0.1",
-  "description": "Deskreen makes any device a second screen for your computer",
+  "version": "1.0.2",
+  "description": "Deskreen turns any device into a second screen for your computer",
  "scripts": {
    "build": "yarn build-client && yarn build-main && yarn build-renderer",
    "build-test": "yarn build-main-test && yarn build-renderer-test && yarn build-client",
@ -327,7 +327,7 @@
    "classnames": "^2.2.6",
    "clsx": "^1.1.1",
    "connected-react-router": "^6.6.1",
-    "electron": "^10.1.5",
+    "electron": "^11.2.1",
    "electron-debug": "^3.1.0",
    "electron-log": "^4.2.2",
    "electron-settings": "^4.0.2",
@ -376,7 +376,7 @@
    "yarn": ">=0.21.3"
  },
  "collective": {
-    "url": "TODO: add collective page"
+    "url": "https://opencollective.com/deskreen"
  },
  "browserslist": [],
  "prettier": {
--- a/yarn.lock
+++ b/yarn.lock
@ -1160,16 +1160,17 @@
    ajv-keywords "^3.4.1"

 "@electron/get@^1.0.1":
-  version "1.12.2"
-  resolved "https://registry.npmjs.org/@electron/get/-/get-1.12.2.tgz#6442066afb99be08cefb9a281e4b4692b33764f3"
-  integrity sha512-vAuHUbfvBQpYTJ5wB7uVIDq5c/Ry0fiTBMs7lnEYAo/qXXppIVcWdfBr57u6eRnKdVso7KSiH6p/LbQAG6Izrg==
+  version "1.12.3"
+  resolved "https://registry.npmjs.org/@electron/get/-/get-1.12.3.tgz#fa2723385c4b565a34c4c82f46087aa2a5fbf6d0"
+  integrity sha512-NFwSnVZQK7dhOYF1NQCt+HGqgL1aNdj0LUSx75uCqnZJqyiWCVdAMFV4b4/kC8HjUJAnsvdSEmjEt4G2qNQ9+Q==
  dependencies:
    debug "^4.1.1"
    env-paths "^2.2.0"
+    filenamify "^4.1.0"
    fs-extra "^8.1.0"
    got "^9.6.0"
    progress "^2.0.3"
-    sanitize-filename "^1.6.2"
+    semver "^6.2.0"
    sumchecker "^3.0.1"
  optionalDependencies:
    global-agent "^2.0.2"
@ -2019,7 +2020,7 @@
  resolved "https://registry.npmjs.org/@types/node/-/node-14.14.16.tgz#3cc351f8d48101deadfed4c9e4f116048d437b4b"
  integrity sha512-naXYePhweTi+BMv11TgioE2/FXU4fSl29HAH1ffxVciNsH3rYXjNP2yM8wqmSm7jS20gM8TIklKiTen+1iVncw==

-"@types/node@12", "@types/node@^12.0.12":
+"@types/node@12":
  version "12.19.11"
  resolved "https://registry.npmjs.org/@types/node/-/node-12.19.11.tgz#9220ab4b20d91169eb78f456dbfcbabee89dfb50"
  integrity sha512-bwVfNTFZOrGXyiQ6t4B9sZerMSShWNsGRw8tC5DY1qImUNczS9SjT4G6PnzjCnxsu5Ubj6xjL2lgwddkxtQl5w==
@ -2029,6 +2030,11 @@
  resolved "https://registry.npmjs.org/@types/node/-/node-10.17.50.tgz#7a20902af591282aa9176baefc37d4372131c32d"
  integrity sha512-vwX+/ija9xKc/z9VqMCdbf4WYcMTGsI0I/L/6shIF3qXURxZOhPQlPRHtjTpiNhAwn0paMJzlOQqw6mAGEQnTA==

+"@types/node@^12.0.12":
+  version "12.19.15"
+  resolved "https://registry.npmjs.org/@types/node/-/node-12.19.15.tgz#0de7e978fb43db62da369db18ea088a63673c182"
+  integrity sha512-lowukE3GUI+VSYSu6VcBXl14d61Rp5hA1D+61r16qnwC0lYNSqdxcvRh0pswejorHfS+HgwBasM8jLXz0/aOsw==
+
 "@types/normalize-package-data@^2.4.0":
  version "2.4.0"
  resolved "https://registry.npmjs.org/@types/normalize-package-data/-/normalize-package-data-2.4.0.tgz#e486d0d97396d79beedd0a6e33f4534ff6b4973e"
@ -5501,10 +5507,10 @@ electron-updater@^4.3.1:
    lodash.isequal "^4.5.0"
    semver "^7.3.2"

-electron@^10.1.5:
-  version "10.2.0"
-  resolved "https://registry.npmjs.org/electron/-/electron-10.2.0.tgz#4b00f0907b28aca4b93661bb53ce9a4f8ad32201"
-  integrity sha512-GBUyq8dwUqXPkCTkoID+eZ5Pm9GFlLUd2eSoGe8UOaHeW68SgCf5t75/uGHraQ1OIz/0qniyH5M4ebWEHGppyQ==
+electron@^11.2.1:
+  version "11.2.1"
+  resolved "https://registry.npmjs.org/electron/-/electron-11.2.1.tgz#8641dd1a62911a1144e0c73c34fd9f37ccc65c2b"
+  integrity sha512-Im1y29Bnil+Nzs+FCTq01J1OtLbs+2ZGLLllaqX/9n5GgpdtDmZhS/++JHBsYZ+4+0n7asO+JKQgJD+CqPClzg==
  dependencies:
    "@electron/get" "^1.0.1"
    "@types/node" "^12.0.12"
@ -5831,7 +5837,7 @@ escape-html@^1.0.3, escape-html@~1.0.3:
  resolved "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz#0258eae4d3d0c0974de1c169188ef0051d1d1988"
  integrity sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg=

-escape-string-regexp@^1.0.5:
+escape-string-regexp@^1.0.2, escape-string-regexp@^1.0.5:
  version "1.0.5"
  resolved "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz#1b61c0562190a8dff6ae3bb2cf0200ca130b86d4"
  integrity sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ=
@ -6504,6 +6510,20 @@ filelist@^1.0.1:
  dependencies:
    minimatch "^3.0.4"

+filename-reserved-regex@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.npmjs.org/filename-reserved-regex/-/filename-reserved-regex-2.0.0.tgz#abf73dfab735d045440abfea2d91f389ebbfa229"
+  integrity sha1-q/c9+rc10EVECr/qLZHzieu/oik=
+
+filenamify@^4.1.0:
+  version "4.2.0"
+  resolved "https://registry.npmjs.org/filenamify/-/filenamify-4.2.0.tgz#c99716d676869585b3b5d328b3f06590d032e89f"
+  integrity sha512-pkgE+4p7N1n7QieOopmn3TqJaefjdWXwEkj2XLZJLKfOgcQKkn11ahvGNgTD8mLggexLiDFQxeTs14xVU22XPA==
+  dependencies:
+    filename-reserved-regex "^2.0.0"
+    strip-outer "^1.0.1"
+    trim-repeated "^1.0.0"
+
 filesize@^3.6.1:
  version "3.6.1"
  resolved "https://registry.npmjs.org/filesize/-/filesize-3.6.1.tgz#090bb3ee01b6f801a8a8be99d31710b3422bb317"
@ -12486,7 +12506,7 @@ sane@^4.0.3:
    minimist "^1.1.1"
    walker "~1.0.5"

-sanitize-filename@^1.6.0, sanitize-filename@^1.6.2, sanitize-filename@^1.6.3:
+sanitize-filename@^1.6.0, sanitize-filename@^1.6.3:
  version "1.6.3"
  resolved "https://registry.npmjs.org/sanitize-filename/-/sanitize-filename-1.6.3.tgz#755ebd752045931977e30b2025d340d7c9090378"
  integrity sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg==
@ -13383,6 +13403,13 @@ strip-json-comments@~2.0.1:
  resolved "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-2.0.1.tgz#3c531942e908c2697c0ec344858c286c7ca0a60a"
  integrity sha1-PFMZQukIwml8DsNEhYwobHygpgo=

+strip-outer@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.npmjs.org/strip-outer/-/strip-outer-1.0.1.tgz#b2fd2abf6604b9d1e6013057195df836b8a9d631"
+  integrity sha512-k55yxKHwaXnpYGsOzg4Vl8+tDrWylxDEpknGjhTiZB8dFRU5rTo9CAzeycivxV3s+zlTKwrs6WxMxR95n26kwg==
+  dependencies:
+    escape-string-regexp "^1.0.2"
+
 style-loader@^1.2.1:
  version "1.3.0"
  resolved "https://registry.npmjs.org/style-loader/-/style-loader-1.3.0.tgz#828b4a3b3b7e7aa5847ce7bae9e874512114249e"
@ -14066,6 +14093,13 @@ trim-newlines@^3.0.0:
  resolved "https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.0.tgz#79726304a6a898aa8373427298d54c2ee8b1cb30"
  integrity sha512-C4+gOpvmxaSMKuEf9Qc134F1ZuOHVXKRbtEflf4NTtuuJDEIJ9p5PXsalL8SkeRw+qit1Mo+yuvMPAKwWg/1hA==

+trim-repeated@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.npmjs.org/trim-repeated/-/trim-repeated-1.0.0.tgz#e3646a2ea4e891312bf7eace6cfb05380bc01c21"
+  integrity sha1-42RqLqTokTEr9+rObPsFOAvAHCE=
+  dependencies:
+    escape-string-regexp "^1.0.2"
+
 triple-beam@^1.2.0, triple-beam@^1.3.0:
  version "1.3.0"
  resolved "https://registry.npmjs.org/triple-beam/-/triple-beam-1.3.0.tgz#a595214c7298db8339eeeee083e4d10bd8cb8dd9"