Skip to content

[MEDIUM] Missing origin validation on IPC handlers #108

New issue
New issue
Open
Open
[MEDIUM] Missing origin validation on IPC handlers#108
@Tsukieomie

Description

@Tsukieomie
Tsukieomie
opened on Jan 26, 2026

Security Issue: Incomplete IPC Origin Validation

Severity: MEDIUM
Location: src/main/windows/main.ts (various IPC handlers)

Description

Only auth:* handlers validate sender origin. Other IPC handlers lack origin validation.

Current State

// Auth handlers - properly validated ✓
if (!validateSender(event.senderFrame)) {
  return { success: false, error: "Unauthorized origin" }
}

// Other handlers - no validation ✗
ipcMain.handle("window:open", ...)
ipcMain.handle("clipboard:*", ...)

Risk

  • Window open handlers not origin-validated
  • Clipboard operations not protected
  • Could be exploited if malicious content loads in app

Recommendation

Apply validateSender pattern to all sensitive IPC handlers:

const validateIPC = (event: Electron.IpcMainInvokeEvent) => {
  if (!validateSender(event.senderFrame)) {
    throw new Error("Unauthorized IPC origin")
  }
}

ipcMain.handle("window:open", async (event, url) => {
  validateIPC(event)
  // ... handler logic
})

Handlers to Protect

  • window:* - Window management
  • clipboard:* - Clipboard access
  • file:* - File system operations
  • Any handler that accesses system resources

Labels: security, ipc

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions