Skip to content

fix: electron renderer with nodeintegration enabled and sandbox disabled#478

Open
kumburovicbranko682-boop wants to merge 1 commit into
SuperCmdLabs:mainfrom
kumburovicbranko682-boop:contribai/fix/security/electron-renderer-with-nodeintegration-e
Open

fix: electron renderer with nodeintegration enabled and sandbox disabled#478
kumburovicbranko682-boop wants to merge 1 commit into
SuperCmdLabs:mainfrom
kumburovicbranko682-boop:contribai/fix/security/electron-renderer-with-nodeintegration-e

Conversation

@kumburovicbranko682-boop

Copy link
Copy Markdown

🔒 Security Fix

Problem

The launcher window runs with nodeIntegration: true and sandbox: false as documented in the inline comment.
This means any JavaScript executing in that renderer (including third-party Raycast extensions) has unrestricted
access to Node.js APIs — fs, child_process, crypto, etc. If an extension contains an XSS vulnerability, or if
an attacker compromises a Raycast store extension, they gain full filesystem and process access on the host machine.

Electron's official security documentation explicitly warns against this configuration. The recommended approach
is to use contextBridge + preload scripts to expose only the specific APIs extensions need, rather than
granting blanket Node access.

The SECURITY.md mentions an "Electron Security Architecture" section but does not disclose this risk.

Severity: high
File: vite.config.ts

Solution

Refactor to use Electron's recommended security model:

  1. Set nodeIntegration: false and sandbox: true in the BrowserWindow webPreferences.
  2. Create a preload script that uses contextBridge.exposeInMainWorld() to expose only the specific
    Node APIs required by Raycast extensions (e.g., a controlled require shim or a curated API surface).
  3. Use ipcRenderer/ipcMain for privileged operations, with an allowlist of valid IPC channels.

Example BrowserWindow config:

Changes

  • vite.config.ts (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced


🤖 About this PR

This pull request was generated by ContribAI, an AI agent
that helps improve open source projects. The change was:

  1. Discovered by automated code analysis
  2. Generated by AI with context-aware code generation
  3. Self-reviewed by AI quality checks

If you have questions or feedback about this PR, please comment below.
We appreciate your time reviewing this contribution!

Closes #477

…dbox disabled

The launcher window runs with `nodeIntegration: true` and `sandbox: false` as documented in the inline comment.
This means any JavaScript executing in that renderer (including third-party Raycast extensions) has unrestricted
access to Node.js APIs — fs, child_process, crypto, etc. If an extension contains an XSS vulnerability, or if
an attacker compromises a Raycast store extension, they gain full filesystem and process access on the host machine.

Electron's official security documentation explicitly warns against this configuration. The recommended approach
is to use `contextBridge` + `preload` scripts to expose only the specific APIs extensions need, rather than
granting blanket Node access.

The SECURITY.md mentions an "Electron Security Architecture" section but does not disclose this risk.


Affected files: vite.config.ts

Signed-off-by: kumburovicbranko682-boop <295886834+kumburovicbranko682-boop@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix: electron renderer with nodeintegration enabled and sandbox disabled

1 participant