Summary:
Thank you for designing the Gaucho Desktop Application and making it open source and available. The application is very useful in easing the use of commands during development and it understandably needs to enable preferences like nodeIntegration. We list pointers below that can help make the application more secure.

1. [IPC Messages]: Since the application uses custom IPC and allows navigation to arbitrary sites, it will be helpful to verify the sender of IPC messages before handling and responding to them in IPC Main. It currently associates some IPC calls with e.mainWindow which is great. Adopting a similar approach for other IPC calls will be helpful as well. [Link]
2. [Preventing Navigation and Device Access] While the application does not itself use this functionality, as a precaution, it will be helpful to (a) limit all navigation attempts by adding a listener on will-navigate and a handler on setWindowOpenHandler(); and (b) deny all requests to access the user’s device with setDevicePermissionHandler().
3. [Keeping up-to-date w/ Electron.js]: The application uses an old version of Electron.js and Chromium which is vulnerable to numerous known V8 and Blink attacks. We observed an existing pull request for the same, which will be great for the app. [Link]

Thank you!

Platform(s) Affected:
Windows, Linux

–
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago