Security patch (Closes #556)

scripts/build.mts

@@ -79,7 +79,7 @@ Promise.all([
     platform: "node",
     target: `node${NODE_VERSION}`,
     outfile: "dist/main.js",
-    external: ["electron"],
+    external: ["electron", "original-fs"],
   }),
   // Preload
   esbuild.build({

src/main/ipc/installer.ts

@@ -9,11 +9,15 @@ import {
 } from "../../types";
 import { Octokit } from "@octokit/rest";
 import { CONFIG_PATH, CONFIG_PATHS } from "../../util.mjs";
-import { readFile, writeFile } from "fs/promises";
+import { readFile } from "fs/promises";
+import { writeFile as originalWriteFile } from "original-fs";
 import fetch from "node-fetch";
-import { join } from "path";
+import { join, resolve, sep } from "path";
 import { AnyAddonManifestOrReplugged, anyAddonOrReplugged } from "src/types/addon";
 import { getSetting } from "./settings";
+import { promisify } from "util";
+
+const writeFile = promisify(originalWriteFile);
 
 const octokit = new Octokit();
 
@@ -170,6 +174,13 @@ ipcMain.handle(
     query.set("type", update ? "update" : "install");
     if (version) query.set("version", version);
 
+    if (type === "replugged") {
+      // Manually set Path and URL for security purposes
+      path = "replugged.asar";
+      const apiUrl = await getSetting("dev.replugged.Settings", "apiUrl", "https://replugged.dev");
+      url = `${apiUrl}/api/v1/store/dev.replugged.Replugged.asar`;
+    }
+
     let res;
     try {
       res = await fetch(`${url}?${query}`);
@@ -191,8 +202,20 @@ ipcMain.handle(
 
     const buf = Buffer.from(file);
 
+    const base = getBaseName(type);
+    const filePath = resolve(base, path);
+    if (!filePath.startsWith(`${base}${sep}`)) {
+      // Ensure file changes are restricted to the base path
+      return {
+        success: false,
+        error: "Invalid path",
+      };
+    }
+
+    console.log(url, filePath);
+
     try {
-      await writeFile(join(getBaseName(type), path), buf);
+      await writeFile(filePath, buf);
     } catch (err) {
       return {
         success: false,

src/main/ipc/plugins.ts

@@ -5,7 +5,7 @@ IPC events:
 */
 
 import { readFile, readdir, readlink, rm, stat } from "fs/promises";
-import { extname, join } from "path";
+import { extname, join, sep } from "path";
 import { ipcMain, shell } from "electron";
 import { RepluggedIpcChannels, type RepluggedPlugin } from "../../types";
 import { plugin } from "../../types/addon";
@@ -19,8 +19,14 @@ export const isFileAPlugin = (f: Dirent | Stats, name: string): boolean => {
 };
 
 async function getPlugin(pluginName: string): Promise<RepluggedPlugin> {
+  const manifestPath = join(PLUGINS_DIR, pluginName, "manifest.json");
+  if (!manifestPath.startsWith(`${PLUGINS_DIR}${sep}`)) {
+    // Ensure file changes are restricted to the base path
+    throw new Error("Invalid plugin name");
+  }
+
   const manifest: unknown = JSON.parse(
-    await readFile(join(PLUGINS_DIR, pluginName, "manifest.json"), {
+    await readFile(manifestPath, {
       encoding: "utf-8",
     }),
   );
@@ -85,7 +91,13 @@ ipcMain.handle(RepluggedIpcChannels.LIST_PLUGINS, async (): Promise<RepluggedPlu
 });
 
 ipcMain.handle(RepluggedIpcChannels.UNINSTALL_PLUGIN, async (_, pluginName: string) => {
-  await rm(join(PLUGINS_DIR, pluginName), {
+  const pluginPath = join(PLUGINS_DIR, pluginName);
+  if (!pluginPath.startsWith(`${PLUGINS_DIR}${sep}`)) {
+    // Ensure file changes are restricted to the base path
+    throw new Error("Invalid plugin name");
+  }
+
+  await rm(pluginPath, {
     recursive: true,
     force: true,
   });

src/main/ipc/settings.ts

@@ -1,5 +1,5 @@
 import { readFile, writeFile } from "fs/promises";
-import { join } from "path";
+import { resolve, sep } from "path";
 import { ipcMain, shell } from "electron";
 import { RepluggedIpcChannels } from "../../types";
 import type {
@@ -11,9 +11,20 @@ import { CONFIG_PATHS } from "src/util.mjs";
 
 const SETTINGS_DIR = CONFIG_PATHS.settings;
 
+export function getSettingsPath(namespace: string): string {
+  const resolved = resolve(SETTINGS_DIR, `${namespace}.json`);
+  console.log(resolved, SETTINGS_DIR, resolved.startsWith(SETTINGS_DIR));
+  if (!resolved.startsWith(`${SETTINGS_DIR}${sep}`)) {
+    // Ensure file changes are restricted to the base path
+    throw new Error("Invalid namespace");
+  }
+  return resolved;
+}
+
 async function readSettings(namespace: string): Promise<Map<string, unknown>> {
+  const path = getSettingsPath(namespace);
   try {
-    const data = await readFile(join(SETTINGS_DIR, `${namespace}.json`), "utf8");
+    const data = await readFile(path, "utf8");
     return new Map(Object.entries(JSON.parse(data)));
   } catch {
     return new Map();
@@ -22,7 +33,7 @@ async function readSettings(namespace: string): Promise<Map<string, unknown>> {
 
 function writeSettings(namespace: string, settings: SettingsMap): Promise<void> {
   return writeFile(
-    join(SETTINGS_DIR, `${namespace}.json`),
+    getSettingsPath(namespace),
     JSON.stringify(Object.fromEntries(settings.entries()), null, 2),
     "utf8",
   );
@@ -54,8 +65,27 @@ export async function writeTransaction<T>(
   handler: SettingsTransactionHandler<T>,
 ): Promise<T> {
   return transaction(namespace, async () => {
+    const postHandlerTransform: Array<(settings: SettingsMap) => void | Promise<void>> = [];
+
     const settings = await readSettings(namespace);
+    if (namespace.toLowerCase() === "dev.replugged.settings") {
+      // Prevent the "apiUrl" setting from changing
+      const originalValue = settings.get("apiUrl");
+      postHandlerTransform.push((settings) => {
+        if (originalValue) {
+          settings.set("apiUrl", originalValue);
+        } else {
+          settings.delete("apiUrl");
+        }
+      });
+    }
+
     const res = await handler(settings);
+
+    for (const transform of postHandlerTransform) {
+      await transform(settings);
+    }
+
     await writeSettings(namespace, settings);
     return res;
   });

src/main/ipc/themes.ts

@@ -5,7 +5,7 @@ IPC events:
 */
 
 import { readFile, readdir, readlink, rm, stat } from "fs/promises";
-import { extname, join } from "path";
+import { extname, join, sep } from "path";
 import { ipcMain, shell } from "electron";
 import { RepluggedIpcChannels, type RepluggedTheme } from "../../types";
 import { theme } from "../../types/addon";
@@ -19,8 +19,14 @@ export const isFileATheme = (f: Dirent | Stats, name: string): boolean => {
 };
 
 async function getTheme(path: string): Promise<RepluggedTheme> {
+  const manifestPath = join(THEMES_DIR, path, "manifest.json");
+  if (!manifestPath.startsWith(`${THEMES_DIR}${sep}`)) {
+    // Ensure file changes are restricted to the base path
+    throw new Error("Invalid plugin name");
+  }
+
   const manifest: unknown = JSON.parse(
-    await readFile(join(THEMES_DIR, path, "manifest.json"), {
+    await readFile(manifestPath, {
       encoding: "utf-8",
     }),
   );
@@ -72,7 +78,13 @@ ipcMain.handle(RepluggedIpcChannels.LIST_THEMES, async (): Promise<RepluggedThem
 });
 
 ipcMain.handle(RepluggedIpcChannels.UNINSTALL_THEME, async (_, themeName: string) => {
-  await rm(join(THEMES_DIR, themeName), {
+  const themePath = join(THEMES_DIR, themeName);
+  if (!themePath.startsWith(`${THEMES_DIR}${sep}`)) {
+    // Ensure file changes are restricted to the base path
+    throw new Error("Invalid theme name");
+  }
+
+  await rm(themePath, {
     recursive: true,
     force: true,
   });

src/renderer/coremods/settings/pages/General.tsx

@@ -125,6 +125,7 @@ export const General = (): React.ReactElement => {
           <TextInput
             {...util.useSetting(generalSettings, "apiUrl")}
             placeholder="https://replugged.dev"
+            disabled
           />
         </FormItem>