Link Sanitization, Encrypting Cookies, and Electron.js Version

[masood]

📝 Provide a description of the new feature

Summary:
Thank you for designing the Gitify Desktop Application making it open-source and available. The application does a great job of gathering and managing github notifications. We list pointers of concern below that can help make the application more secure.

1. [Sanitizing Links] While the application uses shell.openExternal() when passing links to the user’s system, it will be helpful to ensure that such links do not use the file:/// protocol to avoid the execution of sensitive files on the user’s system. For example, passing shell.openExternal(file:///Applications/Emacs.app/Contents/MacOS/Emacs) will open the Emacs app on the user’s device if present.
2. [Encrypting Cookies]: Since the application syncs with external accounts, it will be helpful to store information in cookies and then use @electron/fuses to encrypt cookies on the filesystem. [Link]
3. [Keeping up-to-date w/ Electron.js]: The application uses an old version of Electron.js and Chromium which is vulnerable to numerous known V8 and Blink attacks. We observed an existing issue for an upgrade to v22, which will be great for the app [Issue]. Upgrading to an even newer version will be a great idea as well [Link]

Thank you!

Platform(s) Affected:
Windows, Linux, MacOS

–
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago

➕ Additional Information

No response

[bmulholland]

Is this report AI generated? What's the threat model for the prioritization of #1 and #2?