Limiting In-app Navigation, Santizing Links, and Electron.js Version Upgrade

[masood]

Thank you for designing the Kap Desktop Application making it open-source and available. The application is a useful screen recorder. We list pointers of concern below that can help make the application more secure.

1. [Preventing In-app Navigation] Since the app focuses on local functionality, it will be useful to prevent all attempts at in-app navigation to external domains by adding a listener on will-navigate and a handler function on setWindowOpenHandler.
2. [Sanitizing Links] Since the application calls shell.openExternal() on multiple occasions, it will be helpful to verify that links passed are sanitized and that they do not point to executable files (i.e., with a file: protocol).
3. [Keeping up-to-date w/ Electron.js]: The application uses an old version of Electron.js (v13.6.9) and Chromium which is vulnerable to numerous known V8 and Blink attacks. Upgrading to an even newer version will be a great idea as well [Link]

Thank you!

–
Mir Masood Ali, PhD student, University of Illinois Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois Chicago
Chris Kanich, Associate Professor, University of Illinois Chicago
Jason Polakis, Associate Professor, University of Illinois Chicago