release: 4.6.61 scheme-validate open-external IPC

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
security: scheme-validate URLs handed to shell.openExternal
2026-05-11 04:12:51 +02:00 · 2026-05-11 04:12:51 +02:00
3 changed files with 17 additions and 4 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
  "name": "twitch-vod-manager",
-  "version": "4.6.60",
+  "version": "4.6.61",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "twitch-vod-manager",
-      "version": "4.6.60",
+      "version": "4.6.61",
      "license": "MIT",
      "dependencies": {
        "axios": "^1.6.0",
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "twitch-vod-manager",
-  "version": "4.6.60",
+  "version": "4.6.61",
  "description": "Twitch VOD Manager - Download Twitch VODs easily",
  "main": "dist/main.js",
  "author": "xRangerDE",
--- a/src/main.ts
+++ b/src/main.ts
@ -6975,7 +6975,20 @@ ipcMain.handle('install-update', () => {
 });

 ipcMain.handle('open-external', async (_, url: string) => {
-    await shell.openExternal(url);
+    // Only allow https / http URLs — never let the renderer push a
+    // file://, javascript:, or shell:-style URL through to the OS
+    // shell.openExternal handler. The renderer is contextIsolated +
+    // nodeIntegration: false, but an XSS through (e.g.) a streamer name
+    // smuggling a payload into a template would otherwise hand the
+    // attacker shell.openExternal which on Windows happily resolves
+    // file:///C:/Windows/System32/calc.exe.
+    if (typeof url !== 'string') return;
+    const trimmed = url.trim();
+    if (!/^https?:\/\//i.test(trimmed)) {
+        appendDebugLog('open-external-rejected', { url: trimmed.slice(0, 200) });
+        return;
+    }
+    await shell.openExternal(trimmed);
 });

 // Tracks active standalone clip downloads so cancel-download / window-all-closed