From 7d5c276f436e0949bd46f7ba5b93b10abee52273 Mon Sep 17 00:00:00 2001
From: Seiya Yazaki
Date: Tue, 16 Jul 2019 09:36:47 +0900
Subject: [PATCH] Reject non http(s) to open with shell

---
 main.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/main.js b/main.js
index 1b10d6c..7cae816 100644
--- a/main.js
+++ b/main.js
@@ -313,7 +313,12 @@ function registerToOpenUrl(webview, shell) {
 webview.addEventListener('new-window', openExternalUrl);
 }
 function openExternalUrl(event){
- shell.openExternal(event.url);
+ const url = event.url;
+ // https://electronjs.org/docs/tutorial/security#14-do-not-use-openexternal-with-untrusted-content
+ // Page 20 of https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf
+ if (url.startsWith('http://') || url.startsWith('https://')) {
+ shell.openExternal(url);
+ }
 }
 function getChannelUrl(baseUrl, channel) {
 const url = 'messages/' + channel;
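Review bot: The scheme allow-list in the new `openExternalUrl` is a raw prefix comparison, so it is case-sensitive and never validates that the value is a well-formed URL; the more robust form is to parse it and compare the normalized protocol, `let protocol; try { protocol = new URL(url).protocol; } catch (e) { return; }` followed by `if (protocol === 'http:' || protocol === 'https:') { shell.openExternal(url); }`. The prefix check also throws if `event.url` is ever not a string, which the parse-and-catch form absorbs; whether that can happen depends on the emitting event and is not visible here. Rejected URLs are currently dropped silently, so consider an `else` branch that logs the refused scheme (never the full URL if it may carry sensitive query data), which gives operators a signal when untrusted content attempts a non-http(s) launch. A short comment stating the intent, `// Only hand http(s) URLs to the OS; other schemes can launch arbitrary local handlers`, would make the allow-list self-explanatory next to the reference links.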