I have an Electron application and I’m using contextBridge.exposeInMainWorld to expose some ipcRenderer methods such as .on, .removeListener and .invoke. These methods are “protected” by having an if statement that checks if the “channel” passed is valid.

Using the following code:

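    const { contextBridge, ipcRenderer } = require("electron");

    // Accept only channel names that carry the application's prefix.
    const validateIPC = (channel) => {
      if (!channel || !channel.startsWith("myapp:"))
        return false;
      return true;
    };

    // Maps each caller-supplied listener to the wrapper registered for it,
    // so that removeListener can pass the same function reference.
    const wrappers = new WeakMap();

    contextBridge.exposeInMainWorld("electron", {
      ipcRenderer: {
        on(channel, listener) {
          if (validateIPC(channel)) {
            let wrapper = wrappers.get(listener);
            if (!wrapper) {
              wrapper = (evt, message) => {
                listener(evt, message);
              };
              wrappers.set(listener, wrapper);
            }
            ipcRenderer.on(channel, wrapper);
          }
        },
        removeListener(channel, listener) {
          if (validateIPC(channel)) {
            // A freshly created arrow function would match no registered listener.
            const wrapper = wrappers.get(listener);
            if (wrapper) ipcRenderer.removeListener(channel, wrapper);
          }
        },
        invoke(channel, data) {
          if (validateIPC(channel)) {
            return ipcRenderer.invoke(channel, data);
          }
        },
      },
    });
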
Is it safe to only check if the channel starts with some random string? I saw this in the source code of VS Code, available on GitHub; however, I also read some solutions using an array of strings to validate the channels. If it is safe, why can’t I just expose it without checking if the channel starts with some random name? Are there any default channels that can’t be exposed?
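
Added example, not part of the original question: the two validation styles the question mentions (prefix test and list of exact names) behind the same bridge shape, with the listener wrapper tracked so that removal works. The channel names in `ALLOWED`, the `makeBridge` helper and the `EventEmitter` standing in for `ipcRenderer` are assumptions made so the sketch runs in plain Node.

```javascript
const { EventEmitter } = require("node:events");

// Hypothetical channel names; the question only shows the "myapp:" prefix.
const ALLOWED = new Set(["myapp:settings-changed", "myapp:open-file"]);

// The question's check, unchanged in behaviour.
const prefixCheck = (ch) => !(!ch || !ch.startsWith("myapp:"));
// Exact match: must be a primitive string that is on the list.
const allowlistCheck = (ch) => typeof ch === "string" && ALLOWED.has(ch);

// Returns the object a preload would pass to contextBridge.exposeInMainWorld.
// `ipc` needs on/removeListener; in a real preload it is ipcRenderer.
function makeBridge(ipc, isValid) {
  const wrappers = new Map(); // channel -> Map(listener -> wrapper)
  return {
    on(channel, listener) {
      if (!isValid(channel) || typeof listener !== "function") return false;
      if (!wrappers.has(channel)) wrappers.set(channel, new Map());
      const perChannel = wrappers.get(channel);
      if (perChannel.has(listener)) return false; // already subscribed
      // Forward the payload only, not the IPC event object.
      const wrapper = (_evt, message) => listener(message);
      perChannel.set(listener, wrapper);
      ipc.on(channel, wrapper);
      return true;
    },
    removeListener(channel, listener) {
      const wrapper = isValid(channel) && wrappers.get(channel)?.get(listener);
      if (!wrapper) return false;
      ipc.removeListener(channel, wrapper); // same reference that was registered
      wrappers.get(channel).delete(listener);
      return true;
    },
  };
}

// Constructed run: an EventEmitter stands in for ipcRenderer.
function demo() {
  const ipc = new EventEmitter();
  const bridge = makeBridge(ipc, allowlistCheck);
  const seen = [];
  const listener = (msg) => seen.push(msg);
  const subscribed = bridge.on("myapp:open-file", listener);
  ipc.emit("myapp:open-file", { sender: ipc }, "a.txt");
  const removed = bridge.removeListener("myapp:open-file", listener);
  ipc.emit("myapp:open-file", { sender: ipc }, "b.txt"); // no longer delivered
  const unknown = "myapp:not-defined-anywhere";
  return { subscribed, removed, seen, prefix: prefixCheck(unknown), allowlist: allowlistCheck(unknown) };
}
console.log(demo());
```

The prefix test accepts any name under `myapp:`, including ones no handler was written for, and throws on a non-string value; the exact-match test rejects both.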