mirror of
https://github.com/wailsapp/wails.git
synced 2026-03-15 15:15:51 +01:00
The handleInstallDependency endpoint was vulnerable to command injection attacks. User-provided commands were split and executed directly without validation, allowing attackers to run arbitrary commands.

Changes:
- Add whitelist of allowed commands (package managers only)
- Validate commands against whitelist before execution
- Handle privilege escalation commands (sudo/pkexec/doas) by also validating the elevated command
- Reject any command not in the whitelist with a clear error message

The whitelist includes common package managers across platforms:
- Linux: apt, dnf, pacman, zypper, emerge, eopkg, nix-env
- macOS: brew, port
- Windows: winget, choco, scoop

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
| Name |
|---|
| frontend |
| defaults.go |
| wizard.go |
| wizard_darwin.go |
| wizard_linux.go |
| wizard_windows.go |