@xpn discovered that malicious repository branch names could result in XSS in the GitHub Desktop for Mac application. JavaScript environments in native applications often have access to APIs for accessing the filesystem or executing shell commands. GitHub Desktop relies on Chromium Embedded Framework, which exposes no such JavaScript APIs by default. However, in some JavaScript contexts an API may be exposed for accessing the filesystem. Still, we addressed this vulnerability under the assumption that it had the potential to result in arbitrary command execution.
The identified vulnerability was fixed by rendering user content elements using innerText instead of innerHTML. An audit of other XSS sinks was performed, resulting in several other XSS fixes. To provide further mitigation for possible future XSS vulnerabilities, a Content Security Policy (CSP) was added to prevent the execution of inline JavaScript. These fixes and mitigations were included in GitHub Desktop for Mac version 220.
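As an added illustration (not GitHub Desktop's own code), the snippet below shows the sink class the bulletin describes: a branch name interpolated into innerHTML is parsed as markup, while assigning it through innerText (or escaping it before it reaches the parser) keeps it as data; the CSP string denies inline script as a second layer. The branch name and the stand-in document object are constructed for the demo.

```javascript
// Constructed branch name: git refs may contain '<', '>', '"' and '=' (spaces are not allowed).
const BRANCH = 'feature/<img/src=x/onerror=alert(1)>';

// Vulnerable pattern: whatever string is built here is handed to innerHTML,
// so the HTML parser turns the branch name into live elements and attributes.
function renderBranchUnsafe(name) {
  return `<li class="branch">${name}</li>`;
}

// Safe pattern 1 (string level): neutralise the five HTML-significant characters
// before the string reaches any markup-parsing sink.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderBranchEscaped(name) {
  return `<li class="branch">${escapeHtml(name)}</li>`;
}

// Safe pattern 2 (DOM level, the fix the bulletin describes): create the element with
// DOM APIs and assign the name as text. innerText (like textContent) never invokes the
// parser, so '<img ...>' stays a literal string. `doc` is any DOM document.
function renderBranchAsText(doc, name) {
  const li = doc.createElement('li');
  li.className = 'branch';
  li.innerText = name;
  return li;
}

// Mitigation layer: a CSP without 'unsafe-inline' blocks inline <script> blocks and
// on* event-handler attributes, so a missed sink cannot execute injected script.
const CSP_HEADER = "default-src 'self'; script-src 'self'";

// Regression check for a rendered string: after removing the expected <li> wrapper,
// does any tag start remain? True means the name was treated as markup.
function containsMarkup(html) {
  return /<\/?[a-z]/i.test(html.replace(/<\/?li\b[^>]*>/gi, ''));
}

// Stand-alone demo with a minimal constructed stand-in for `document` (Node has no DOM).
const DEMO_DOC = { createElement: (tag) => ({ tag, className: '', innerText: '' }) };
console.log('unsafe  :', renderBranchUnsafe(BRANCH), '->', containsMarkup(renderBranchUnsafe(BRANCH)));
console.log('escaped :', renderBranchEscaped(BRANCH), '->', containsMarkup(renderBranchEscaped(BRANCH)));
console.log('as text :', renderBranchAsText(DEMO_DOC, BRANCH).innerText);
console.log('CSP     :', CSP_HEADER);
```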
@xpn identified that malicious github-windows: URLs could be crafted, leading to arbitrary remote code execution. The code checking additional arguments passed in the URL was not working as intended. This vulnerability was fixed in GitHub for Windows version 3.0.17.