Skip to content

Electron hardening: sandbox disabled, LD_LIBRARY_PATH leaks bundled libpython to shelled-out tools #40

Description

@I4cTime

Summary

Two lower-severity hardening gaps in the Electron shell:

  1. sandbox: false (electron/main.ts:365) - disabling the Chromium sandbox removes OS-level process isolation and gives the preload full Node access, enlarging the blast radius of any renderer/preload compromise. (contextIsolation/nodeIntegration:false are correct; the sandbox is the load-bearing layer and there's no comment justifying its removal.)
  2. LD_LIBRARY_PATH leak (electron/main.ts:115-118) - the bundled python/runtime/lib (glibc-locked python-build-standalone libs) is prepended to LD_LIBRARY_PATH and inherited by every process the backend spawns. For a tool that shells out to proton/steam/mangohud/vulkan helpers, this can make host binaries dlopen mismatched shared libraries and crash/misbehave.

Fix

Enable the sandbox (or document why not); scope LD_LIBRARY_PATH to the Python child only, not the inherited env of downstream tools.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: electronElectron shell / main / preloadsecuritySecurity hardening or vulnerabilityseverity: lowLow severity

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions