Advisory Database
GMS-2016-29: SSL Validation Defaults to False

April 22, 2016

  • electron-packager is a command line tool that packages Electron source code into .app and .exe packages, along with Electron.
  • The --strict-ssl command line option defaults to false if not explicitly set to true. This could allow an attacker to man-in-the-middle (MITM) the step where electron-packager does the following: "Download all supported target platforms and arches of Electron using the installed electron-prebuilt version (and cache the downloads in ~/.electron)", affecting the integrity of the package and of the cached downloads in ~/.electron. This only affects users of the electron-packager CLI; the strict-ssl option defaults to true for the Node.js API.

References

  • github.com/electron-userland/electron-packager/issues/333


Affected versions

All versions starting from 5.2.1 up to 6.0.0, and all versions starting from 6.0.0 up to 6.0.2

Fixed versions

  • 7.0.0

Solution

Upgrade to at least version 7.0.0. It is also recommended to delete the electron-download cache folder, by default named .electron and located in your home folder.
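As an added example (not part of the GitLab advisory or of electron-packager itself), the following Node.js script audits a package-lock.json for electron-packager versions that fall inside the affected ranges listed above, so a project can confirm whether the CLI it installs is exposed before relying on the --strict-ssl default. It assumes the advisory's "starting from X up to Y" ranges are inclusive of X and exclusive of Y, and the lock file embedded below is constructed.

```javascript
// Ranges as listed in GMS-2016-29: lower bound inclusive, upper bound exclusive (assumption).
const AFFECTED_RANGES = [
  { from: '5.2.1', below: '6.0.0' },
  { from: '6.0.0', below: '6.0.2' },
];
const FIXED_VERSION = '7.0.0';

// Parse the numeric major.minor.patch of a version string; pre-release tags are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Return -1, 0 or 1 comparing version a to version b.
function compareVersions(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.below) < 0,
  );
}

// Classify a version against the advisory: affected, fixed, or not listed either way.
function classify(version) {
  if (isAffected(version)) return 'affected';
  if (compareVersions(version, FIXED_VERSION) >= 0) return 'fixed';
  return 'not listed';
}

// Collect every electron-packager version from a lock file, handling both the
// nested lockfileVersion 1 "dependencies" tree and the flat v2/v3 "packages" map.
function findElectronPackagerVersions(lock) {
  const found = [];
  const walk = (deps) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === 'electron-packager' && info.version) found.push(info.version);
      walk(info.dependencies);
    }
  };
  walk(lock.dependencies);
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/electron-packager') && info.version) found.push(info.version);
  }
  return found;
}

function auditLock(lock) {
  return findElectronPackagerVersions(lock).map((v) => ({ version: v, status: classify(v) }));
}

// Constructed sample lock file: a dev dependency on an affected CLI version.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: { 'electron-packager': { version: '6.0.1', dev: true } } };
console.log(auditLock(SAMPLE_LOCK));
```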

Source file

npm/electron-packager/GMS-2016-29.yml


Page generated Wed, 14 May 2025 12:14:45 +0000.