[SecurityUtils] Self rewrite, also with safer patch plus using non-deprecated API

README.md

@@ -20,11 +20,12 @@
 **If using Linux it is highly recommended to disable write protection** (needing root to overwrite files) for your Discord install if you have it enabled. It is not much of a security defecit as Windows has no write protection as well. This enables updating the asar and potentially host updating further on.
 
 ## Config
-You can configure OpenAsar via `settings.json` (found in your Discord app data / user data), under a `openasar` object. Keep in mind most options are defaults for good reason, they may temporarily brick your client until you revert your changes. The avaliable options are:
+You can configure OpenAsar via `settings.json` (found in your Discord app data / user data), under a `openasar` object. Keep in mind most options are defaults for good reason. The avaliable options are:
 - `quickstart` (bool, default false) - whether to use Quickstart (experimental)
 - `skipStartupUpdateChecks` (bool, default false) - skips startup update checking (Linux-only)
 - `autoupdate` (bool, default true) - whether to autoupdate OpenAsar after Discord startup
 - `multiInstance` (bool, default false) - whether to enable multi-instance
+- `ssoeAllowlist` (bool, default true) - whether to use safer custom method of opening external urls (true) or normal Discord's method (false)
 
 An example of a settings.json with OpenAsar config:
 ```json

roadmap.md

@@ -12,5 +12,5 @@
   - [X] `windowsUtils`
   - [X] `Settings`
   - [X] `Backoff`
-  - [ ] `securityUtils`
+  - [X] `securityUtils`
 - [ ] Compatibility / replication of original Discord splash

src/utils/securityUtils.js

@@ -1,45 +1,36 @@
-"use strict";
+const { shell } = require('electron');
 
-Object.defineProperty(exports, "__esModule", {
+const BLOCKED_URL_PROTOCOLS = ['file:', 'javascript:', 'vbscript:', 'data:', 'about:', 'chrome:', 'ms-cxh:', 'ms-cxh-full:', 'ms-word:']; // From Discord
-  value: true
+const allowedProtocols = [ 'https:', 'http:' ];
-});
-exports.saferShellOpenExternal = saferShellOpenExternal;
-exports.checkUrlOriginMatches = checkUrlOriginMatches;
 
-var _electron = require("electron");
+exports.saferShellOpenExternal = (url) => {
+  let parsed;
 
-var _url = _interopRequireDefault(require("url"));
+  try {
-
+    parsed = new URL(url);
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+  } catch (_e) { return Promise.reject(); }
-
-const BLOCKED_URL_PROTOCOLS = ['file:', 'javascript:', 'vbscript:', 'data:', 'about:', 'chrome:', 'ms-cxh:', 'ms-cxh-full:', 'ms-word:'];
 
-function saferShellOpenExternal(externalUrl) {
+  const protocol = parsed.protocol?.toLowerCase();
-  let parsedUrl;
 
-  try {
+  let disallowed = false;
-    parsedUrl = _url.default.parse(externalUrl);
+  if (oaConfig.ssoeAllowlist === false) { // Allow config option to use traditional Discord check for compatibility
-  } catch (_) {
+    if (!protocol || BLOCKED_URL_PROTOCOLS.includes(protocol)) disallowed = true;
-    return Promise.reject();
+  } else {
+    if (!allowedProtocols.includes(protocol)) disallowed = true;
   }
 
-  if (parsedUrl.protocol == null || BLOCKED_URL_PROTOCOLS.includes(parsedUrl.protocol.toLowerCase())) {
+  if (disallowed) return Promise.reject();
-    return Promise.reject();
-  }
 
-  return _electron.shell.openExternal(externalUrl);
+  return shell.openExternal(url);
-}
+};
 
-function checkUrlOriginMatches(urlA, urlB) {
+exports.checkUrlOriginMatches = (url1, url2) => {
-  let parsedUrlA;
+  let parse1, parse2;
-  let parsedUrlB;
 
   try {
-    parsedUrlA = _url.default.parse(urlA);
+    parse1 = new URL(url1);
-    parsedUrlB = _url.default.parse(urlB);
+    parse2 = new URL(url2);
-  } catch (_) {
+  } catch (_e) { return Promise.reject(); }
-    return false;
-  }
 
-  return parsedUrlA.protocol === parsedUrlB.protocol && parsedUrlA.slashes === parsedUrlB.slashes && parsedUrlA.host === parsedUrlB.host;
+  return parse1.protocol === parse2.protocol && parse1.host === parse2.host;
-}
+};