Merge pull request #1381 from crypto-com/dev

Internal Release v1.4.4

Author: crypto-matto

CHANGELOG.md

@@ -5,6 +5,9 @@ All notable changes to this project will be documented in this file.
 *Unreleased*
 
 *Released*
+## [v1.4.4] - 2023-09-21
+### Additions
+- Security enhancement on DApp Browser
 ## [v1.4.3] - 2023-09-13
 ### Bug Fixes
 - Fix malfunctioned Staking services 

electron/main.ts

@@ -12,6 +12,7 @@ import Store from 'electron-store';
 import { APP_PROTOCOL_NAME } from '../src/config/StaticConfig';
 
 import { getGAnalyticsCode, getUACode, actionEvent, transactionEvent, pageView } from './UsageAnalytics';
+import { isValidURL } from './utils';
 
 remoteMain.initialize();
 
@@ -192,6 +193,16 @@ app.on('ready', async function () {
   }
 });
 
+app.on('web-contents-created', (event, contents) => {
+  if (contents.getType() == 'webview') {
+    contents.on('will-navigate', (event, url) => {
+      if (!isValidURL(url)) {
+        event.preventDefault();
+      }
+    })
+  }
+})
+
 ipcMain.handle('get_auto_update_expire_time', (event) => {
   return store.get('autoUpdateExpireTime');
 });

electron/utils.ts

@@ -0,0 +1,11 @@
+export function isValidURL(str: string) {
+    const regex = new RegExp(
+      '^(http[s]?:\\/\\/(www\\.)?|www\\.){1}([0-9A-Za-z-\\.@:%_+~#=]+)+((\\.[a-zA-Z]{2,3})+)(/(.)*)?(\\?(.)*)?', // lgtm [js/redos]
+    );
+  
+    const withoutPrefixRegex = new RegExp(
+      '^([0-9A-Za-z-\\.@:%_+~#=]+)+((\\.[a-zA-Z]{2,3})+)(/(.)*)?(\\?(.)*)?', // lgtm [js/redos]
+    );
+    return regex.test(str) || withoutPrefixRegex.test(str);
+}
+  

package.json

@@ -1,6 +1,6 @@
 {
   "name": "chain-desktop-wallet",
-  "version": "1.4.3",
+  "version": "1.4.4",
   "description": "Crypto.com DeFi Desktop Wallet App",
   "repository": "github:crypto-com/chain-desktop-wallet",
   "author": "Crypto.com <contact@crypto.com>",