Spaces:
Runtime error
Runtime error
Create src/lib/pm-security-manager-download-util.js
Browse files
src/lib/pm-security-manager-download-util.js
ADDED
|
@@ -0,0 +1,108 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
// Upstream TW list from tw-security-manager-modal, but we use this list to skip stuff not in here.
|
| 2 |
+
// Technically that is a security risk, but having a constant prompt for downloading innocent files
|
| 3 |
+
// like save data would be annoying.
|
| 4 |
+
//
|
| 5 |
+
// Common unsafe files will likely have an OS prompt, and uncommon unsafe files are likely from
|
| 6 |
+
// other software that the user installed, and is aware of what that software will do with said file.
|
| 7 |
+
const DEFINITELY_EXECUTABLE = [
|
| 8 |
+
// Entries should be lowercase and without leading period.
|
| 9 |
+
// Note that the user will have the final choice of whether or not to open the downloaded file.
|
| 10 |
+
// A file extension missing from this list is a bug we want to fix, but not a security bug that
|
| 11 |
+
// would be eligible for a vulnerability badge.
|
| 12 |
+
|
| 13 |
+
// Anything that is missing here should also be added to the upstream TW list if it's missing there.
|
| 14 |
+
|
| 15 |
+
// Windows executable formats
|
| 16 |
+
'exe',
|
| 17 |
+
'msi',
|
| 18 |
+
'msix',
|
| 19 |
+
'msixbundle',
|
| 20 |
+
'com',
|
| 21 |
+
'scf',
|
| 22 |
+
'scr',
|
| 23 |
+
'sct',
|
| 24 |
+
'dll',
|
| 25 |
+
'appx',
|
| 26 |
+
'appxbundle',
|
| 27 |
+
'reg',
|
| 28 |
+
'iso',
|
| 29 |
+
'drv',
|
| 30 |
+
'sys',
|
| 31 |
+
|
| 32 |
+
// Mac executable formats
|
| 33 |
+
'app',
|
| 34 |
+
'dmg',
|
| 35 |
+
'pkg',
|
| 36 |
+
|
| 37 |
+
// Unix executable formats
|
| 38 |
+
'so',
|
| 39 |
+
'a',
|
| 40 |
+
'run',
|
| 41 |
+
'appimage',
|
| 42 |
+
'deb',
|
| 43 |
+
'rpm',
|
| 44 |
+
'snap',
|
| 45 |
+
'flatpakref',
|
| 46 |
+
|
| 47 |
+
// Cross-platform executable formats
|
| 48 |
+
'jar',
|
| 49 |
+
|
| 50 |
+
// Browser extensions
|
| 51 |
+
'crx',
|
| 52 |
+
'xpi',
|
| 53 |
+
|
| 54 |
+
// Shortcuts
|
| 55 |
+
'url',
|
| 56 |
+
'webloc',
|
| 57 |
+
'inetloc',
|
| 58 |
+
'lnk',
|
| 59 |
+
'shortcut',
|
| 60 |
+
|
| 61 |
+
// Windows scripting languages
|
| 62 |
+
'bat',
|
| 63 |
+
'cmd',
|
| 64 |
+
'ps1',
|
| 65 |
+
'psm1',
|
| 66 |
+
'asp',
|
| 67 |
+
'vbs',
|
| 68 |
+
'vbe',
|
| 69 |
+
'ws',
|
| 70 |
+
'wsf',
|
| 71 |
+
'wsc',
|
| 72 |
+
'ahk',
|
| 73 |
+
|
| 74 |
+
// Microsoft Office macros
|
| 75 |
+
'docm',
|
| 76 |
+
'dotm',
|
| 77 |
+
'xlm',
|
| 78 |
+
'xlsm',
|
| 79 |
+
'xltm',
|
| 80 |
+
'xla',
|
| 81 |
+
'xlam',
|
| 82 |
+
'pptm',
|
| 83 |
+
'potm',
|
| 84 |
+
'ppsm',
|
| 85 |
+
'sldm',
|
| 86 |
+
|
| 87 |
+
// Unix scripting languages
|
| 88 |
+
'sh',
|
| 89 |
+
|
| 90 |
+
// Common cross-platform languages with interpreters that could be executed by double clicking on the file
|
| 91 |
+
'js',
|
| 92 |
+
'py'
|
| 93 |
+
];
|
| 94 |
+
|
| 95 |
+
/**
|
| 96 |
+
* @param {string} name Name of file
|
| 97 |
+
* @returns {boolean} True indicates definitely dangerous. False does not mean safe.
|
| 98 |
+
*/
|
| 99 |
+
const isDefinitelyExecutable = name => {
|
| 100 |
+
const parts = name.split('.');
|
| 101 |
+
const extension = parts.length > 1 ? parts.pop().toLowerCase() : null;
|
| 102 |
+
return extension !== null && DEFINITELY_EXECUTABLE.includes(extension);
|
| 103 |
+
};
|
| 104 |
+
|
| 105 |
+
export {
|
| 106 |
+
DEFINITELY_EXECUTABLE,
|
| 107 |
+
isDefinitelyExecutable,
|
| 108 |
+
};
|