[MM-44229] Ignore and untrust cross-origin certificates from existing Mattermost servers (#2205)

2022-07-20 17:09:12 -04:00
parent ad3e1500cc
commit 40c072981a
2 changed files with 26 additions and 0 deletions
--- a/src/main/app/app.test.js
+++ b/src/main/app/app.test.js
@@ -20,6 +20,13 @@ jest.mock('electron', () => ({
    },
 }));

+jest.mock('common/config', () => ({
+    teams: [{
+        name: 'test-team',
+        url: 'http://server-1.com',
+    }],
+}));
+
 jest.mock('main/app/utils', () => ({
    getDeeplinkingURL: jest.fn(),
    openDeepLink: jest.fn(),
@@ -40,6 +47,7 @@ jest.mock('main/tray/tray', () => ({}));
 jest.mock('main/windows/windowManager', () => ({
    getMainWindow: jest.fn(),
    getViewNameByWebContentsId: jest.fn(),
+    getServerNameByWebContentsId: jest.fn(),
    viewManager: {
        views: new Map(),
    },
@@ -96,6 +104,7 @@ describe('main/app/app', () => {

        beforeEach(() => {
            WindowManager.getMainWindow.mockReturnValue(mainWindow);
+            WindowManager.getServerNameByWebContentsId.mockReturnValue('test-team');
        });

        afterEach(() => {
@@ -119,6 +128,11 @@ describe('main/app/app', () => {
            expect(callback).toHaveBeenCalledWith(true);
        });

+        it('should ignore and untrust when the origin of the certificate does not match the server URL', () => {
+            handleAppCertificateError(event, webContents, 'http://a-different-url.com', 'error-1', certificate, callback);
+            expect(callback).toHaveBeenCalledWith(false);
+        });
+
        it('should not show additional dialogs if certificate error has already been logged', () => {
            certificateErrorCallbacks.set('http://server-1.com:error-1', callback);
            handleAppCertificateError(event, webContents, testURL, 'error-1', certificate, callback);
--- a/src/main/app/app.ts
+++ b/src/main/app/app.ts
@@ -5,6 +5,7 @@ import {app, BrowserWindow, Event, dialog, WebContents, Certificate} from 'elect
 import log from 'electron-log';

 import urlUtils from 'common/utils/url';
+import Config from 'common/config';

 import updateManager from 'main/autoUpdater';
 import CertificateStore from 'main/certificateStore';
@@ -91,6 +92,17 @@ export async function handleAppCertificateError(event: Event, webContents: WebCo
    // update the callback
        const errorID = `${origin}:${error}`;

+        const serverName = WindowManager.getServerNameByWebContentsId(webContents.id);
+        const server = Config.teams.find((team) => team.name === serverName);
+        if (server) {
+            const serverURL = urlUtils.parseURL(server.url);
+            if (serverURL && serverURL.origin !== origin) {
+                log.warn(`Ignoring certificate for unmatched origin ${origin}, will not trust`);
+                callback(false);
+                return;
+            }
+        }
+
        // if we are already showing that error, don't add more dialogs
        if (certificateErrorCallbacks.has(errorID)) {
            log.warn(`Ignoring already shown dialog for ${errorID}`);