browser-window: Prevent drag and drop events.

This stops a remote code execution via drag and drop event in
the main/renderer process.

Fixes #453.

Author: akashnimare

app/renderer/about.html

@@ -1,45 +1,50 @@
 <!DOCTYPE html>
 <html lang="en">
-	<head>
-		<meta charset="UTF-8">
-		<link rel="stylesheet" href="css/about.css">
-	</head>
-	<body>
+
+<head>
+	<meta charset="UTF-8">
+	<link rel="stylesheet" href="css/about.css">
+</head>
+
+<body>
 	<div class="about">
 		<img class="logo" src="../resources/zulip.png" />
 		<p class="detail" id="version">v?.?.?</p>
 		<div class="maintenance-info">
 			<p class="detail maintainer">
-				Maintained by <a onclick="linkInBrowser('website')">Zulip</a>
+				Maintained by
+				<a onclick="linkInBrowser('website')">Zulip</a>
 			</p>
 			<p class="detail license">
-				Available under the <a onclick="linkInBrowser('license')">Apache 2.0 License</a>
+				Available under the
+				<a onclick="linkInBrowser('license')">Apache 2.0 License</a>
 			</p>
 			<a class="bug" onclick="linkInBrowser('bug')" href="#">Found bug?</a>
 		</div>
 	</div>
 	<script>
 
-	const { app } = require('electron').remote;
-	const { shell } = require('electron');
-	const version_tag = document.querySelector('#version');
-	version_tag.innerHTML = 'v' + app.getVersion();
+		const { app } = require('electron').remote;
+		const { shell } = require('electron');
+		const version_tag = document.querySelector('#version');
+		version_tag.innerHTML = 'v' + app.getVersion();
 
-	function linkInBrowser(type) {
-		let url;
-		switch (type) {
-			case 'website': 
-				url = "https://zulipchat.com";
-				break;
-			case 'license': 
-				url = "https://github.com/zulip/zulip-electron/blob/master/LICENSE";
-				break;
-			default:
-				url = 'https://github.com/zulip/zulip-electron/issues/new?body=' + 
-				      '%3C!--Please%20describe%20your%20issue%20and%20steps%20to%20reproduce%20it.--%3E';
+		function linkInBrowser(type) {
+			let url;
+			switch (type) {
+				case 'website':
+					url = "https://zulipchat.com";
+					break;
+				case 'license':
+					url = "https://github.com/zulip/zulip-electron/blob/master/LICENSE";
+					break;
+				default:
+					url = 'https://github.com/zulip/zulip-electron/issues/new?body=' +
+						'%3C!--Please%20describe%20your%20issue%20and%20steps%20to%20reproduce%20it.--%3E';
+			}
+			shell.openExternal(url);
 		}
-		shell.openExternal(url);
-	}
 	</script>
-	</body>
+	<script>require('./js/shared/preventdrag.js')</script>
+</body>
 </html>

app/renderer/js/preload.js

@@ -8,6 +8,9 @@ const ConfigUtil = require(__dirname + '/utils/config-util.js');
 // eslint-disable-next-line import/no-unassigned-import
 require('./notification');
 
+// Prevent drag and drop event in main process which prevents remote code executaion
+require(__dirname + '/shared/preventdrag.js');
+
 const logout = () => {
 	// Create the menu for the below
 	document.querySelector('.dropdown-toggle').click();

app/renderer/js/shared/preventdrag.js

@@ -0,0 +1,17 @@
+'use strict';
+
+// This is a security fix. Following function prevents drag and drop event in the app
+// so that attackers can't execute any remote code within the app
+// It doesn't affect the compose box so that users can still
+// use drag and drop event to share files etc
+
+const preventDragAndDrop = () => {
+	const preventEvents = ['dragover', 'drop'];
+	preventEvents.forEach(dragEvents => {
+		document.addEventListener(dragEvents, event => {
+			event.preventDefault();
+		});
+	});
+};
+
+preventDragAndDrop();

app/renderer/main.html

@@ -44,4 +44,5 @@
   </div>
 </body>
 <script src="js/main.js"></script>
+<script>require('./js/shared/preventdrag.js')</script>
 </html>

app/renderer/network.html

@@ -17,5 +17,6 @@
       <div id="reconnect">Try now</div>
     </div>
   </body>
-  <script src="js/pages/network.js"></script>  
+  <script src="js/pages/network.js"></script>
+  <script>require('./js/shared/preventdrag.js')</script>
 </html>

app/renderer/preference.html

@@ -13,4 +13,5 @@
     </div>
   </body>
   <script src="js/pages/preference/preference.js"></script>
+  <script>require('./js/shared/preventdrag.js')</script>
 </html>