devbookhq / devbook-palette Goto Github PK

Hello, I was able to execute code that would interact with the electron instance via the Mozilla interactive examples iFrames. You can watch an example of this vulnerability on YouTube. This is a common vulnerability involved with Electrons "nodeIntegration" property being set to true. You can read more about the vulnerability on Doyensec's Blog.

How to reproduce

The Mozilla interactive examples run inside an iFrame and allows you to modify and execute JavaScript. I was able to execute code inside the iFrame that would set the parent page of iFrame to a website of my choice. On the website of my choice I wrote JavaScript that would interact with the NodeJS process and execute programs require('child_process').exec().

Possible ways to fix the vulnerability.

1. Try running iFrames with the sandbox attribute

Hello,
it would be nice to have option to configure more shortcuts than just shortcut to display search window. I'm using i3 and I use Ctrl, win key and alt to switch between workspaces on different monitors, so alt + 1 or alt + 2, does not work for me to switch between docs and Stack Overflow. Cpprefernce in docs would be nice to have too.

Hello there and congratulations for this app 🎉 I really find it useful and let me speed up my searches, something that as developers we do hundreds of time per day 😂

Just wanted to let you know about an issue that I am facing, didn't find a better way than write here.

Basically, if you use the 'documentation' part of the app and you look for something on MDN, the example that most of the time is put on the top of the reference takes control over the keyboard navigation that is in place. This is a bit annoying because then I have to take my mouse to scroll 😊

I see that the app is built with React and Electron, I do have experience with the first and always wanted to get some for the latter. So I'll try to have a look at it in my spare time, that is not that much tbh.

Thank you once more for this!

This was such a good docs app. I was using it as an alternative to Dash on windows.

May I ask why did you make the decision to kill the project?

I really loved the simplicity and design of this app. Are you deciding on killing it or is it still going to receive updates and new doc additions?