I agree to follow the code of conduct that this project uses.
I have searched the issue tracker for a bug that matches the one I want to file, without success.
Electron Forge version
7.4.0
Electron version
v30.1.2
Operating system
Windows
Last known working Electron Forge version
No response
Expected behavior
The downloaded update should be validated (e.g., by checksum or signature verification) to prevent untrusted or corrupted files from being executed.
Actual behavior
I am using update.exe from Squirrel to download updates for my application. However, I’ve noticed that update.exe accepts any server URL, and my application will proceed with launching the downloaded update without any validation.
Steps to reproduce
Any guidance on how to set up this validation mechanism would be appreciated.
Additional information
No response
maoryadin changed the title from "Validating Downloaded Updates with Update.exe (Squirrel Updater) #160" to "Validating Downloaded Updates with Update.exe (Squirrel Updater)" on Oct 21, 2024
Hey @maoryadin, this is outside of the scope of Electron's security model. If someone has RCE access to your device, there's a lot of other ways to download arbitrary malicious code.
Hey @maoryadin, can you tell us more about the privilege escalation you're concerned about?
update.exe does indeed not perform any validation but the operating system should run its usual code signing checks. If an attacker has enough access to use update.exe to download and run a binary, they can also just download and run the binary without update.exe, right?
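
One way an application could perform the checksum and signature validation the issue asks for, before handing a downloaded package to the updater. This is an added example, not code from Electron Forge, Squirrel, or anyone in this thread; the feed host, the manifest layout, and the function names are assumptions.

```javascript
const crypto = require("node:crypto");

// Assumption: the only feed origin the app will ever pass to the updater (hypothetical host).
const ALLOWED_FEED_ORIGINS = new Set(["https://updates.example.com"]);

function isAllowedFeed(feedUrl) {
  let u;
  try { u = new URL(feedUrl); } catch { return false; }
  return u.protocol === "https:" && !u.username && !u.password &&
    ALLOWED_FEED_ORIGINS.has(u.origin);
}

// manifestBytes: raw JSON bytes {version, file, sha256}, signed offline by the publisher.
// signature: detached Ed25519 signature over manifestBytes. publicKey: pinned in the app.
function verifyUpdate({ feedUrl, manifestBytes, signature, packageBytes, publicKey }) {
  if (!isAllowedFeed(feedUrl)) return { ok: false, reason: "feed-not-allowed" };
  let sigOk = false;
  try { sigOk = crypto.verify(null, manifestBytes, publicKey, signature); } catch { /* malformed input */ }
  if (!sigOk) return { ok: false, reason: "bad-signature" };
  // Parse only after the signature over the exact bytes has been checked.
  let manifest;
  try { manifest = JSON.parse(manifestBytes.toString("utf8")); } catch { return { ok: false, reason: "bad-manifest" }; }
  if (typeof manifest.sha256 !== "string" || !/^[0-9a-f]{64}$/.test(manifest.sha256)) {
    return { ok: false, reason: "bad-manifest" };
  }
  const actual = crypto.createHash("sha256").update(packageBytes).digest();
  if (!crypto.timingSafeEqual(actual, Buffer.from(manifest.sha256, "hex"))) {
    return { ok: false, reason: "hash-mismatch" };
  }
  return { ok: true, version: manifest.version, file: manifest.file };
}

// Constructed sample data: throwaway key pair and a fake package, so the block runs offline.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const packageBytes = Buffer.from("constructed stand-in for MyApp-1.2.3-full.nupkg");
  const sha256 = crypto.createHash("sha256").update(packageBytes).digest("hex");
  const manifestBytes = Buffer.from(JSON.stringify({ version: "1.2.3", file: "MyApp-1.2.3-full.nupkg", sha256 }));
  const signature = crypto.sign(null, manifestBytes, privateKey);
  const base = { feedUrl: "https://updates.example.com/win32", manifestBytes, signature, packageBytes, publicKey };
  return {
    good: verifyUpdate(base),
    tamperedPackage: verifyUpdate({ ...base, packageBytes: Buffer.from("modified") }),
    tamperedManifest: verifyUpdate({ ...base, manifestBytes: Buffer.from('{"version":"9.9.9"}') }),
    otherFeed: verifyUpdate({ ...base, feedUrl: "https://updates.example.com.other.test/win32" }),
  };
}
```

In a real build the private key stays with the release pipeline and only the public key ships inside the application.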