Security fixes proposed (implemented on my fork)

[soulwax]

Please evaluate if you are interested in a small pull request:

The core problem: Electron's trust boundary was disabled

the renderer (browser) should not have direct access to the main process (Node.js). Three settings collapse this boundary entirely:

nodeIntegration: true gave the renderer full node.js access. Any XSS or content injection in the renderer becomes full remote code execution on the user's machine.
webSecurity: false — disabled the same-origin policy. Any external content loaded in the app could freely interact with internal resources.
contextIsolation was not explicitly set — relying on Electron defaults for the most critical security setting is fragile across version upgrades (?)

The underlying architecture is top notch but BrowserWindow config is undermining it.

IPC handlers accepted arbitrary paths

Multiple IPC handlers (db:move, db:migrate, db:restore, db:delete-backup, fs:assets) accept file paths from the renderer with no validation.

It may be of lower risk with the app's own UI as the only caller, any compromise of the renderer (or future attack surface) could read or write arbitrary files. Path traversal checks (.. detection) are the minimum safeguard imho.

shell.openExternal had no protocol validation

This API opens URLs in the user's default browser or OS handler. Without protocol validation a file://, javascript:, or custom protocol URL could be passed through. Restricting to http:/https: could be entirely useless in the case of the current architecture but worth noting.

The preload bridge exposed a db.query(sql, params)function that allowes arbitrary SQL execution from the renderer. It was never actually called anywhere in the codebase from my analysis — but its mere existence meant any renderer compromise had direct database access. Just dead code that allows for arbitrary code execution in my eyes.

Possibly intended:

API open to any website

The local Elysia REST API runs with cors({ origin: '*' })
As an electron app is this necessary to not restrict?

[antonreshetov]

Thanks for the detailed security review! I've verified each point against the codebase. Here's my response:

nodeIntegration: true — You're right that it's set explicitly. However, contextIsolation is actually enabled (it's the default since Electron v12, and our preload.ts uses contextBridge.exposeInMainWorld, which only works with contextIsolation: true). So the renderer doesn't get direct Node.js access. That said, I agree it's better to explicitly set nodeIntegration: false to make the intent clear.

webSecurity: false — This was a deliberate decision (it's even in the changelog). It's needed for loading local resources like images from the file system. Since the app doesn't load any remote/untrusted content in the renderer, the practical risk is low — but I understand the concern.

IPC handlers accepting paths — Confirmed, though all these handlers are only called from the app's own UI with paths coming from Electron's native file dialogs (dialog.showOpenDialog). The fs:assets handler specifically extracts only the extension from the filename and generates a new name via nanoid(), so path traversal isn't possible there. Adding validation is reasonable as defense-in-depth.

shell.openExternal — All callers pass hardcoded https:// URLs from the menu. The IPC handler is only reachable from our own renderer, which is isolated via contextBridge and doesn't load any external content. If the renderer were compromised, protocol validation on a single handler wouldn't provide meaningful protection anyway.

db.query in preload — Good catch. This is dead code — there's no corresponding ipcMain.handle('db-query', ...) registered anywhere, so it doesn't actually work. And it's not called anywhere in the renderer either. But I agree it should be removed. Will do.

CORS origin: '*' — This is by design. The local REST API exists specifically for third-party integrations — the VS Code extension, Raycast extension, and any other tools users want to connect. Restricting the origin would break these integrations. The API is documented with Swagger and is an intentional feature of the app.

I will make some fixes in future versions.

[soulwax]

I can implement the issues you acknowledged, just give me the go and I will do a PR