Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NSAllowsArbitraryLoads:true being labeled as a security issue #275

Open
redhat-raptor opened this issue Dec 3, 2019 · 6 comments
Open
Labels

Comments

@redhat-raptor
Copy link

Hello,

In file: https://github.com/julienXX/terminal-notifier/blob/master/Terminal%20Notifier/Terminal%20Notifier-Info.plist the value of NSAllowsArbitraryLoads has been set to true. A code scanning tool is labelling this as a security breach. May I know what this property is used for, please!?

I did a quick grep for NSAllowsArbitraryLoads in the source code, however, looks like no code is directly referencing the item. Could anyone clarify what this piece of config is really doing?

Apple also identifies this as a security issue here: https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity/nsallowsarbitraryloads

Help is appreciated!

@julienXX
Copy link
Owner

julienXX commented Dec 3, 2019

Hello @redhat-raptor this was added so that you could use icons with a http link (cf. https://github.com/julienXX/terminal-notifier/blame/3ba9ce569e234062d09c8fd01c4be11e56a9fd1b/Terminal%20Notifier/Terminal%20Notifier-Info.plist#L37)
I think this could be disabled, using simple http is really not a good practice nowadays.

@JayBrown
Copy link

JayBrown commented Mar 7, 2020

I heard from a guy who told me that terminal-notifier was flagged as "Trojan / AdLoad" by BitDefender. Maybe that's related?

@winnemucca
Copy link

winnemucca commented May 7, 2020

@julienXX how would we change that flag to false? The one in info.plist. I imagine we can fork it. Is this the only option?

@Yusuf023
Copy link

@julienXX Is there any change planned to disable this? A code scanning tool is referring to it as a critical security issue.

@julienXX
Copy link
Owner

@Yusuf023 sure, do you want to make a pull-request for this change?

idhruvs added a commit to idhruvs/terminal-notifier that referenced this issue Jan 28, 2021
@idhruvs
Copy link

idhruvs commented Jan 28, 2021

Hi! I have created a new pull-request for resolving this issue.
#285 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

6 participants