electroncapture/setFuses.js at master · steveseguin/electroncapture · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
const { flipFuses, FuseVersion, FuseV1Options } = require('@electron/fuses');
const path = require('path');
const fs = require('fs');

async function setFuses(buildPath, electronBinaryPath) {
  console.log('Setting Electron fuses for enhanced security...');
  console.log('Binary path:', electronBinaryPath);

  try {
    await flipFuses(electronBinaryPath, {
      version: FuseVersion.V1,
      // CRITICAL: Disable RunAsNode to prevent ELECTRON_RUN_AS_NODE bypass
      [FuseV1Options.RunAsNode]: false,

      // Disable node options environment variable (prevents NODE_OPTIONS injection)
      [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,

      // Disable node CLI inspect arguments (prevents --inspect attacks)
      [FuseV1Options.EnableNodeCliInspectArguments]: false,

      // Enable cookie encryption for better security
      [FuseV1Options.EnableCookieEncryption]: true,

      // Keep these as default for compatibility
      [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false,
      [FuseV1Options.OnlyLoadAppFromAsar]: false,
      [FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false,

      // Keep this enabled as your app uses file:// protocol
      [FuseV1Options.GrantFileProtocolExtraPrivileges]: true
    });

    console.log('✓ Fuses set successfully');
  } catch (error) {
    console.error('✗ Error setting fuses:', error);
    throw error;
  }
}

module.exports = { setFuses };