There are several malicious reasons to compromise the terminal.

- Run some command in an unintended context, e.g. inject an additional command into a call to `sudo`.
- Run code in the context of the terminal computer, e.g. install a trojan when the user runs `ssh` to a malicious server.
- Learn information from the terminal's scrollback, e.g. server secrets.
- Learn information about the terminal computer, e.g. insert a tracking pixel to learn the real source IP.
To protect against these threats, several steps have been taken.

- Only parseable HTML is accepted. This is the primary mechanism by which untrusted JavaScript is prevented from getting into the terminal. All tags must be from the approved list of HTML and HTerminal components, and all attributes are screened against the approved list of attributes. If an attribute or tag cannot be parsed, it is not put into the terminal DOM.
- The terminal has no access to external resources. The terminal window cannot access any resources other than those bundled with the program. All network requests are forbidden by the host program.
- Insecure terminal reports are not acknowledged. Terminal escape codes like DECRQCRA and window title reporting can cause the terminal to send sensitive information and/or attacker-controlled strings as input to other programs. These escape codes are ignored by HTerminal.
- The terminal is isolated from the host system. The terminal window does not have any special access to the host system beyond its communication channel with the shell. Electron-specific features are not exposed to the terminal window.
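As an added illustration of the first point (allowlist-based HTML filtering), the following is example code written for this page, not HTerminal's own implementation. The tag and attribute allowlists are hypothetical; markup that does not parse against the strict tag grammar is assumed to be rendered as literal text rather than as DOM elements.

```javascript
// Hypothetical allowlists; HTerminal's real lists of approved HTML and
// component tags and attributes are not reproduced here.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'span', 'br', 'x-demo']);
const ALLOWED_ATTRS = new Set(['class', 'title']);

// Strict tag grammar: a name, then only `name` or `name="value"` attributes
// (double-quoted, no < > or " inside), optional trailing "/". Anything that
// does not match (e.g. unquoted attribute values) is not treated as a tag.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)((?:\s+[a-zA-Z][\w-]*(?:="[^"<>]*")?)*)\s*(\/?)>/g;
const ATTR_RE = /([a-zA-Z][\w-]*)(?:="([^"<>]*)")?/g;

// Text nodes: neutralise angle brackets so unparsed markup cannot become DOM.
// Entity references written by the program (e.g. &lt;) are left as they are.
function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Returns a string containing only allowlisted tags and attributes.
function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const [, close, name, attrText, selfClose] = m;
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;        // e.g. <script>: dropped entirely
    if (close) { out += `</${tag}>`; continue; }
    let attrs = '';
    for (const a of attrText.matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      if (!ALLOWED_ATTRS.has(attrName)) continue; // e.g. onclick, href, src: dropped
      attrs += a[2] === undefined ? ` ${attrName}` : ` ${attrName}="${a[2]}"`;
    }
    out += `<${tag}${attrs}${selfClose ? ' /' : ''}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}

// Constructed sample of untrusted program output, for demonstration only.
const SAMPLE = '<b onclick="x()">hi</b><script>alert(1)</script><img src=x onerror=alert(1)>';
```

Running `sanitizeHtml(SAMPLE)` keeps `<b>hi</b>`, drops the event handler and the `<script>` element, and renders the malformed `<img>` tag as escaped text.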