Set Electron Fuses flags for better security

build/fuses.js

@@ -0,0 +1,46 @@
+// https://github.com/electron-userland/electron-builder/issues/6365
+const path = require('path');
+const { flipFuses, FuseVersion, FuseV1Options } = require('@electron/fuses');
+const builder = require('electron-builder');
+
+async function addElectronFuses(context) 
+{
+    const { appOutDir, packager: { appInfo: { productFilename } }, electronPlatformName, arch } = context;
+
+    const ext = {
+        darwin: '.app',
+        win32: '.exe',
+        linux: [''],
+    }[electronPlatformName];
+
+    const IS_LINUX = electronPlatformName === 'linux';
+    const executableName = IS_LINUX
+        ? productFilename.replace('.', '') // Remove . from "draw.io"
+        : productFilename;
+
+    const electronBinaryPath = path.join(appOutDir, `${executableName}${ext}`);
+    console.log('Flipping fuses for: ', electronBinaryPath);
+
+    await flipFuses(electronBinaryPath, 
+    {
+        version: FuseVersion.V1,
+        [FuseV1Options.RunAsNode]: false, // Disables ELECTRON_RUN_AS_NODE
+        [FuseV1Options.EnableCookieEncryption]: true, // Enables cookie encryption
+        [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false, // Disables the NODE_OPTIONS environment variable
+        [FuseV1Options.EnableNodeCliInspectArguments]: false, // Disables the --inspect and --inspect-brk family of CLI options
+        [FuseV1Options.OnlyLoadAppFromAsar]: true, // Enforces that Electron will only load your app from "app.asar" instead of its normal search paths
+        // https://github.com/electron-userland/electron-builder/issues/6930 (electron-builder uses its own asar packaging)
+        [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false, // TODO Enables validation of the app.asar archive on macOS
+        // Some reports it crashes when enabled on arm64
+        [FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false, // TODO Loads V8 Snapshot from `browser_v8_context_snapshot.bin` for the browser process
+        // TODO Disables when moving to a custom protocol
+        [FuseV1Options.GrantFileProtocolExtraPrivileges]: true, // Grants the file protocol extra privileges
+        // Based on docs, this should be enabled for macOS on arm64
+        resetAdHocDarwinSignature: electronPlatformName === 'darwin' && (targetArch === builder.Arch.arm64 || arch === builder.Arch.universal),
+    });
+}
+
+module.exports = async (context) => 
+{
+    await addElectronFuses(context);
+};

electron-builder-appx.json

@@ -30,6 +30,7 @@
     "identityName": "draw.io.draw.ioDiagrams",
     "publisher": "CN=9E628CCB-BE04-4557-A5A8-81EC34B09733"
   },
+  "afterPack": "build/fuses.js",
   "fileAssociations": [
 	  {
 	  	"ext": "drawio",

electron-builder-linux-mac.json

@@ -35,6 +35,7 @@
     ]
   },
   "afterSign": "build/notarize.js",
+  "afterPack": "build/fuses.js",
   "dmg": {
   },
   "linux": {

electron-builder-snap.json

@@ -26,6 +26,7 @@
       "removable-media"
     ]
   },
+  "afterPack": "build/fuses.js",
   "fileAssociations": [
 	  {
 	  	"ext": "drawio",

electron-builder-win.json

@@ -48,6 +48,7 @@
   "portable": {
     "artifactName": "${productName}-${version}-windows-no-installer.${ext}"
   },
+  "afterPack": "build/fuses.js",
   "fileAssociations": [
 	  {
 	  	"ext": "drawio",

electron-builder-win32.json

@@ -39,6 +39,7 @@
   "portable": {
     "artifactName": "${productName}-ia32-${version}-windows-32bit-no-installer.${ext}"
   },
+  "afterPack": "build/fuses.js",
   "fileAssociations": [
 	  {
 	  	"ext": "drawio",

package.json

@@ -40,6 +40,7 @@
     "pdf-lib": "^1.17.1"
   },
   "devDependencies": {
+    "@electron/fuses": "^1.7.0",
     "@electron/notarize": "^2.2.0",
     "dotenv": "^16.3.1",
     "electron": "^28.1.0",