Executable/script file download security

[DNin01]

You can download a file with any content with the Files TurboWarp extension. This can become problematic when projects download executable files such as .exe, .js, .py, .bat, .ps1, etc., and if someone is ambitious enough, could become a delivery mechanism for unwanted software.

So, I suggest that TurboWarp should ask users for permission to download a file that is an executable, noting that these files can contain malware and that you're not responsible for damage caused by files like these.

[GarboMuffin]

This is seems reasonable

(if you are aware of anyone actually doing this in the wild -> email [email protected])

[Secret-chest]

A checkbox to allow the next downloads would be nice.

[Secret-chest]

I think we can warn about SH, PY, DEB, RPM, ZIP, TAR, TAR.GZ, TAR.BZ, RAR, 7Z, BAT, JS, PERL, RB, JAR, PS1, RUN, and anything beginning with #!

[DNin01]

On top of Secret-chest's suggestions, here are a few more files people should be aware of:

Executables and scripts: .exe, .msi, .scr, .com, .bin, .iso, .img, .vbs, .psm1, .lnk, .app, .ahk, .pyc, .go,

Documents: .pdf, .html; Microsoft 365 documents: .docx, .xlsx, .pptx, .dotx, .xltx, .potx, .docm, .xlsm, .pptm, .dotm, .xltm, .potm

And all the JavaScript/TypeScript and C language file extensions.

---

Here is another idea for a prompt:

The project wants to download the file: "FILENAME"

This file could contain executable code which has not been reviewed by the TurboWarp developers and may be dangerous or malicious.

After clicking "Allow", maybe further file downloads with the same file extension could be allowed. (Ex. you could download multiple .zip files in a row after allowing the first one but then if a .pdf or something comes in you'd be asked again.)

Also, on the prompt, maybe the file extension should be highlighted and the file name could be gray, to draw attention to the file extension specifically.

[CubesterYT]

How can document files be malicious? Sorry I just like to know, cause it intrigued me

[DNin01]

How can document files be malicious? Sorry I just like to know, cause it intrigued me

Apparently, PDFs can contain scripts that can run and do potentially harmful things in some PDF viewers. And M365 documents (Word, Excel, PowerPoint, etc.) can contain macros, which, if enabled, can also do harm.

HTML files are the safest because they open in a browser, but they can still do things like steal entered information such as passwords, using bundled JavaScript.

[Secret-chest]

If we can, we should also strip the Unix executable flag.

[GarboMuffin]

The executable bit of the file itself is handled by your browser, should always be off by default

An exception to that is formats like zip and tar.gz which can specify the bits for the files that will get created when you extract it

[GarboMuffin]

Something like this is in staging right now, to be in production soon

[DNin01]

I think asking before saving any file is a great idea! 1. You can cancel any download you don't want and 2. We won't have to make a comprehensive list of executable files. But it is still nice to point out the risks of executing files before downloading a file using one of the well-known executable or archive file formats.

Also keep in mind that some browsers may ask you where you want to save a download instead of immediately saving them to downloads. In Chrome and Edge, this is an option, and there might be an option in Safari too.

And TurboWarp already restricts iframes such as sandboxed extensions from downloading files using a content security policy so I assume we don't have to worry about unconfirmed downloads of any sort.

[Secret-chest]

Can we make it have an option to not ask for the same file type?

[DNin01]

I just tried out this new security modal. Great job!

I think you only missed a few:

• .app
• .drv
• .ws
• .sys