[Bug]: 非严格配置 Electron Fuses 可能导致恶意代码执行

[Mas0nShi]

Issue Checklist

• I understand that issues are for feedback and problem solving, not for complaining in the comment section, and will provide as much information as possible to help solve the problem.
• I've looked at pinned issues and searched for existing Open Issues, Closed Issues, and Discussions, no similar issue or discussion was found.
• I've filled in short, clear headings so that developers can quickly identify a rough idea of what to expect when flipping through the list of issues. And not "a suggestion", "stuck", etc.

Platform

macOS

Version

v0.9.27

Bug Description

living off the land

参考：https://www.electronjs.org/blog/statement-run-as-node-cves

建议禁用 nodeCliInspect 以及 runAsNode

Steps To Reproduce

ELECTRON_RUN_AS_NODE=1 /Applications/Cherry\ Studio.app/Contents/MacOS/Cherry\ Studio inject.js

Expected Behavior

代码执行

Relevant Log Output

Additional Context

No response

[FischLu]

An attacker needs to already be able to execute arbitrary commands on the machine, either by having physical access to the hardware or by having achieved full remote code execution. This bears repeating: The vulnerability described requires an attacker to already have access to the attacked system.

攻击者需要已经拥有本地执行的能力, 如果他们有, 也大可不必去执行 js 来实现系统攻击, 直接运行 bash 或者他们自己的软件即可. 如果从一开始没有禁用 nodeIntegration, 突然禁用可能会出现意想不到的 bug, 需要逐一调试, 总体收益太低