From dfc6970756074f3a9e65b6364b08824444b1b7d5 Mon Sep 17 00:00:00 2001
From: Lewis Crichton
Date: Thu, 28 Dec 2023 00:38:31 +0000
Subject: [PATCH] fix(security): use promise queue for steam pipe (#300)

this prevents an (unlikely) race condition where writing multiple large payloads to the pipe simultaneously could lead to jambled data => argument injection
---
 src/main/utils/steamOS.ts | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/main/utils/steamOS.ts b/src/main/utils/steamOS.ts
index 44eadac..8145e5a 100644
--- a/src/main/utils/steamOS.ts
+++ b/src/main/utils/steamOS.ts
@@ -17,6 +17,8 @@ const layoutVersion = 2;
 const layoutId = "3080264545"; // Vesktop Layout v2
 const numberRegex = /^[0-9]*$/;
 
+let steamPipeQueue = Promise.resolve();
+
 export const isDeckGameMode = process.env.SteamOS === "1" && process.env.SteamGamepadUI === "1";

 export function applyDeckKeyboardFix() {
@@ -39,18 +41,20 @@ function getAppId(): string | null {
 return null;
 }
 
-export async function execSteamURL(url: string): Promise {
+export function execSteamURL(url: string) {
 // This doesn't allow arbitrary execution despite the weird syntax.
- await writeFile(
- join(process.env.HOME || "/home/deck", ".steam", "steam.pipe"),
- // replace ' to prevent argument injection
- `'${process.env.HOME}/.local/share/Steam/ubuntu12_32/steam' '-ifrunning' '${url.replaceAll("'", "%27")}'\n`,
- "utf-8"
+ steamPipeQueue = steamPipeQueue.then(() =>
+ writeFile(
+ join(process.env.HOME || "/home/deck", ".steam", "steam.pipe"),
+ // replace ' to prevent argument injection
+ `'${process.env.HOME}/.local/share/Steam/ubuntu12_32/steam' '-ifrunning' '${url.replaceAll("'", "%27")}'\n`,
+ "utf-8"
+ )
 );
 }
 
-export async function steamOpenURL(url: string) {
- await execSteamURL(`steam://openurl/${url}`);
+export function steamOpenURL(url: string) {
+ execSteamURL(`steam://openurl/${url}`);
 }

 export async function showGamePage() {
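Review bot: The new module-level `steamPipeQueue` carries no comment saying that it exists to serialise writes to `steam.pipe`, so its security purpose is visible only in the commit message. A line above the declaration such as `// Serialises writes to steam.pipe; concurrent writes could interleave and corrupt the quoted command line.` would keep a later refactor from dropping the queue.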
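Review bot: One rejected `writeFile` leaves `steamPipeQueue` permanently rejected, so in the new `execSteamURL` every later `.then(() => writeFile(…))` callback is skipped and no further command reaches the pipe; the rejection is also unhandled, because neither `execSteamURL` nor `steamOpenURL` returns a promise any more. Keeping the tail caught while handing the per-call promise back would fix both: `const write = steamPipeQueue.then(() => writeFile(/* … */));`, `steamPipeQueue = write.catch(() => {});`, `return write;`. Separately, the quoting on the template line replaces only `'`; since each command is written as a single newline-terminated line, a line feed or other control character in `url` looks like it would still split the command, so rejecting those before queuing would close the gap the commit message is concerned with. The command path also interpolates `process.env.HOME` without the `/home/deck` fallback that the `join` call two lines above it uses.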