Re: Security audit
From: Michael McMahon
Subject: Re: Security audit
Date: Thu, 27 Jan 2022 09:29:24 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Icedove/78.14.0
Hi, Libor!
Can I get an invite to the meetings?
I do not think we need to run the website through the security review.
The security of the webserver is dependent on the security of the forge
and the commit access of contributors. If the repo is compromised, then
the web server might run code that it should not or display content that
it should not. These would be separate security concerns from the
webextension. It would be best to use our two pentesting days on the
extension itself rather than digging into Python and Pelican dependencies.
Best,
Michael McMahon | Web Developer, Free Software Foundation
GPG Key: 4337 2794 C8AD D5CA 8FCF FA6C D037 59DA B600 E3C0
https://fsf.org
US government employee? Use CFC charity code 63210 to support us through the
Combined Federal Campaign. https://cfcgiving.opm.gov/
On 1/27/22 2:44 AM, Libor Polčák wrote:
Hello all,
We should have our NLNet sponsored security audit soon. So far I
learned (copied from chat with the auditor):
"First some organizational topics: as you've noticed, we're working a
lot with interactive chats here in our Rocketchat instance. Your
accounts will also give access to the corresponding internal Gitlab
project. I will be using the issue tracker to document topics during
the evaluation. Feel free to comment on issues I create, that way we
can have a more focused discussion on a technical topic if necessary.
Typically, I do a kickoff- and closing meeting of ~60-90min each, with
work in between stretched over a 1.5-2W calendar time frame so that
there is time for feedback.
ROS can be a busy place - I have some other projects that are
beginning or ending at the moment, but expect to have time for the
kickoff meeting and some initial work next week.
We're here to give you developer-level internal feedback on your
project. There will be a short summary report, but this is not the
focus of the evaluation and mainly meant for internal use (unless
discussed otherwise).
Overall, there are 2 person days of pentester worktime for this
project, which includes communication and documentation, so I will be
mainly looking at "low-hanging fruit" like dangerous code use,
vulnerable dependencies and so on. Feel free to point out design
aspects or code positions in the code that you think are particularly
important for the evaluation."
I think that it sounds reasonable and useful.
Please, if you did not receive an invitation to the chat and want to
be a part of the audit, let me know. If you received an invitation,
please, register.
Do we have any design aspects or code that is particularly important
for the evaluation?
I see some topics that might be important:
1. Code injection by the NSCL library. But AFAIK the NSCL is also an
NLNet project so it will have a separate review. If this is so, we can
also merge the two audits. Giorgio, what do you think?
2. Evasion of the wrappers and/or FPD. I am unsure if we can get
reasonable feedback for this since this is a highly specialized topic.
3. Detection of the extension. We already know that there are multiple
ways of detecting the extension like
https://github.com/polcak/jsrestrictor/issues/166, observing
timestamps (e.g. Date.now()) in a loop, diploma thesis
https://www.fit.vut.cz/study/thesis-file/23972/23972.pdf (page 46 and
47, but most anomalies and inconsistencies should be resolved by now,
it is in Czech but the table should be readable even without
translation), and there are likely others.
4. Do we want to evaluate the web? Neither Ricardo nor Ana is listed
in the review, so if you want to be a part of the process, please, let
me know.
Thanks,
Libor