
Re: Security audit


From: Michael McMahon
Subject: Re: Security audit
Date: Thu, 27 Jan 2022 09:29:24 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Icedove/78.14.0

Hi, Libor!

Can I get an invite to the meetings?

I do not think we need to run the website through the security review.  The security of the webserver is dependent on the security of the forge and the commit access of contributors.  If the repo is compromised, then the web server might run code that it should not or display content that it should not.  These would be separate security concerns from the webextension.  It would be best to use our two pentesting days on the extension itself rather than digging into Python and Pelican dependencies.

Best,
Michael McMahon | Web Developer, Free Software Foundation
GPG Key: 4337 2794 C8AD D5CA 8FCF  FA6C D037 59DA B600 E3C0
https://fsf.org

US government employee? Use CFC charity code 63210 to support us through the
Combined Federal Campaign. https://cfcgiving.opm.gov/

On 1/27/22 2:44 AM, Libor Polčák wrote:
Hello all,

We should have our NLNet sponsored security audit soon. So far I learned (copied from chat with the auditor):

"First some organizational topics: as you've noticed, we're working a lot with interactive chats here in our Rocketchat instance. Your accounts will also give access to the corresponding internal Gitlab project. I will be using the issue tracker to document topics during the evaluation. Feel free to comment on issues I create, that way we can have a more focused discussion on a technical topic if necessary.

Typically, I do a kickoff and a closing meeting of ~60-90min each, with work in between stretched over a 1.5-2W calendar time frame so that there is time for feedback.

ROS can be a busy place - I have some other projects that are beginning or ending at the moment, but expect to have time for the kickoff meeting and some initial work next week.

We're here to give you developer-level internal feedback on your project. There will be a short summary report, but this is not the focus of the evaluation and mainly meant for internal use (unless discussed otherwise).

Overall, there are 2 person days of pentester worktime for this project, which includes communication and documentation, so I will be mainly looking at "low-hanging fruit" like dangerous code use, vulnerable dependencies and so on. Feel free to point out design aspects or code positions in the code that you think are particularly important for the evaluation."

I think that it sounds reasonable and useful.

Please, if you did not receive an invitation to the chat and want to be a part of the audit, let me know. If you received an invitation, please, register.

Do we have any design aspects or code that is particularly important for the evaluation?

I see some topics that might be important:

1. Code injection by the NSCL library. But AFAIK the NSCL is also an NLNet project so it will have a separate review. If this is so, we can also merge the two audits. Giorgio, what do you think?

2. Evasion of the wrappers and/or FPD. I am unsure if we can get reasonable feedback for this since this is a highly specialized topic.

3. Detection of the extension. We already know that there are multiple ways of detecting the extension like https://github.com/polcak/jsrestrictor/issues/166, observing timestamps (e.g. Date.now()) in a loop, diploma thesis https://www.fit.vut.cz/study/thesis-file/23972/23972.pdf (pages 46 and 47, but most anomalies and inconsistencies should be resolved by now; it is in Czech but the table should be readable even without translation), and there are likely others.

4. Do we want to evaluate the web? Neither Ricardo nor Ana is listed in the review, so if you want to be a part of the process, please, let me know.

Thanks,

Libor