Consider security and possible forms of misuse of octomode #2

New Issue

mb · 2022-02-17T13:46:35+01:00

mb commented

2022-02-17 13:46:35 +01:00

I will dive into this thread around the Televex project as a start: varia/televex#1

And next to that check Crunk's work on distribusi-verse to see how sanitizing has been done in Flask: https://git.vvvvvvaria.org/crunk/distribusi-verse

I will dive into this thread around the Televex project as a start: https://git.vvvvvvaria.org/varia/televex/issues/1 And next to that check Crunk's work on distribusi-verse to see how sanitizing has been done in Flask: https://git.vvvvvvaria.org/crunk/distribusi-verse

mb commented

2022-02-17 16:33:57 +01:00

Small research: XSS attacks is something to be careful with https://en.wikipedia.org/wiki/Cross-site_scripting.

About sanitizing Markdown in combination with Mozilla's HTML Bleach python library: https://github.com/Python-Markdown/markdown/issues/392

Bleach, by Mozilla: https://github.com/mozilla/bleach

What is a good CSS sanitizer? Crunk:

Ik zat te kijken naar tinycss of bleach
Ja, maar volgens mij kan je bleach dus ook voor css gebruiken
Je wil vooral niet de browser van iemand anders, css als het of Javascript laten werken

On top of sanitizing the Markdown and CSS, would it be needed to add something like Talisman to configure Content Security Policy settings and things like that?

Small research: XSS attacks is something to be careful with https://en.wikipedia.org/wiki/Cross-site_scripting. About sanitizing Markdown in combination with Mozilla's HTML Bleach python library: https://github.com/Python-Markdown/markdown/issues/392 Bleach, by Mozilla: https://github.com/mozilla/bleach What is a good CSS sanitizer? Crunk: > Ik zat te kijken naar tinycss of bleach > Ja, maar volgens mij kan je bleach dus ook voor css gebruiken > Je wil vooral niet de browser van iemand anders, css als het of Javascript laten werken On top of sanitizing the Markdown and CSS, would it be needed to add something like [Talisman](https://github.com/GoogleCloudPlatform/flask-talisman#content-security-policy) to configure Content Security Policy settings and things like that?

crunk commented

2022-02-18 10:16:55 +01:00

Both the https://git.vvvvvvaria.org/crunk/distribusi-verse and https://git.vvvvvvaria.org/varia/varia-library-website also have CSRF protection.

More on that here: https://owasp.org/www-community/attacks/csrf

This is mostly when working with flask-wtf and wtforms.

Both the https://git.vvvvvvaria.org/crunk/distribusi-verse and https://git.vvvvvvaria.org/varia/varia-library-website also have CSRF protection. More on that here: https://owasp.org/www-community/attacks/csrf This is mostly when working with flask-wtf and wtforms.

mb commented

2022-02-22 10:20:36 +01:00

Logging the following from the infra chat:

I wouldn't worry about someone writing to the pads, since this anyway can always happen if someone knows the pad name
What I am more worried about if a tool can be used to read and write to the server and for example execute arbitrary files
If you for example make a system user with who can not launch a shell who executes this software, things are already much safer
One of the things you can and should do with flask is use their inbuilt methods to serialize and deserialize things like html so that nothing funny can happen there

Here is a thing I bookmarked yesterday with a nice exploit of the kind of stuff I would worry about; https://kaizoku.dev/htb-devoops#heading-gaining-foothold-user-shell

Logging the following from the infra chat: > I wouldn't worry about someone writing to the pads, since this anyway can always happen if someone knows the pad name > What I am more worried about if a tool can be used to read and write to the server and for example execute arbitrary files > If you for example make a system user with who can not launch a shell who executes this software, things are already much safer > One of the things you can and should do with flask is use their inbuilt methods to serialize and deserialize things like html so that nothing funny can happen there > Here is a thing I bookmarked yesterday with a nice exploit of the kind of stuff I would worry about; https://kaizoku.dev/htb-devoops#heading-gaining-foothold-user-shell

rra commented

2022-02-23 09:44:12 +01:00

It should probably also be run as a limited permissions user with a strictly defined set of folders etc that it can read/write to.

mb commented

2022-03-10 13:06:07 +01:00

Would you do that with a chroot? I got confused reading that this involves ssh, and a system user does not use ssh to interact with the server, right?

Would you do that with a `chroot`? I got confused reading that this involves `ssh`, and a system user does not use `ssh` to interact with the server, right?

crunk commented

2022-03-19 19:50:35 +01:00

d5369bc142, I succesfully used bleach in distribusi-verse

https://git.vvvvvvaria.org/crunk/distribusi-verse/commit/d5369bc1420055613a1b49d981c14be2c138b78c, I succesfully used bleach in distribusi-verse

decentral1se commented

2022-04-08 16:48:06 +02:00

Would you do that with a chroot?

Using a chroot is complicated unfortunately... I like the suggestion in varia/octomode#2 (comment)

If you for example make a system user with who can not launch a shell who executes this software, things are already much safer

So you just do a nologin system user which has no root permissions.

> Would you do that with a chroot? Using a `chroot` is complicated unfortunately... I like the suggestion in https://git.vvvvvvaria.org/varia/octomode/issues/2#issuecomment-725 > If you for example make a system user with who can not launch a shell who executes this software, things are already much safer So you just do a `nologin` system user which has no root permissions.

Sign in to join this conversation.

No Label

No Milestone

No project

No Assignees

4 Participants

Notifications

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: CC/octomode#2