
security and remi on production server

Open Wouter1 opened this issue 3 years ago • 8 comments

I read on the main page the quote below. This is a deal breaker, because writing a web application is, in the end, to put on the web...

Is it possible to make this more secure? Or, what do the tips like "not expose its access" or "when loading data from external sources" actually imply? How would I even know what Remi accesses internally regarding external sources?

May I suggest giving examples on how to actually do this?

"Remi should be intended as a standard desktop GUI framework. The library itself doesn't implement security strategies, and so it is advised to not expose its access to unsafe public networks.

When loading data from external sources, consider protecting the application from potential javascript injection before displaying the content directly."

Wouter1 avatar Dec 13 '21 12:12 Wouter1

Not sure if it helps, but I got a message from the security team indicating that a Nessus scan showed issues with the Remi application. My application itself is a very simple page with a few buttons and combo boxes only. Hard to imagine at this level what a Nessus security error even means.

Wouter1 avatar Dec 13 '21 12:12 Wouter1

I may be wrong, but my belief is that this project aims to provide a way to make apps to control or monitor things in a controlled environment. Kind of a development or debugging interface. Not a real website for the world to visit. I think of an intranet configuration interface or a robot management interface.

I haven't followed the changes on the codebase for a while, however, my understanding is that the interface is created by injecting JavaScript (which makes the system really flexible to do anything you want). Which may need a fair amount of sanity checking to avoid the possibility of misuse.

If you plan to do web development, this is not really for web development; I see it more as a Qt/Tkinter library that can run in the browser and has a quite simple API.


awesomebytes avatar Dec 14 '21 07:12 awesomebytes

@awesomebytes
For me the idea is that you can make an application that runs both standalone (=secure, special users, and for testing) and can be deployed (for general use/demos/SAS etc).

I don't want to do "web development". I'm writing a simple app, not a web system. That's why this tool seemed so useful. It takes away all that "web development" stuff (servers, browsers, server/client side stuff, etc etc) that I don't care about for this project.

Wouter1 avatar Dec 14 '21 08:12 Wouter1

You are both right, my friends. Remi is not intended to make websites. It is made for local or intranet interfaces. So, it is safe to use it in a safe network. To use it remotely, consider using a VPN, a proxy and so on to obfuscate and protect the server.

dddomodossola avatar Dec 19 '21 23:12 dddomodossola

@dddomodossola thanks.

Can you clarify a bit further? I'm primarily concerned with security on the server side. I have this simple app with a few buttons and text input fields. The text is processed on the server, in Python, to extract some features. If we would use a VPN or proxy as you suggest, would it really be secure, or would it just look superficially safer? So, would the inherently unsafe calls still be possible? If the VPN or proxy alleviates this, would we need specific settings or filters somewhere? What configuration are you thinking of?

Wouter1 avatar Dec 20 '21 11:12 Wouter1

@Wouter1 using a VPN you make the application accessible only by trusted clients, so the security is implicit. Nonetheless, you can limit the application to be accessible only on the local machine, by configuring a server address of 127.0.0.1.

dddomodossola avatar Dec 22 '21 10:12 dddomodossola
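The two practical points raised in this thread, escaping data from external sources before it is displayed (the README quote in the opening post) and binding the server to 127.0.0.1 so that only the local machine can reach it (the suggestion in the comment above), combined in one Python example. This is an added example, not code from the Remi project or from anyone in the thread. It uses Remi's documented `start`, `App`, `gui.VBox`, `gui.TextInput`, `gui.Label` and `gui.Button` API as shown in the project README; the helper names `is_trusted_bind_address`, `sanitize_for_display` and `run_locally` are introduced here, and treating private/VPN address ranges as trusted (on top of loopback) is an assumption that follows the VPN/intranet remarks in the thread. The policy helpers run without Remi installed; Remi is imported only when the app is actually started.

```python
import html
import ipaddress


def is_trusted_bind_address(address: str) -> bool:
    """Return True if binding to `address` keeps the app off public networks.

    Trusted here (assumption) means the loopback interface, i.e. the 127.0.0.1
    suggestion from the thread, or a private range as used by intranets/VPNs.
    0.0.0.0 / :: listen on every interface and are always rejected.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    if ip.is_unspecified:  # 0.0.0.0 or :: -> reachable from any interface
        return False
    return ip.is_loopback or ip.is_private


def sanitize_for_display(untrusted: str) -> str:
    """HTML-escape external text before handing it to a widget.

    Anything typed by a client, fetched from an API or read from a file is
    external data; escaping it means a string such as "<script>...</script>"
    is shown literally instead of being interpreted by the browser.
    """
    return html.escape(untrusted, quote=True)


def run_locally(address: str = "127.0.0.1", port: int = 8081) -> None:
    """Start a small Remi app, refusing any bind address that is not trusted."""
    if not is_trusted_bind_address(address):
        raise ValueError(f"refusing to bind Remi to non-trusted address {address!r}")

    # Imported lazily so the policy helpers above work without Remi installed.
    import remi.gui as gui
    from remi import App, start

    class EchoApp(App):
        # Hypothetical demo app: one text field, one button, one label.
        def main(self):
            container = gui.VBox(width=300, height=150)
            self.text_input = gui.TextInput()
            self.label = gui.Label("Type something and press the button")
            button = gui.Button("Process")
            button.onclick.do(self.on_process)
            for widget in (self.text_input, button, self.label):
                container.append(widget)
            return container

        def on_process(self, widget):
            # The field content came from the client: escape it before it is
            # rendered back into the page for every connected browser.
            self.label.set_text(sanitize_for_display(self.text_input.get_value()))

    # start_browser=False: the server just listens; no browser is auto-opened.
    start(EchoApp, address=address, port=port, start_browser=False)


if __name__ == "__main__":
    run_locally()  # binds to 127.0.0.1:8081 only
```

Run the file directly to get a server that is reachable only from the local machine; calling `run_locally("0.0.0.0")` raises before Remi is even imported, which is the check a deployment script would want in front of any Remi app that must stay off public networks. The escaping helper is deliberately kept outside the widget code so it can be applied to every external source the server processes, not only the text field.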

@dddomodossola It seems there is a misunderstanding. By "putting it on the web" I do mean public. And certainly not localhost.

So there is no "trusted client" at all.

Wouter1 avatar Dec 22 '21 10:12 Wouter1

@Wouter1 ok, I understand, but remi is not intended to be used this way. I'm afraid you need a website in this case.

dddomodossola avatar Dec 22 '21 11:12 dddomodossola