
Security Policy

Open Otto-AA opened this issue 2 years ago • 15 comments

What is the security policy for this repository? I could not find any info in the README and the Security github section.

In particular, where should I report security vulnerabilities?

Otto-AA avatar Jun 05 '22 21:06 Otto-AA

@Otto-AA sorry for coming back to you so late. Feel free to report any issues in this ticket.

timea-solid avatar Sep 01 '22 07:09 timea-solid

I don't remember where exactly it was in the code, if you need it I can try to dig it up.

Essentially, the markdown renderer is vulnerable to XSS. When viewing a markdown file, arbitrary scripts from this file can be executed. As an example, go to https://sheep.solidcommunity.net/public/ and click on the xss.md file, which will call print() as an XSS demonstration.

As a solution, it is likely enough to go to the documentation of the markdown renderer and follow the security best practices there (again, I forgot which one it is, but they must have a section about filtering scripts for XSS).

Otto-AA avatar Sep 01 '22 13:09 Otto-AA

@Otto-AA thanks! This already pins it down pretty well. :)

timea-solid avatar Sep 01 '22 16:09 timea-solid

Also, as a general note: refrain from using .innerHtml = ... if not necessary. I've seen it in a number of places where only text is assigned, not HTML (not sure which one is good, but e.g. .innerText or innerContent should work iirc). This makes it less likely to have XSS.

Otto-AA avatar Sep 01 '22 17:09 Otto-AA

@Otto-AA I think it is clear from your findings that we do not have much know-how about security concerns in the code 😓 We could really use some help, even with these simple .innerHtml removal tasks. Would you be interested in joining us and taking a look? We can also organise a security knowledge transfer so we know what to avoid and fix. The SolidOS team meets every week on Wednesday 6pm CET (more details), and you can always come say hi at our gitter chat. We'd like to learn more on security topics and to get to know you.

timea-solid avatar Sep 02 '22 07:09 timea-solid

SolidOS is using https://github.com/markedjs/marked. They recommend sanitizing using https://github.com/cure53/DOMPurify

bourgeoa avatar Sep 02 '22 19:09 bourgeoa
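The two recommendations above (use textContent where only text is displayed; parse Markdown with marked and pass the HTML through DOMPurify before assigning it) as a small added example. This is not solid-panes' own code; it assumes `marked` and `DOMPurify` are already loaded by the app and takes them as function parameters so the helpers can be exercised without a browser.

```javascript
// Added example, not solid-panes' own code.
// Assumes the app loads `marked` and `DOMPurify`; they are injected as functions
// (`parse`, `sanitize`) so the helpers can be tested without a DOM.

// For places that only display a string: assign via textContent, never innerHTML.
// The browser then shows "<img src=x onerror=...>" as literal characters
// instead of creating an element and running the handler.
function renderText(el, untrusted) {
  el.textContent = String(untrusted);
  return el;
}

// For Markdown that must become HTML: parse, then sanitize, then assign.
// Real call site (assumed API names, from the libraries' READMEs):
//   renderMarkdown(el, md, { parse: marked.parse, sanitize: DOMPurify.sanitize })
function renderMarkdown(el, markdown, { parse, sanitize }) {
  if (typeof sanitize !== 'function') {
    // Fail closed: never assign renderer output to innerHTML unsanitized.
    throw new TypeError('renderMarkdown requires a sanitizer; refusing to assign raw HTML');
  }
  el.innerHTML = sanitize(parse(markdown));
  return el;
}

// Escaper for the rare case where an HTML string has to be built from data
// (e.g. a value placed in an attribute). Prefer DOM APIs such as textContent
// and setAttribute whenever possible.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
```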

We should split off the script injection problem from this general "What is your Security Policy" issue.

timbl avatar Jan 23 '23 14:01 timbl

I've moved the XSS vulnerability to another issue, so this one can focus on the security policy.

Otto-AA avatar Feb 09 '23 14:02 Otto-AA

@timea-solid I've created a document with basic security recommendations here: https://github.com/Otto-AA/solid-security-basics

If you think it is helpful for you all, I could also join the meeting and talk about this (though I don't know if it would be much more than going through the document). I would have to join late though, as I'm usually not available on Wednesdays before 18:00.

Otto-AA avatar Apr 13 '23 16:04 Otto-AA

@Otto-AA Thank you so so so much! I had this in the back of my mind. I recently learned how to do one myself. So getting us started is so much appreciated. I would enjoy virtually meeting you, but there is no need for you to fight with your schedule. But, please, do join sometimes :)

And wow may I just say you went above and beyond there: https://github.com/Otto-AA/solid-security-basics

timea-solid avatar Apr 13 '23 17:04 timea-solid

@Otto-AA @bourgeoa what do you think about this proposal: https://github.com/SolidOS/solid-panes/pull/376 @Otto-AA I named you as one of our security champions. Please let me know if this is not comfortable for you.

Context: each and every single repo in SolidOS should have such a policy -> if we settle on the wording in one, we can then copy it into each repo.

timea-solid avatar Apr 13 '23 19:04 timea-solid

> I would enjoy virtually meeting you, but there is no need for you to fight with your schedule. But, please, do join sometimes :)

Yes, for the next weeks/months I'm only available after 18:00. So I could only join late, or maybe in June/July I'll also have time at 17:30. Let's see :)

> And wow may I just say you went above and beyond there: https://github.com/Otto-AA/solid-security-basics

Thanks, I hope it's able to give some useful input!

> @Otto-AA I named you as one of our security champions. Please let me know if this is not comfortable for you.

Not necessary, but why not :shrug:

And thank you for the enthusiasm, always refreshing to see!

Otto-AA avatar Apr 13 '23 21:04 Otto-AA

@Otto-AA our meetings have been pushed back by half an hour. From now on they begin at 16h00 UTC, that is 18h00 Paris time.

bourgeoa avatar Apr 14 '23 09:04 bourgeoa

Weren't we able to sanitize the user's input? I didn't know if this issue was fixed or not.

chunt007 avatar Jan 10 '24 00:01 chunt007

> Weren't we able to sanitize the user's input? I didn't know if this issue was fixed or not.

The markdown XSS has moved to a separate issue and has been fixed: https://github.com/SolidOS/solid-panes/issues/369

Otto-AA avatar Jan 10 '24 17:01 Otto-AA