cordova-plugin-file
Question Regarding Restricting FileSystem Access to certain parts of the code
Related to the recent event-stream exploit (https://github.com/dominictarr/event-stream/issues/116)
The attacker used the fact that window.cordova.file is global and publicly accessible from anywhere in the code, as shown in this part of the injected malicious code:
```javascript
// Excerpt from the injected event-stream payload; `t` (the target file name)
// and `n` (the callback that receives the parsed contents) are defined elsewhere in it.
if (window.cordova) try {
  var e = cordova.file.dataDirectory;
  resolveLocalFileSystemURL(e, function(e) {
    e.getFile(t, {
      create: !1            // minified `false`: only open an existing file
    }, function(e) {
      e.file(function(e) {
        var t = new FileReader;
        t.onloadend = function() {
          return n(JSON.parse(t.result))
        }, t.onerror = function(e) {
          t.abort()
        }, t.readAsText(e)
      })
    })
  })
} catch (e) {}            // catch clause assumed; the excerpt ends inside the try block
```
We are thinking about different ways to prevent unauthorized parts of the code from accessing the file system, but I wonder if there is any existing solution for that, or whether you guys have already thought about a possibility of doing so.
thanks, matías
Just a quick nitpick: the global object created by this plugin is cordova.file; window.cordova was used to check if the code is running in a Cordova context in general.
What is the status of this query?
What do you think @brodybits? Someone asked a (justified) question, I responded with some additional information, and then no one else followed up with any additional information. So the status is: 1 question, 1 nitpick, nothing else.
The feature you're talking about is essentially what SELinux or AppArmor is for Linux, with which developers can set up a set of profiles that essentially describe what their app can or cannot access. I.e., if the app has no business touching the file system, the developer can configure a policy that prevents the app from using filesystem APIs... so should there be an exploit through the application, the exploit cannot be used to read or write to the filesystem, thus limiting the attack vector.
Unfortunately JavaScript in general has no concept of this. If an exploit allowed a malicious actor to execute arbitrary JavaScript in a Cordova environment, it can find/import a path to the file system APIs (or any other Cordova/application API). You can't prevent/filter JS execution from the JS environment.
However I think it might be possible to implement something similar to this as a Cordova feature to say "my app will only read/write to this set of files/directories" and restrict the app from accessing any other file. It would be important to understand that this would not protect you from malicious actors accessing files that you would want your app to access, but it could help prevent your app being abused (in the event of a zero-day exploit) to limit the attack vector.
This kind of feature would be a pretty large job, so I don't foresee this happening anytime soon (especially since this was originally asked in 2018....) but this kind of discussion would be more appropriate for the dev mailing list.