Security/Kuma2
Item Reviewed: Kuma 2.0
Target:
Introduce the Feature
Goal of the feature: what it is trying to achieve (problem solved, use cases, etc.)
- There aren't just one or two new features: the effort is rebuilding the entire MDN content management platform almost from scratch, in order to replace the MindTouch product we've been using.
- Question: Does the project team (Les & Luke) need to first build up an inventory of discrete features and review them in turn?
- Some new and reworked features include the following (this is not a complete list):
  - Raw HTML content editing, with CKEditor for WYSIWYG and Bleach white-lists for markup sanitization
  - Macros powered by server-side JavaScript (i.e. KumaScript), written by trusted wiki editors, the output of which is also sanitized with Bleach
  - File uploads for page attachments
  - L10n in page content
  - Content migration from MindTouch to Kuma
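The two Bleach items above (raw HTML editing and KumaScript macro output) rest on the same idea: never block-list dangerous markup, re-serialise the document keeping only an allow-list of tags, attributes and URL schemes. The following is an added illustration of that approach, not Kuma's code and not Bleach itself; it uses Python's standard-library html.parser so it runs without dependencies, and the tag, attribute and scheme lists are constructed for the example (Bleach's defaults differ). Unknown tags are dropped but their text is kept; the bodies of script and style are removed entirely; href values are rejected unless their scheme is http, https, mailto or empty (relative link).

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-lists for this example; Bleach's defaults are different.
ALLOWED_TAGS = {"a", "abbr", "b", "code", "em", "i", "li", "ol", "p", "pre", "strong", "ul"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "abbr": {"title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Elements whose content is code rather than prose: drop the body, not just the tag.
DROP_BODY = {"script", "style"}


def url_is_safe(value):
    """Accept relative URLs and allow-listed schemes; reject everything else.

    Browsers ignore ASCII control characters and whitespace inside a scheme
    (so "java\\tscript:" still executes), so those are removed before classifying.
    """
    cleaned = "".join(ch for ch in (value or "") if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Re-serialises the input keeping only allow-listed markup.

    Unknown tags are removed but their text survives (escaped); the bodies of
    <script>/<style> are removed entirely; comments and declarations are dropped
    because the base class ignores them by default.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # nesting depth inside a DROP_BODY element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_BODY:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick, onerror, style, class, ... on every tag
            if name == "href" and not url_is_safe(value):
                continue
            # The parser already decoded char-refs in the value; re-escape on output.
            kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_BODY:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            # Text char-refs were decoded by the parser; re-escape so "<" in prose stays text.
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return the allow-listed serialisation of an untrusted HTML fragment."""
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of what a raw-HTML editor could submit.
    sample = '<p onclick="x()">Hi <script>alert(1)</script><a href="javascript:alert(1)">MDN</a></p>'
    print(sanitize(sample))  # <p>Hi <a>MDN</a></p>
```

Because the sanitizer is a re-serialiser rather than a filter over the raw string, there is no way for a payload to "escape" the check: anything not explicitly emitted by handle_starttag, handle_endtag or handle_data simply does not exist in the output. It does not rebalance mismatched tags, which a production library such as Bleach handles on top of this.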
What solutions/approaches were considered other than the proposed solution?
- Existing solution is MindTouch (reason for migration to Django):
  - very shaky PHP & Mono on Linux
  - lots of security holes, including a bunch that we found ourselves (https://bugzilla.mozilla.org/buglist.cgi?list_id=2969700;status_whiteboard_type=allwordssubstr;product=Mozilla%20Developer%20Network;status_whiteboard=[ws%3Ahigh];query_format=advanced)
Why was this solution chosen?
- Inherits standard Django code that powers support.mozilla.org, so we can leverage Webdev efforts
- Django platform more widespread than
Any security threats already considered in the design and why?
- Using Bleach for HTML sanitization
- Upload file scanning
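For the "upload file scanning" item, here is an added example (not Kuma's upload code) of the checks a page-attachment handler can run before a file is stored: a size cap, an extension allow-list, a magic-byte check that the content really is the declared type, a crude scan for active content hidden inside an image or PDF, and a filename normalisation that discards path components. The size limit, signature table and marker list are constructed for this example and are assumptions, not values from the project.

```python
import os
import re

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumption: 5 MiB cap for page attachments

# Leading bytes ("magic numbers") of the types this example admits (constructed table).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Markers of active content that has no business inside an image or PDF
# attachment; a crude polyglot check, constructed for this example.
ACTIVE_MARKERS = (b"<script", b"<?php", b"<svg", b"<html", b"<iframe")


def safe_filename(name):
    """Keep only the final path component and a conservative character set."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return base or "attachment"


def check_upload(filename, data):
    """Return (accepted, detail): detail is the name to store under when accepted,
    otherwise the reason for rejection."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in SIGNATURES:
        return False, f"extension not allowed: {ext or '(none)'}"
    # The declared extension decides how the file will be served, so the bytes must agree.
    if not data.startswith(SIGNATURES[ext]):
        return False, "content does not match declared type"
    if any(marker in data.lower() for marker in ACTIVE_MARKERS):
        return False, "active content embedded in attachment"
    return True, safe_filename(filename)


if __name__ == "__main__":
    # Constructed uploads: a real PNG header, and a GIF with script markup appended.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print(check_upload("../../diagram.png", png))            # (True, 'diagram.png')
    print(check_upload("logo.gif", b"GIF89a<script>1</script>"))  # (False, 'active content embedded in attachment')
```

The order of the checks matters: the size cap runs first so that the remaining scans never touch an oversized body, and the extension check precedes the byte check so that a file with an unknown extension is rejected without consulting the signature table at all.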
Threat Brainstorming
- Some of the new features could have technical security issues:
  - Raw HTML editing
  - Server-side JS
  - File uploads
  - Code samples in wiki
- While these features are for trusted editors etc., they may be subject to CSRF, authorization bypass and similar flaws, and/or have security issues which could affect the underlying system.
Action Items
Action Item Status: In Progress
Release Target:
Action Items:
* Who :: What :: By when (Keep in mind that all these things will be bugs that block the review bug, which in turn blocks the feature bug)
Required Reading List: