Ptheriault (talk | contribs) (Created page with "=== App Review Details === * App: * Review Date: * Review Lead: === Overview === ===Architecture=== ====Components==== ====Relevant Source Code==== ====Permissions==...") |
(simple app is simple) |
||
| Line 1: | Line 1: | ||
=== App Review Details === | === App Review Details === | ||
* App: | * App: clock | ||
* Review Date: | * Review Date: 2013-03-08 | ||
* Review Lead: | * Review Lead: Frederik Braun (:freddyb) | ||
* Review Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=754737 | |||
=== Overview === | === Overview === | ||
=== | ====Components==== | ||
Menu to view current time, date and currently set alarms. | |||
Interaction via add-alarm button or change-alarm on an existing alarm. | |||
Events set to trigger an alarm. | |||
====Relevant Source Code==== | |||
Source code available on GitHub: https://github.com/mozilla-b2g/gaia/tree/master/apps/clock | |||
Reviewed all JavaScript code in js/ | |||
====Permissions==== | |||
The app has full read/write permissions to the Settings in order to add and remove alarms. | |||
It also stores whether the clock is shown as a digital or an analog clock. | |||
== | It might be desirable to have more granular settings capabilities in general, <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=841071">bug 841071</a> | ||
====Web Activity Handlers ==== | ====Web Activity Handlers ==== | ||
None | |||
====Web Activity Usage ==== | ====Web Activity Usage ==== | ||
None | |||
==== Notable Event Handlers ==== | ==== Notable Event Handlers ==== | ||
None | |||
===Code Review Notes=== | ===Code Review Notes=== | ||
====1. XSS & HTML Injection attacks==== | ====1. XSS & HTML Injection attacks==== | ||
The name of an alarm is escaped using a temporary span element and then setting and extracting it's textContent. | |||
No other text input is being handled. | |||
====2. Secure Communications ==== | ====2. Secure Communications ==== | ||
No communication. | |||
====3. Secure data storage ==== | ====3. Secure data storage ==== | ||
No storage of sensible data. | |||
====4. Denial of Service ==== | ====4. Denial of Service ==== | ||
====5. Use of Privileged APIs ==== | ====5. Use of Privileged APIs ==== | ||
Settings | |||
====6. Interfaces with other Apps/Content==== | ====6. Interfaces with other Apps/Content==== | ||
None | |||
=== Security Risks & Mitigating Controls === | |||
=== Actions & Recommendations === | === Actions & Recommendations === | ||
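Review bot: section 4 (Denial of Service) is the only Code Review Notes heading in the new revision that has no entry, while sections 2, 3 and 6 record their result explicitly ("No communication.", "None"). Please state a finding or "None" there so the empty section cannot be read as unreviewed. The same applies to "Security Risks & Mitigating Controls" and "Actions & Recommendations", which are also left without content. In section 1, the escaping is described as setting and then extracting the span's textContent. Reading textContent back returns the original string unchanged, so please check the wording against the code in js/ and name the property that is actually read. In section 3, "sensible data" presumably means "sensitive data", and "it's textContent" should read "its textContent".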