   "minimumAccessLevel": "certified"
 }
== Review Notes ==
=== Gaia ===
==== XSS & HTML Injection Attacks ====
User-controlled values are essentially limited to the filename. The filename is displayed in the notifications pull-down as well as in the Settings Downloads list. [https://bugzilla.mozilla.org/show_bug.cgi?id=960749 960749] prevented a complete check for HTML injection. (See Future Work below.)
Based on source code inspection, there are no dangerous coding practices (such as misuse of innerHTML) that would result in HTML/JS injection.
The characters ', ", >, \, & and < were tested in filenames. > and < could not be tested directly because the filesystem disallows those characters in filenames; instead, the App Manager was used to break into the JS and insert them, to confirm that filenames are rendered safely in both the Notifications pull-down and the Settings->Downloads list.
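The following is an added example, not Gaia code, showing why the innerHTML check matters and how the filename test above can be automated. The string-based "unsafe" renderer is a constructed stand-in for a notification item built with innerHTML (Gaia's real code uses DOM APIs); the probe filename is constructed to contain every character the review tested, including the < and > that the device filesystem would reject.

```javascript
// Added example (not Gaia code): a user-controlled download filename reaching
// notification markup, rendered unsafely and safely, plus the check applied.
'use strict';

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[ch]);
}

// Constructed stand-in for an item built with innerHTML: the filename lands in
// the markup verbatim, both inside an attribute and as a text node.
function renderNotificationUnsafe(filename) {
  return '<div class="download" title="' + filename + '">' + filename + '</div>';
}

// Hardened form: every untrusted value is escaped before concatenation, which is
// what assigning through textContent / setAttribute gives you for free.
function renderNotificationSafe(filename) {
  const text = escapeHtml(filename);
  return '<div class="download" title="' + text + '">' + text + '</div>';
}

// The check the review performed by hand: does the rendered markup contain any
// element start other than the single wrapper we emitted?
function countElements(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed probe filename containing ' " < > & \ (the characters the review
// tested); on a real device < and > have to be injected via the App Manager.
const PROBE = 'evil\'"<img src=x onerror=alert(1)>&\\.txt';

function check() {
  return {
    // wrapper div + the injected <img> in the attribute + in the text node
    unsafeElements: countElements(renderNotificationUnsafe(PROBE)), // 3
    // only the wrapper div survives escaping
    safeElements: countElements(renderNotificationSafe(PROBE)),     // 1
    safeHtml: renderNotificationSafe(PROBE)
  };
}
```

Run `check()` in Node: the unsafe renderer yields three element starts (the wrapper plus the injected img twice), the escaped one exactly one. A filename like the probe is what to feed the notification code whenever a future change touches how the name is inserted into the DOM.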
==== Secure Communications ====
Not relevant.
==== Secure Data Storage ====
Downloads are stored on the SD card, which is appropriate for user content.
==== Denial of Service ====
See [https://bugzilla.mozilla.org/show_bug.cgi?id=960739 960739].
==== Interfaces with other Apps/Content ====
===== gaia/apps/system/js/download/download_notification.js =====
Used to launch the Settings->Downloads list from a notification, via a 'configure' activity:
 var activity = new MozActivity({
   name: 'configure',
   data: {
     target: 'device',
     section: 'downloads'
   }
 });
===== gaia/shared/js/download/download_helper.js =====
Used to open the file after download, via an 'open' activity carrying the path, content type and blob:
 var activity = new MozActivity({
   name: 'open',
   data: {
     url: download.path,
     type: contentType,
     blob: blob
   }
 });
=== Gecko ===
==== 1. Content/Chrome Segregation ====
DownloadsAPI is implemented using WebIDL. There was extensive discussion about what to expose to a page that does not have the permission; see [https://bugzilla.mozilla.org/show_bug.cgi?id=957592 bug 957592] for details.
==== 2. Process Segregation ====
Inter-process communication is performed through DownloadsIPC.jsm and DownloadsAPI.jsm. The messages of interest are those the parent listens for:
* Downloads:GetList
* Downloads:ClearAllDone
* Downloads:Remove
* Downloads:Pause
* Downloads:Resume
Permissions are checked in the parent before any message is processed, using the standard approach of asserting the permission on the message target (the sending process) rather than on anything in the message payload:
 receiveMessage: function(aMessage) {
   if (!aMessage.target.assertPermission("downloads")) {
     debug("No 'downloads' permission!");
     return;
   }
One issue was identified in the way messages are processed, however; see [https://bugzilla.mozilla.org/show_bug.cgi?id=966141 bug 966141] for details.
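The following is an added simulation, not DownloadsAPI.jsm itself, of the parent-side pattern described above: gate on the permission of the sending process first, then dispatch only the listed message names, and validate whatever the child put in the payload. The message names are the ones listed above; the in-memory download store, the message targets, the `id` field in the payload and the semantics given to Downloads:ClearAllDone (dropping finished entries) are assumptions made for the example. In Gecko a failed assertPermission also kills the child process that sent the message; the simulation merely refuses.

```javascript
// Added example (not Gecko code): parent-side receiver with permission gate,
// message whitelist and payload validation, runnable in Node.
'use strict';

// Messages the parent accepts from content (names from the review's list).
const HANDLED = new Set([
  'Downloads:GetList',
  'Downloads:ClearAllDone',
  'Downloads:Remove',
  'Downloads:Pause',
  'Downloads:Resume'
]);

// Constructed in-memory store standing in for the real download list.
function makeStore() {
  return {
    downloads: new Map([
      [1, { id: 1, url: 'http://example.invalid/a.bin', state: 'downloading' }],
      [2, { id: 2, url: 'http://example.invalid/b.bin', state: 'succeeded' }]
    ])
  };
}

// Constructed message target: assertPermission answers for the sending process.
function makeTarget(permissions) {
  return { assertPermission: (p) => permissions.includes(p) };
}

// Parent-side receiver. Gate 1: the sending process must hold "downloads",
// checked on the target, never on data the child controls. Gate 2: only known
// message names. Gate 3: payload fields are validated before use.
function receiveMessage(store, aMessage) {
  if (!aMessage.target.assertPermission('downloads')) {
    return { ok: false, reason: 'no downloads permission' };
  }
  if (!HANDLED.has(aMessage.name)) {
    return { ok: false, reason: 'unknown message ' + aMessage.name };
  }
  const data = aMessage.data || {};
  switch (aMessage.name) {
    case 'Downloads:GetList':
      return { ok: true, result: Array.from(store.downloads.values()) };
    case 'Downloads:ClearAllDone':
      // Assumed semantics: drop every finished download.
      for (const [id, d] of store.downloads) {
        if (d.state === 'succeeded') store.downloads.delete(id);
      }
      return { ok: true, result: store.downloads.size };
    case 'Downloads:Remove':
    case 'Downloads:Pause':
    case 'Downloads:Resume': {
      // The id comes from content: require an integer that names a real entry.
      const d = Number.isInteger(data.id) ? store.downloads.get(data.id) : undefined;
      if (!d) return { ok: false, reason: 'no such download' };
      if (aMessage.name === 'Downloads:Remove') store.downloads.delete(d.id);
      else d.state = aMessage.name === 'Downloads:Pause' ? 'paused' : 'downloading';
      return { ok: true, result: d };
    }
  }
}

// Walk through the cases: unprivileged sender, then a privileged one sending
// valid, malformed and unknown messages against the same store.
function demo() {
  const store = makeStore();
  const trusted = makeTarget(['downloads']);
  const untrusted = makeTarget([]);
  return {
    denied: receiveMessage(store, { name: 'Downloads:GetList', target: untrusted }),
    listed: receiveMessage(store, { name: 'Downloads:GetList', target: trusted }).result.length, // 2
    paused: receiveMessage(store, { name: 'Downloads:Pause', target: trusted, data: { id: 1 } }).result.state,
    badId: receiveMessage(store, { name: 'Downloads:Remove', target: trusted, data: { id: 'x' } }),
    unknown: receiveMessage(store, { name: 'Downloads:Evil', target: trusted }),
    cleared: receiveMessage(store, { name: 'Downloads:ClearAllDone', target: trusted }).result // 1
  };
}
```

The point of keeping the permission check as the first statement, with an early return, is that no handler below it can be reached by a process that lacks the permission, whatever the payload says; the per-message validation of `id` is the second layer that a review of "how the message is processed" looks at.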
==== 3. Data Validation & Sanitization ====
The API accepts only minimal data from content, so the attack surface is very small; no issues were found.
==== 4. Denial of Service ====
[https://bugzilla.mozilla.org/show_bug.cgi?id=960739 960739] was identified as a potential DoS scenario.
== Concerns ==