Security/Reviews/Gaia/InterAppCommunicationAPI: Difference between revisions

== Review Notes ==
=== Gaia ===
==== XSS & HTML Injection Attacks ====
User-controlled values are limited almost entirely to the filename. The filename is displayed in the notifications pull-down as well as in the Settings->Downloads list. [https://bugzilla.mozilla.org/show_bug.cgi?id=960749 960749] prevented us from completely checking for HTML injection. (See Future Work below)
Based on source code inspection, there are no dangerous coding practices (such as misuse of innerHTML) that would result in HTML/JS injection.
The characters ', ", >, <, \ and & were tested in filenames. We could not directly test > or < because the filesystem disallows those characters in filenames; however, we used App Manager to break into the JS and insert those characters to confirm that filenames were rendered safely in both the Notifications pull-down and the Settings->Downloads menu.
==== Secure Communications ====
Not relevant.
==== Secure Data Storage ====
Downloads are stored on the SDcard, which is appropriate for user content.
==== Denial of Service ====
See [https://bugzilla.mozilla.org/show_bug.cgi?id=960739 960739]
==== Interfaces with other Apps/Content ====
===== gaia/apps/system/js/download/download_notification.js =====
Used to launch the Settings->Downloads list (download_notification.js, lines 183-189):
 var activity = new MozActivity({
   name: 'configure',
   data: {
     target: 'device',
     section: 'downloads'
   }
 });
===== gaia/gaia/shared/js/download/download_helper.js =====
Used to open the file after download (download_helper.js, lines 176-182):
 var activity = new MozActivity({
   name: 'open',
   data: {
     url: download.path,
     type: contentType,
     blob: blob
   }
 });
=== Gecko ===
==== 1. Content/Chrome Segregation ====
DownloadsAPI is implemented using WebIDL. There was a lot of discussion around what to expose in the case when a page does not have the permission present - see [https://bugzilla.mozilla.org/show_bug.cgi?id=957592 bug 957592] for details.
==== 2. Process Segregation ====
Inter-process communication is performed through DownloadsIPC.jsm and DownloadsAPI.jsm. We are mainly interested in the messages which the parent listens for:
* Downloads:GetList
* Downloads:ClearAllDone
* Downloads:Remove
* Downloads:Pause
* Downloads:Resume
Permissions are checked in the parent before any message is processed, using the standard approach (DownloadsAPI.jsm, lines 144-148):
 receiveMessage: function(aMessage) {
   if (!aMessage.target.assertPermission("downloads")) {
     debug("No 'downloads' permission!");
     return;
   }
   // ... per-message handling follows
 },
One issue was identified in the way the message was processed, however; see [https://bugzilla.mozilla.org/show_bug.cgi?id=966141 bug 966141] for details.
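The pattern above, as an added JavaScript illustration that is not Gecko's DownloadsAPI.jsm: the permission assertion is made before the message name or payload is examined, only the five listed messages are dispatched, and each handler accepts nothing more than an integer id from the child. The download records, the assertPermission() stub and the handler bodies are constructed for the example.

```javascript
// Added illustration, not Gecko's DownloadsAPI.jsm: a parent-side handler modelled
// on the pattern the review describes; records, stub and handler bodies are constructed.
function makeState() {
  return { downloads: [
    { id: 1, path: "/sdcard/downloads/a.pdf", state: "downloading" },
    { id: 2, path: "/sdcard/downloads/b.zip", state: "succeeded" } ] };
}
// Resolve the id the child supplied; anything but a plain integer is refused.
function findById(state, data) {
  if (!Number.isInteger(data.id)) return null;
  return state.downloads.find((d) => d.id === data.id) || null;
}
function setState(next) {
  return (state, data) => {
    const dl = findById(state, data);
    if (!dl) return { error: "NotFound" };
    dl.state = next;
    return { ok: true, id: dl.id, state: dl.state };
  };
}
// Only the five messages the parent listens for are dispatched.
const HANDLERS = {
  "Downloads:GetList": (state) => ({ downloads: state.downloads.map((d) => ({ ...d })) }),
  "Downloads:ClearAllDone": (state) => {
    state.downloads = state.downloads.filter((d) => d.state !== "succeeded");
    return { ok: true };
  },
  "Downloads:Remove": (state, data) => {
    const dl = findById(state, data);
    if (!dl) return { error: "NotFound" };
    state.downloads = state.downloads.filter((d) => d !== dl);
    return { ok: true, id: dl.id };
  },
  "Downloads:Pause": setState("paused"),
  "Downloads:Resume": setState("downloading"),
};
// Parent-side entry point: the permission check runs before any child data is read.
function receiveMessage(state, aMessage) {
  if (!aMessage.target.assertPermission("downloads")) return { error: "NoPermission" };
  const handler = HANDLERS[aMessage.name];
  if (!handler) return { error: "UnknownMessage" };
  return handler(state, aMessage.data || {});
}
// Constructed sender whose assertPermission() answers from a permission list.
function sender(perms, name, data) {
  return { target: { assertPermission: (p) => perms.includes(p) }, name, data };
}
```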
==== 3. Data validation & Sanitization ====
The API accepts only minimal data from content, so the attack surface is very small; no issues were found.
==== 4. Denial of Service ====
[https://bugzilla.mozilla.org/show_bug.cgi?id=960739 960739] was identified as a potential DoS scenario.


== Concerns ==