Re: Security audit

[Michael McMahon]

Hi, Libor!

Can I get an invite to the meetings?

I do not think we need to run the website through the security review.  
The security of the webserver is dependent on the security of the forge 
and the commit access of contributors.  If the repo is compromised, then 
the web server might run code that it should not or display content that 
it should not.  This would be separate security concerns from the 
webextension.  It would be best to use our two pentesting days on the 
extension itself rather than digging into Python and Pelican dependencies.

Best,
Michael McMahon | Web Developer, Free Software Foundation
GPG Key: 4337 2794 C8AD D5CA 8FCF  FA6C D037 59DA B600 E3C0
https://fsf.org

US government employee? Use CFC charity code 63210 to support us through the
Combined Federal Campaign. https://cfcgiving.opm.gov/

On 1/27/22 2:44 AM, Libor Polčák wrote:
> Hello all,
>
> We should have our NLNet sponsored security audit soon. So far I 
> learned (copied from chat with the auditor):
>
> "First some organizational topics: as you've noticed, we're working a 
> lot with interactive chats here in our Rocketchat instance. Your 
> accounts will also give access to the corresponding internal Gitlab 
> project. I will be using the issue tracker to document topics during 
> the evaluation. Feel free to comment on issues I create, that way we 
> can have a more focused discussion on a technical topic if necessary.
>
> Typically, I do a kickoff- and closing meeting of ~60-90min each, with 
> work in between stretched over a 1.5-2W calendar time frame so that 
> there is time for feedback.
>
> ROS can be a busy place - I have some other projects that are 
> beginning or ending at the moment, but expect to have time for the 
> kickoff meeting and some initial work next week.
>
> We're here to give you developer-level internal feedback on your 
> project. There will be a short summary report, but this is not the 
> focus of the evaluation and mainly meant for internal use (unless 
> discussed otherwise).
>
> Overall, there are 2 person days of pentester worktime for this 
> project, which includes communication and documentation, so I will be 
> mainly looking at "low-hanging fruit" like dangerous code use, 
> vulnerable dependencies and so on. Feel free to point out design 
> aspects or code positions in the code that you think are particularly 
> important for the evaluation."
>
> I think that it sounds reasonable and useful.
>
> Please, if you did not receive an invitation to the chat and want to 
> be a part of the audit, let me know. If you received an invitation, 
> please, register.
>
> Do we have any design aspects or code that is particularly important 
> for the evaluation?
>
> I see some topics that might be important:
>
> 1. Code injection by the NSCL library. But AFAIK the NSCL is also a 
> NLNet project so it will have a separate review. If this is so, we can 
> also merge the two audits. Giorgio, what do you think?
>
> 2. Evasion of the wrappers and/or FPD. I am unsure if we can get a 
> reasonable feedback for this since this is highly specialized topic.
>
> 3. Detection of the extension. We already know that there are multiple 
> ways of detecting the extension like 
> https://github.com/polcak/jsrestrictor/issues/166, observing 
> timestamps (e.g. Date.now()) in a loop, diploma thesis 
> https://www.fit.vut.cz/study/thesis-file/23972/23972.pdf (page 46 and 
> 47, but most anomalies and inconsistences should be resolved by now, 
> it is in Czech but the table should be readable even without 
> translation), and there are likely others.
>
> 4. Do we want to evaluate the web? Neither Ricardo, nor Ana is listed 
> in the review, so if you want to be a part of the process, please, let 
> me know.
>
> Thanks,
>
> Libor