Skip to content
Permalink
Browse files

BAU: Add some security checks

- Fourth wall shouldn't be used over HTTP.
- Fourth wall shouldn't use an access token which has unnecessary
permissions.
- Add some documentation about security in the readme.

solo @tlwr
  • Loading branch information
tlwr committed Jan 31, 2018
1 parent 167d16c commit aade6fc524d3889a24de3f38cdba63d710295bfe
Showing with 72 additions and 0 deletions.
  1. +23 −0 README.markdown
  2. +1 −0 index.html
  3. +2 −0 index.js
  4. +46 −0 javascript/preflight.js
@@ -102,3 +102,26 @@ An example enterprise repository.
To load repositories from a team on an enterprise instance you must prefix the
hostname to the team url parameter as with the token `<hostname>_team` (or
`<hostname>_team[]` for multiple teams).

## Security

The token used to access Github is visible in the URL bar of the browser used
to view Fourth Wall. This is potentially quite dangerous and you should be very
careful about Github access tokens. There are some pre-flight checks to help
with security but you should, at all times, be vigilant and discliplined.

Required scopes:

- `repo:status`
- `repo:deployment`

Optional scopes:

- `read:org` is required if you are using the `team` query parameter mentioned above.

Any other allowed scopes on the token will cause Fourth Wall to be unusable
(due to an alert) until the token scopes have been fixed. This is a feature not a bug.

Additionally there is a pre-flight check which checks that if Fourth Wall is
being accessed remotely using HTTP. If Fourth Wall is being viewed remotely,
please always use HTTPS.
@@ -15,6 +15,7 @@
<script src="javascript/vendor/underscore-1.5.1.min.js" type="text/javascript"></script>
<script src="javascript/vendor/backbone-1.0.0.min.js" type="text/javascript"></script>
<script src="javascript/core.js" type="text/javascript"></script>
<script src="javascript/preflight.js" type="text/javascript"></script>
<script src="javascript/fetch-repos.js" type="text/javascript"></script>

<script src="javascript/comment.js" type="text/javascript" charset="utf-8"></script>
@@ -1,4 +1,6 @@
$(document).ready(function() {
runPreFlightChecks();

var repos = new FourthWall.Repos();
var items = new FourthWall.ListItems([], {
repos: repos
@@ -0,0 +1,46 @@
function runPreFlightChecks() {
const isHttp = window.location.protocol == 'http:',
isLocalhost = window.location.hostname == 'localhost'
isUnsafe = !(isHttp && isLocalhost);

if (isUnsafe) {
const isHttpMessage = [
'This page is running over the web over HTTP.',
'You should use HTTPS and rotate your access token.',
].join(' ');
alert(isHttpMessage);
}

// We will:
// - Make a request to the github rate limit endpoint
// (This will not affect the rate limit)
// - Check what scopes we have access to
const token = new FourthWall.getQueryVariables().token,
ghUrl = 'https://api.github.com/rate_limit',
authGhUrl = ghUrl + '?access_token=' + token;

fetch(authGhUrl)
.then(function (response) { return response.headers; })
.then(function (headers) { return headers.get('x-oauth-scopes') })
.then(function (scopes) { return scopes.split(', '); })
.then(function (scopes) {
const allowedScopes = ['repo:status', 'repo_deployment', 'read:org'];
let badScopes = scopes.filter(function(scope) {
return allowedScopes.indexOf(scope) < 0;
});

if (badScopes.length > 0) {
let badScopesString = badScopes.join(' '),
badScopesMessage = [
'You have the following unnecessary scopes: <',
badScopesString,
'>; these scopes should be removed.',
'Clicking accept will reload this page.',
'Reloading the page will show this message unless the scopes are correct.',
].join(' ');

alert(badScopesMessage);
window.location.reload(true);
}
});
}

0 comments on commit aade6fc

Please sign in to comment.
You can’t perform that action at this time.