
Security hardening #41

Open
carlosame opened this issue Apr 2, 2022 · 4 comments
Labels
security Security and privacy

Comments

@carlosame
Member

carlosame commented Apr 2, 2022

The security and privacy aspects of this project could be improved on several fronts:

  1. Enable optional resource limits intended for the processing of untrusted documents.

  2. Identify potentially insecure parts of a document, for example resource-intensive selectors or privacy-challenging attribute selectors. This could be achieved while processing the SVG or through external tools (like an improved version of AntiSamy).

  3. Migrate to a different security model. The security model currently used by this project is problematic and I'd like to switch to a model closer to CSS4J's model. Done by commit e92d319.

  4. Create a SECURITY.md file with security and privacy considerations. Done by e92d319.

@carlosame carlosame added the security Security and privacy label Apr 2, 2022
@carlosame carlosame pinned this issue Apr 2, 2022
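Added example for points 1 and 2 above; this is not EchoSVG code and not from the issue author. It assumes a hypothetical pre-parse guard (`UntrustedSvgGuard`) that streams an untrusted SVG once through a hardened SAX parser, aborts as soon as a byte, element-count or nesting-depth limit is exceeded, and reports the document parts a reviewer would want to look at (external `href` references, `script` elements). The limit values and the sample document are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical pre-parse guard for SVG from untrusted sources; not EchoSVG code.
// Enforces hard limits (bytes, element count, nesting depth) in one streaming pass
// and records the kind of findings point 2 asks for (external references, scripts).
public final class UntrustedSvgGuard {
    // Demo limits; a deployment picks its own values.
    public static final long MAX_BYTES = 1L << 20;  // 1 MiB of raw input
    public static final int MAX_ELEMENTS = 10_000;
    public static final int MAX_DEPTH = 64;

    /** Findings; the caller decides whether to reject, sanitize or render. */
    public static final class Report {
        public int elements, maxDepth, scriptElements;
        public final List<String> externalRefs = new ArrayList<>();
    }

    /** Throws once more than the limit has been read, so an oversized body is never buffered. */
    static final class BoundedInputStream extends FilterInputStream {
        private long remaining;
        BoundedInputStream(InputStream in, long limit) { super(in); remaining = limit; }
        @Override public int read() throws IOException {
            int b = super.read();
            if (b != -1 && --remaining < 0) throw new IOException("input exceeds " + MAX_BYTES + " bytes");
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0 && (remaining -= n) < 0) throw new IOException("input exceeds " + MAX_BYTES + " bytes");
            return n;
        }
    }

    /** SAX parser with DTDs, external entities and XInclude off (Xerces feature names, as used by the JDK). */
    static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser();
    }

    /** Absolute URLs and protocol-relative references leave the document; "#id", relative paths and data: do not. */
    static boolean isExternal(String ref) {
        if (ref == null) return false;
        String r = ref.trim().toLowerCase(Locale.ROOT);
        return r.startsWith("//") || (r.matches("[a-z][a-z0-9+.-]*:.*") && !r.startsWith("data:"));
    }

    /** Streams the document once and fails as soon as any limit is exceeded. */
    public static Report scan(InputStream untrusted) throws IOException, SAXException, ParserConfigurationException {
        Report report = new Report();
        DefaultHandler handler = new DefaultHandler() {
            private int depth;
            @Override public void startElement(String uri, String local, String qName, Attributes atts) throws SAXException {
                if (++report.elements > MAX_ELEMENTS) throw new SAXException("more than " + MAX_ELEMENTS + " elements");
                if (++depth > MAX_DEPTH) throw new SAXException("nesting deeper than " + MAX_DEPTH);
                report.maxDepth = Math.max(report.maxDepth, depth);
                if ("script".equals(local)) report.scriptElements++;
                // With a namespace-aware parser both SVG 2 "href" and "xlink:href" have local name "href".
                for (int i = 0; i < atts.getLength(); i++) {
                    if ("href".equals(atts.getLocalName(i)) && isExternal(atts.getValue(i))) {
                        report.externalRefs.add(local + " -> " + atts.getValue(i));
                    }
                }
            }
            @Override public void endElement(String uri, String local, String qName) { depth--; }
        };
        hardenedParser().parse(new BoundedInputStream(untrusted, MAX_BYTES), handler);
        return report;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one remote image (flagged) and one in-document reference (not flagged).
        String sample = "<svg xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'>"
                + "<defs><circle id='c' r='4'/></defs>"
                + "<image xlink:href='https://example.invalid/pixel.gif' width='1' height='1'/>"
                + "<use href='#c'/></svg>";
        Report report = scan(new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
        System.out.println("elements=" + report.elements + " depth=" + report.maxDepth
                + " scripts=" + report.scriptElements + " external=" + report.externalRefs);
    }
}
```

The byte cap lives in the stream wrapper rather than in the handler so that it is enforced before the parser has allocated anything for the document; the element and depth counters make the cost of a hostile document proportional to the limits instead of to the input. The same pass could be extended to inspect `style` contents for the resource-intensive or attribute selectors mentioned in point 2, but that needs a CSS parser and is left out here.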
@carlosame
Member Author

The last two points of this issue were done in e92d319 (shipped in version 0.3).

@ghost

ghost commented Jun 4, 2023

KeenWrite uses SpotBugs and OWASP, which may also prove useful for EchoSVG.

buildscript {
  repositories {
    mavenCentral()
    maven {
      url "https://plugins.gradle.org/m2/"
    }
  }
  dependencies {
    classpath 'org.owasp:dependency-check-gradle:8.2.1'
    classpath "com.github.spotbugs.snom:spotbugs-gradle-plugin:5.0.14"
  }
}

plugins {
  // ...
  id "com.github.spotbugs" version "5.0.14"
}

spotbugs {
  excludeFilter.set(
      file("${projectDir}/bug-filter.xml")
  )
}

apply plugin: 'org.owasp.dependencycheck'

This allows the build to fail for any issues raised by SpotBugs. Tweaking the bug-filter.xml file provides fine-grained control over what issues to ignore.

<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter>
  <Match>
    <Or>
      <Bug code="EI, EI2" />
    </Or>
  </Match>

  <Match class="com.keenwrite.preview.HighQualityRenderingHints">
    <Method name="initializeRenderingHints" />
    <Bug code="WMI" />
  </Match>

  <Match class="com.keenwrite.processors.HtmlPreviewProcessor">
    <Method name="&lt;init&gt;" />
    <Bug code="ST" />
  </Match>
</FindBugsFilter>

carlosame added a commit that referenced this issue Jun 5, 2023
@carlosame
Member Author

Thanks for the suggestion, Dave: I just committed the support for the org.owasp.dependencycheck plugin (although @dependabot already provides much of that functionality). However, I don't think that I'll do the same with the SpotBugs plugin because it adds a maintenance burden (even for people that may contribute PRs in the future).

I run SpotBugs from the Eclipse IDE and already fixed a number of the issues found by it, but there are still several non-security issues that SpotBugs is reporting. Given that this project already runs a CodeQL scan for every commit (apart from periodic runs), I don't think that adding a SpotBugs task would be worth the effort.

@carlosame
Member Author

I can't close tickets; feel free to close.

This is basically a meta-issue about security; I'm keeping it open.
