Consider message integrity in threat model #1236
Comments
@mikesamuel I think this is out of scope unless you have some specific things Deno could implement to prevent these things. Do you want XSS sanitization on outgoing HTML? How would that work? Wouldn't this limit what people can do? Also Deno does not ship with database drivers, so database query sanitization should be left to userland IMO.
Good questions, all.
No.
There are four components:
Third-party libraries' security assumptions do not always perfectly match application teams'.
In this scheme all the sanitization should be left to userland. What is hard to leave to userland is
This seems a broad topic and unrelated to specific APIs in Deno. This really needs a more specific proposal and a plan to implement to be actionable.
Security Model focuses on protecting the host machine from the deno process.
It would be nice if the security model also addressed how to ensure the integrity of messages that leave the system including:
execve
since shell injection is a common problem. (This isn't an exhaustive list, but if deno runtimes are often glue between user agents, other service nodes, and storage systems, then consistently using tools to prevent these common cases might make it easier to handle the next most common message integrity related vuln.)
I've been implementing easy-to-use secure-by-construction message producers for the above for Node, along with type-safety checks where messages leave the systems that allow a security team to bound the amount of code that might participate in a vulnerability.
At the end of the day, I want an application team to be able to say
If there's interest, I can send a PR to add message integrity goals to the deno security roadmap.
For more background, I've integrated a bunch of techniques into a Node target app that I'm opening up for attack review shortly.
</shameless-plug>
Issue #378 (re ocaps) might have some overlap with the ideas I'm testing since the authority to create values that encapsulate authority is denied by denying access to minters, but I believe they're separable issues.
Some of the work I reference above also bears on issue #200 (re resource integrity). Allowing trusted code to intercept module loads gives a place to stand to check resource integrity.
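The secure-by-construction producer plus type-checked sink pattern described in the issue body, as an added example: this is not Deno's code and not the Node libraries the issue author mentions. The `sh` tag, the `ShellCommand` class, the `shellArgv` sink and the constructed inputs are all assumptions made for illustration. Untrusted values can only enter a shell command through the tag, which single-quotes them; the execve-side sink accepts only values the tag minted, at the type level and at run time.

```typescript
// Added example (not Deno's or the issue author's code): a secure-by-construction
// shell command builder. Names (sh, ShellCommand, shellArgv) are assumptions.

type ShellValue = string | number | ShellCommand | ReadonlyArray<string | number>;

// Module-private brand. The sink checks membership here, so a value forged by a
// cast or by Object.create(ShellCommand.prototype) is still rejected at run time.
const minted = new WeakSet<ShellCommand>();

class ShellCommand {
  private constructor(readonly text: string) {}

  /** Tagged-template minter: the only code path that creates a ShellCommand. */
  static template(strings: TemplateStringsArray, ...values: ShellValue[]): ShellCommand {
    let out = strings[0];
    values.forEach((v, i) => {
      out += renderValue(v) + strings[i + 1];
    });
    const cmd = new ShellCommand(out);
    minted.add(cmd);
    return cmd;
  }

  toString(): string {
    return this.text;
  }
}

/** POSIX single quoting: every character is literal except ', which is closed, escaped and reopened. */
function quoteWord(word: string): string {
  return "'" + word.replace(/'/g, "'\\''") + "'";
}

function renderValue(v: ShellValue): string {
  if (typeof v === "string" || typeof v === "number") return quoteWord(String(v));
  if (v instanceof ShellCommand) return v.text; // already minted: splice in as-is
  return v.map((x) => quoteWord(String(x))).join(" "); // arrays become one quoted word each
}

/** The `sh` tag: sh`ls ${dir}` yields a ShellCommand with `dir` quoted. */
const sh = ShellCommand.template;

/**
 * The execve boundary. The parameter type keeps plain strings out at compile
 * time (shellArgv(`ls ${input}`) does not type-check), and the brand check
 * keeps forged objects out at run time. Returns the argv a runtime would spawn.
 */
function shellArgv(cmd: ShellCommand): string[] {
  if (!minted.has(cmd)) {
    throw new TypeError("shellArgv: command was not minted by the sh tag");
  }
  return ["/bin/sh", "-c", cmd.text];
}

/** The vulnerable form beside the constructed one; `userInput` is a constructed value. */
function compare(userInput: string): { unsafe: string; safe: string } {
  const unsafe = `ls ${userInput}`;      // "ls x; rm -rf /"   -> two commands
  const safe = sh`ls ${userInput}`.text; // "ls 'x; rm -rf /'" -> one argument
  return { unsafe, safe };
}

/** Bypassing the minter with a cast: the type system is fooled, the brand check is not. */
function forgedIsRejected(): boolean {
  const forged = { text: "rm -rf /" } as unknown as ShellCommand;
  try {
    shellArgv(forged);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

The security-review property the issue describes falls out of the structure: the only code that can add to `minted` is `ShellCommand.template`, so the set of code that can participate in a shell-injection bug is that one function plus `quoteWord`, whatever the rest of the application does with strings. The same shape (private minter, branded type, sink that checks the brand) applies to the other sinks the issue lists, with a different quoting routine for each.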