Security Audit of WINS form on static site

[roslynwythe]

Overview

As developers we must perform a security audit of the new HTML/JS implementation of the WINS form, in order to determine if use of the form exposes any secrets or exposes any resources to malicious actions.

Details

• The form https://github.com/hackforla/website/blob/gh-pages/pages/wins/wins-share-form.html was developed as a result of Create a wins form. #1060 (PR Wins works #1132).
• Further work was performed in Adjust and standardize "Share Your Wins" form page #2021 and Change Wins form to our internal "Share Your Wins" form #2246. Both issues are still open.

Action Items

• Write a Decision Record (DR) documenting the findings. If the wiki is not ready for editing, follow instructions in How to Contribute to the Wiki for drafting the content in a comment in this issue, and then posting a link to the comment in the "How to Contribute to the Wiki" page.

Resources

• This issue was created from ER ER: Audit of custom site Wins form and feasibility of using Google Analytics Tags with it #4390

[roslynwythe]

@ExperimentsInHonesty I mentioned at our last meeting, that I think there is a security problem with the method used by the custom form; in particular, the form exposes a the URL of an HTTP endpoint which malicious actors could use to populate the response sheet with corrupt data. But I wonder if we should move forward with this issue anyway, so that we have another opinion that is formally documented in a DR. In the issue I mentioned that if the Wiki is not ready for editing, the dev should follow Jessica's interim instructions in "How to Contribute to the Wiki" for posting a comment here in the issue and then simply copying a link to the comment into the list Jessica created.

[JessicaLucindaCheng]

@roslynwythe As per the discussion in the 2023-05-08 Dev/PM meeting, change this issue to just write the decision record and you can go ahead and write the decision record in a comment below in this issue.

[roslynwythe]

@JessicaLucindaCheng ok thanks. I've updated the issue

Availability: 5/9 9 - midnight, 5/10 10-4 pm
ETA: EOD 5/12

[roslynwythe]

DR: Adopt the internal "Share your Wins" form in place of the current Google Form

This is a record in the Decision Records on Solutions Not Implemented.

Issue

• Security Audit of WINS form on static site #4588

Problem Statement

Drawbacks of the current Google Form include:

• lack of integration with the website
• need to update the form manually with project list changes.
• user input validation limited to Google Forms methods

Potential Solution

A new "share your Wins" form has been developed which stores response data by sending an HTTP GET request to a web app which is bound to a Google Sheet. The request does not require credentials or API key, however the web app endpoint URL is exposed and could be targeted by malicious actors. At this time, Google does not provide a means for web apps to whitelist or examine the IP address of incoming requests, in order to protect against use by unauthorized clients.

Feasibility Determination

Adoption of the new form solution is not feasible, because the web app URL is exposed, and currently Google does not provide a means to whitelist specific IP addresses.

[roslynwythe]

Update:

• The draft DR can be found in the above comment
• Added link to the draft DR, into https://github.com/hackforla/website/wiki/How-to-Contribute-to-the-Wiki
• The conclusion of the DR is that the form is not secure and therefore not feasible. If this conclusion is accepted, the next steps would be to
  • close ER: Audit of custom site Wins form and feasibility of using Google Analytics Tags with it #4390
  • close Change Wins form to our internal "Share Your Wins" form #2246
  • close Adjust and standardize "Share Your Wins" form page #2021
  • close ER from TLDL: Think about converting Wins Google Form to a custom form #4387
• Moving the issue to Questions/In Review