Security/Reviews/Gaia/Calendar: Difference between revisions

Security/Reviews/Gaia/Calendar (view source)

Revision as of 16:08, 30 October 2013

1,603 bytes added , 30 October 2013

Review for 1.2

Arroway

Confirmed users

152

edits

@@ Line 2: / Line 2: @@
 * App: Calendar
-* Original Review Date: 09 Jan 2013
+* Follow-up Review Date: 22 Oct 2013
-* Follow-up Review Date: 25 Feb 2013
+* Latest Commit: https://github.com/mozilla-b2g/gaia/commit/69575e3b40931c1cf2060e812db4b20f81040de5
-* Latest Commit: https://github.com/mozilla-b2g/gaia/commit/96dffe8cdb68205e8475a8bd10f455c5a7ccfaff#diff-c41002e94c03079a97d1e5ff3306f3db
+* Branch Reviewed: master
-* Branch Reviewed: v1-train
+* Review Lead: Stéphanie Ouillon
-* Review Lead: David Chan
-* Review Bug: {{bug|754736}}  [Security Review] B2G Gaia - Calendar
-* Dependency Tree: https://bugzilla.mozilla.org/showdependencytree.cgi?id=754736&hide_resolved=0
-{{Note|Commit data is estimate since it wasn't included in original writeup}}
+Please see page history for details of previous reviews
 === Overview ===
-This is a review of the include Firefox OS calendar app
+The Firefox OS calendar app allows to synchronize to Google, Yahoo and CalDav calendars. You can create new events, set a reminder, choose when to synchronize the data.
+Events can be displayed per Day, Week or Month. You can slide between months.
 ===Architecture===
@@ Line 28: / Line 26: @@
 ====Components====
+index.html - The main UI for the application
+elements - The UI for settings, account forms, etc, included in index.html
+caldav_worker.js
-====Notes====
+js/ - The code for the Calendar core features
-rd party library code in ext/ was not extensively reviewed
+js/ext/ - Third party libraries: caldav.js (XML Parser for CalDav protocol, adapted from from the sax-js library), ical.js (iCalendar format), uuid.js (UUID generation)
 ====Relevant Source Code====
-Source code can be found at https://github.com/mozilla-b2g/gaia/tree/v1-train/apps/calendar
+Source code can be found at https://github.com/mozilla-b2g/gaia/tree/master/apps/calendar
 ====Permissions====
-    "systemXHR":{},
+* "systemXHR":{},
-    "settings":{ "access": "readonly" },
+* "settings":{ "access": "readonly" },
-    "alarms":{},
+* "alarms":{},
-    "desktop-notification":{}
+* "browser":{} - Required to open a window for OAuth authentication
+* "storage":{},
+* "desktop-notification":{}
 ====Web Activity Handlers ====
@@ Line 64: / Line 67: @@
 ==== Post Messages ====
-The worker threads in worker/manager.js worker/thread.js use postMessage for communicating. This communication appears to be internal only. Also calendar.js uses postMessage but only responds to messages from itself.
+The following code files use postMessage for communicating:
+* js/worker/manager.js
+* js/worker/thread.js
+* js/calendar.js
+This communication appears to be internal only. calendar.js uses postMessage but only responds to messages from itself.
 ====Web Activity Usage ====
@@ Line 74: / Line 83: @@
 ===Code Review Notes===
 The calendar doesn't handle any web activities and has limited interaction with other apps. Calendar does extend the alarms API / db for non-phone devices.
 ====1. XSS & HTML Injection attacks====
@@ Line 83: / Line 91: @@
 Manual entry of bad data into the Calendar app and syncing of bad data was performed. Template input is sufficiently escaped by the 'h' function in template.js . This function performs a regex check for HTML characters mathcing the regex /[&<>"'`]/ then escapes single and double-quotes. The corresponding template files in templates/ call either 'h', 's', 'bool' or 'l10n' to convert / escape data before display.
+I've also tried to perform XML injection by exploiting the CalDav XML Parser and/or injecting code in iCal data: strings seem properly escaped, and attempts to perform an XXE failed.
+Basically, the parser falls into a "strictFail()" method each time malformed data are parsed.
 ====2. Secure Communications ====
@@ Line 90: / Line 101: @@
 The Calendar talks to remote servers. There are currently presets for the SSL versions of Google and Yahoo calendars. However a user may specify their own CalDav or Local calendar instance. There is some risk if the user specifies a HTTP endpoint instead of HTTPS. The app does not perform SSL certificate checks, however gecko will error on a certificate error.
+ext/caldav.js and service/caldav.js perform XHR requests to synchronize calendars.
+The options are set in service/caldav.js and transmitted to the caldav ext library:
+var xhrOpts = {
+  /** system is required for cross domain XHR  */
+  mozSystem: true,
+  /** mozAnon is required to avoid system level popups on 401 status */
+  mozAnon: true,
+  /** enables use of mozilla only streaming api's when available */
+  useMozChunkedText: true
+}
 ====3. (Secure) data storage ====
@@ Line 95: / Line 117: @@
 All data is stored in one of a couple IndexedDBs. The code looks okay.
+====4. Denial of Service ====
-====4. Denial of Service ====
+Some DoS attacks may be possible during sync. See Actions & Recommendations section.
 ====5. Use of Privileged APIs ====
@@ Line 105: / Line 128: @@
 === Security Risks & Mitigating Controls ===
+The code from js/ext/caldav.js is adapted from the sax-js parser from https://github.com/isaacs/sax-js/. Some relatively recent commits might be worth applying:
+* https://github.com/isaacs/sax-js/commit/67d0edef57d003757566e8886ca0478e909cd3bf
+* https://github.com/isaacs/sax-js/commit/3b74c16503572d4216d93c867853fed846cffe55
+* https://github.com/isaacs/sax-js/commit/6f760b1f8696c2af5e104ada9b171ebc2206b88c).
 === Actions & Recommendations ===
+Two DoS attack vectors were found:
+* {{bug|932819}}
+* {{bug|932825}}

Security/Reviews/Gaia/Calendar: Difference between revisions

Security/Reviews/Gaia/Calendar (view source)

Revision as of 16:08, 30 October 2013

Navigation menu

Search