Security Policy #353
@Otto-AA sorry for coming back to you so late.
I don't remember where exactly it was in the code, if you need it I can try to dig it up. Essentially, the markdown renderer is vulnerable to XSS. When viewing a markdown file, arbitrary scripts from this file can be executed. As an example, go to https://sheep.solidcommunity.net/public/ and click on the As a solution, it is likely enough to go to the documentation of the markdown renderer and follow the security best practices there (again, I forgot which one it is, but they must have a section about filtering scripts for XSS).
@Otto-AA thanks! This already pins it down pretty good. :)
Also as a general note: restrain from using
@Otto-AA I think it is clear from your findings we do not have much know-how about security concerns in the code 😓 We could really use some help, even with these simple .innerHtml removal tasks. Would you be interested to join us, take a look? We can also organise a security knowledge transfer so we know what to avoid and fix.
SolidOS is using https://github.com/markedjs/marked. They recommend to sanitize using https://github.com/cure53/DOMPurify
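To illustrate the defensive principle behind the fix discussed in this thread (never hand untrusted markdown output to `innerHTML` unsanitized), here is an added example that is not SolidOS code and not marked or DOMPurify: a tiny markdown-subset renderer that HTML-escapes the whole input before adding its own markup, and only links to an allowlist of URL schemes. The sample input is constructed; for a real renderer such as marked, the equivalent step is `DOMPurify.sanitize(marked.parse(md))` before assignment.

```javascript
// Added example (hypothetical renderer, not SolidOS code): safe by
// construction because every byte of the untrusted file is escaped first,
// so raw <script> or event-handler attributes never reach the DOM; the
// only tags emitted are the renderer's own.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Scheme allowlist for link targets: anything that is not http(s) or
// mailto (javascript:, data:, vbscript:, ...) is left as plain text.
// Input arrives already HTML-escaped, so it is safe inside an attribute.
function safeHref(escapedUrl) {
  const t = escapedUrl.trim();
  return /^(https?:|mailto:)/i.test(t) ? t : null;
}

// Supports: "# heading", **bold**, and [text](url). Each line becomes a
// block; blank lines produce nothing.
function renderMarkdown(md) {
  return md.split(/\r?\n/).map((line) => {
    let html = escapeHtml(line);               // neutralise raw HTML first
    const h = /^(#{1,6})\s+(.*)$/.exec(html);
    if (h) return `<h${h[1].length}>${h[2]}</h${h[1].length}>`;
    html = html.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>');
    html = html.replace(/\[([^\]]+)\]\(([^)]+)\)/g, (m, text, url) => {
      const href = safeHref(url);
      return href ? `<a href="${href}">${text}</a>` : m;
    });
    return html ? `<p>${html}</p>` : '';
  }).join('');
}

// Constructed sample: a markdown file carrying classic injection attempts.
const SAMPLE = [
  '# Notes',
  '<script>alert(document.cookie)</script>',
  '<img src=x onerror=alert(1)>',
  'See **docs** at [Solid](https://solidproject.org)',
  '[click me](javascript:alert(1))',
].join('\n');

console.log(renderMarkdown(SAMPLE));
```

The rendered output contains no `<script>` or `<img>` element and the `javascript:` link stays inert text, while the legitimate heading, bold text and https link survive.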
We should split off the script injection problem from this general "What is your Security Policy" issue. |
I've moved the XSS vulnerability to another issue, so this one can focus on the security policy |
@timea-solid I've created a document with basic security recommendations here: https://github.com/Otto-AA/solid-security-basics If you think it is helpful for you all, I could also join the meeting and talk about this (though I don't know if it would be much more than going through the document). I would have to join late though, as I'm usually not available on Wednesdays before 18:00.
@Otto-AA Thank you so so so much! I had this on the back of my mind. I recently learned how to do one myself. So getting us started is so much appreciated. And wow may I just say you went above and beyond there: https://github.com/Otto-AA/solid-security-basics |
@Otto-AA @bourgeoa what do you think about this proposal: #376 Context: each and every single repo in SolidOS should have such a policy -> if we settle the working on one, we can then copy it in each repo.
Yes, for the next weeks/months I'm only available after 18:00. So I could only join late, or maybe in June/July I'll also have time at 17:30. Let's see :)
Thanks, I hope it's able to give some useful input!
Not necessary, but why not 🤷 And thank you for the enthusiasm, always refreshing to see!
@Otto-AA our meetings have been pushed by 1/2 hour.
Weren't we able to sanitize the users input? I didn't know if this issue was fixed or not. |
The markdown XSS has moved to a separate issue and has been fixed: #369 |
What is the security policy for this repository? I could not find any info in the README and the Security github section.
In particular, where should I report security vulnerabilities?