Comments (7)
(You see? You're beginning to love Node.js development… ;)
from scribejs.
cf https://blog.risingstack.com/node-js-security-checklist/
from scribejs.
@tripu I went through the tests, so far as I could understand them; here is the checklist so far. There are some open issues for which you may have an answer.

- Configuration Management
  - Security HTTP Headers: not applicable. Seems to be relevant for server-side implementations; scribejs does not operate as a server.
  - Sensitive Data on the Client Side: check. The only sensitive data may be the GitHub credential; that is not in the code.
- Authentication
  - Brute Force Protection: not applicable. Seems to be relevant for server-side implementations; scribejs does not operate as a server.
- Session Management
  - Cookie Flags: not applicable, no cookies are used.
  - Cookie Scope: not applicable, no cookies are used.
  - CSRF: I am not sure I understand, but it does not seem to be applicable; that is server-specific.
- Data Validation
  - XSS: Sanitize user input: that may be necessary for the data received via the HTTP POST that is issued when the form is submitted. Not sure how and what to do about it: how do I ensure that the input is proper text without any executable? Or is it necessary to check? There is no `eval` or similar in the program. Is it necessary to check whether the input is not too large? I.e., that it would not override some buffers? Or do browsers have protections for this?
  - SQL Injection: not applicable, there is no underlying database handling.
  - Command Injection: again, sanitize user input, mostly URLs. I am not sure what is to be done.
- Secure Transmission: this is mostly around the usage and the check of HTTPS; isn't this a matter of the server setup at lab.w3.org?
- Denial of Service
  - Account Lockout: is there a way to avoid a DoS-type attack on a CGI script target? I.e., to avoid zillions of such calls? I am not sure that is something that the script itself can/should do…
  - Regular Expressions: the input, or any part of the script, is not using regular expressions. However, the `s/.../.../` feature uses regular expressions internally, by turning the first string into a regex (this is used to ensure that all occurrences in a line of the match are changed). The `safe-check` approach has been implemented for this (as part of PR #33).
- Error Handling
  - Error codes, stack traces: checked the `catch` or `throw` calls. At some place, potentially, secret information like the GH token could spill to the public; I have obfuscated those (as part of PR #33).
- NPM
  - NSP: I checked the package with NSP; no vulnerability found.

I also do not know whether the usage of local storage in the browser has separate vulnerabilities.
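As an added example, not scribejs's own code and not the contents of PR #33, here are the three mitigations the checklist above reaches for, written for Node.js: escaping the first string of an IRC-style `s/old/new/` correction before it becomes a RegExp (so a pathological pattern such as `(a+)+$` is matched literally instead of triggering catastrophic backtracking), scrubbing a GitHub token out of error messages and stack traces before they are thrown or logged, and accepting only `https:` URLs on an allow-listed host with no embedded credentials. All function names, the host allow-list and the sample inputs are assumptions made for illustration.

```javascript
'use strict';
// Added example for the checklist above; this is not scribejs code and not the content of PR #33.
// Function names, the host allow-list and all sample inputs are assumptions for illustration.

// ---- 1. ReDoS: turn user text into a RegExp safely ---------------------------------------
// Escape every regex metacharacter so the user's string is matched literally. A literal
// pattern contains no quantifiers or alternation, so it cannot backtrack catastrophically,
// whatever the user typed into the s/.../.../ correction.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Replace every occurrence of `from` in `line` with `to` (the 'g' flag gives the
// "all occurrences in a line" behaviour). The replacer is a function so that `$&`, `$1`
// etc. in `to` are inserted verbatim instead of being interpreted as back-references.
function applySubstitution(line, from, to) {
  if (from.length === 0) return line;   // an empty pattern would match between every character
  const re = new RegExp(escapeRegExp(from), 'g');
  return line.replace(re, () => to);
}

// ---- 2. Error handling: keep the GitHub token out of messages and stack traces ----------
// Replace each configured secret with a placeholder. Plain string splitting is used so the
// secret itself never has to become a regex.
function redactSecrets(text, secrets) {
  let out = String(text);
  for (const s of secrets) {
    if (typeof s === 'string' && s.length > 0) out = out.split(s).join('[REDACTED]');
  }
  return out;
}

// Run `fn`; if it throws, re-throw an Error whose message and stack are scrubbed, so a
// caller that prints err.stack to a log or a web page cannot leak the token.
function withRedactedErrors(fn, secrets) {
  try {
    return fn();
  } catch (err) {
    const message = err instanceof Error ? err.message : String(err);
    const stack = err instanceof Error && err.stack ? err.stack : message;
    const clean = new Error(redactSecrets(message, secrets));
    clean.stack = redactSecrets(stack, secrets);
    throw clean;
  }
}

// ---- 3. URL sanitisation: https only, known hosts only, no embedded credentials ---------
const ALLOWED_HOSTS = new Set(['api.github.com']);   // assumed allow-list, not from the project

function checkUrl(input) {
  let url;
  try {
    url = new URL(String(input));          // throws on relative or malformed input
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme must be https' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: 'host not allow-listed' };
  return { ok: true, href: url.href };
}

// Small demonstration with constructed inputs (none of these are real credentials).
const token = 'example-token-value';
console.log(applySubstitution('foo.bar and foo.bar', 'foo.bar', 'baz'));      // baz and baz
console.log(applySubstitution('aaaaaaaaaaaaaaaaaaaaaaaa!', '(a+)+$', 'x')); // unchanged, returns at once
try {
  withRedactedErrors(() => { throw new Error('GitHub returned 401 for ' + token); }, [token]);
} catch (e) {
  console.log(e.message);                  // GitHub returned 401 for [REDACTED]
}
console.log(checkUrl('http://api.github.com/repos').reason);   // scheme must be https
console.log(checkUrl('https://api.github.com/repos').href);    // https://api.github.com/repos
```

The escaping step is what makes the `s/.../.../` feature safe against ReDoS: once the user's text is escaped, the regex engine only ever does a linear literal search, so no "safe regex" heuristic is needed on top. Redaction works by value rather than by token format, which is deliberate: it does not depend on what a GitHub token looks like, only on the program knowing which strings it was configured with.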
Good work, @iherman!
I'll review your PR very soon.
Added some changes on URL sanitation, see comment in #33.
I guess this issue is also moot with the disappearance of the CGI interface.