Closed Bug 754742 Opened 12 years ago Closed 11 years ago

[Security Review] B2G Gaia - Email

Categories

(mozilla.org :: Security Assurance: Review Request, task, P1)

x86
macOS

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pauljt, Assigned: freddy)

References

()

Details

(Keywords: meta, Whiteboard: [Score:64:High][FxOS])

Attachments

(1 file)

Review of the gaia email app
Priority: -- → P1
Assignee: nobody → ptheriault
Component: Security Assurance → Security Assurance: Review Request
Priority: P1 → P2
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 4 (P2) - Mozilla Initiative

Operational: 0 - N/A
User: 4 - Critical
Privacy: 4 - Critical
Engineering: 4 - Critical
Reputational: 4 - Critical

Priority Score: 64
Whiteboard: [Score:64:High]
I've finished reviewing the email app. Emails are rendered in an iframe sandbox. [1] the iframe sandbox only allows same-origin scripts to execute. The content is said to be escaped and sanitized before display. My tests showed that HTML entities are escaped in some way. I was unable to find the part of the code that did the escaping.

One area I did not review was the large js file filled with 3rd party libraries under
email/js/ext/gaia-email-opt.js

One last thing that needs to be done is taking out the secret debug menu that allows dumping the log to sdcard. [2] I tested on the 01-21 beta build and the menu was still there. Logging was disabled by default though. I will file a bug to remove the debug menu.


[1] - https://github.com/mozilla-b2g/gaia/blob/master/apps/email/js/iframe-shims.js#L184
[2] - https://wiki.mozilla.org/Gaia/Email/SecretDebugMode
Depends on: 834433
The entities are escaped using a port of bleach.py. There is a specific bug to review this sanitization, bug 783958. I have reviewed the approach, and it seems sound to me. I performed some testing by hacking up the email app, and I wasn't able to get anything past the sanitization.

The basic process as I understand is:
- a loaded-as-data document is created, which houses the untrusted HTML, so we get a DOM, but it doesn't load scripts/links
- bleach walks the DOM discarding all nodes which are not in a whitelist
- images and links are stashed on custom attributes so they can be reactivated by the user if requested.

The actual code that does this is in https://raw.github.com/mozilla-b2g/gaia/master/apps/email/js/ext/gaia-email-opt.js. Search for "bleach".

If you are interested, it's easier to read the source for this library (since it is such a massive file). Here is the whitelist file: https://github.com/mozilla-b2g/gaia-email-libs-and-more/blob/master/data/lib/mailapi/htmlchew.js

This uses a port of bleach to javascript: https://github.com/asutherland/bleach.js
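The allowlist walk described in the comment above, as an added example that is not Gaia's or bleach.js's code. `parseHtml()` is a deliberately tiny tokenizer (well-formed, double-quoted markup only), constructed so the walk can run outside a browser; the real app walks a loaded-as-data document instead, and the tag/attribute allowlists and `data-ext-*` attribute names here are assumptions, not the project's own.

```javascript
// Added example, not Gaia's or bleach.js's code. parseHtml() is a tiny tokenizer
// (well-formed, double-quoted markup only) standing in for a loaded-as-data DOM.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'a', 'img', 'br']); // assumed allowlist
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt'] }; // assumed allowlist
const VOID_TAGS = new Set(['br', 'img']);
const SAFE_PROTOCOLS = /^(https?:|mailto:)/i; // allowlist of schemes, never a denylist
const decodeEntities = (s) => s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"').replace(/&amp;/g, '&');
const escapeHtml = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');

// Build a tree of { tag, attrs, children } objects; text nodes are plain strings.
function parseHtml(html) {
  const root = { tag: '#root', attrs: {}, children: [] }, stack = [root];
  const re = /<\/([a-zA-Z0-9]+)\s*>|<([a-zA-Z0-9]+)((?:\s+[a-zA-Z-]+(?:="[^"]*")?)*)\s*\/?>|([^<]+)/g;
  for (let m; (m = re.exec(html)) !== null;) {
    const top = stack[stack.length - 1];
    if (m[1]) { if (stack.length > 1 && top.tag === m[1].toLowerCase()) stack.pop(); } // closing tag
    else if (m[2]) { // opening tag with zero or more attr="value" pairs
      const attrs = {};
      for (const a of m[3].matchAll(/([a-zA-Z-]+)(?:="([^"]*)")?/g)) attrs[a[1].toLowerCase()] = decodeEntities(a[2] || '');
      const node = { tag: m[2].toLowerCase(), attrs, children: [] };
      top.children.push(node);
      if (!VOID_TAGS.has(node.tag) && !m[0].endsWith('/>')) stack.push(node);
    } else top.children.push(decodeEntities(m[4])); // text node
  }
  return root;
}

// The bleach-style walk: drop elements (with their whole subtree) that are not allowlisted,
// keep only allowlisted attributes, and move remote references to data-* attributes so
// nothing is fetched until the user asks for images/links to be activated.
function sanitizeNode(node) {
  node.children = node.children.filter((child) => {
    if (typeof child === 'string') return true;
    if (!ALLOWED_TAGS.has(child.tag)) return false; // <script>, <style>, <iframe>, ...
    const allowed = new Set(ALLOWED_ATTRS[child.tag] || []);
    for (const name of Object.keys(child.attrs)) if (!allowed.has(name)) delete child.attrs[name]; // on*, style, ...
    for (const [tag, attr] of [['img', 'src'], ['a', 'href']]) {
      if (child.tag !== tag || child.attrs[attr] === undefined) continue;
      if (SAFE_PROTOCOLS.test(child.attrs[attr])) child.attrs[`data-ext-${attr}`] = child.attrs[attr];
      delete child.attrs[attr]; // any other scheme (javascript:, data:, relative) is dropped outright
    }
    sanitizeNode(child);
    return true;
  });
  return node;
}

function serialize(node) {
  if (typeof node === 'string') return escapeHtml(node);
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join('');
  const inner = node.children.map(serialize).join('');
  return node.tag === '#root' ? inner : VOID_TAGS.has(node.tag) ? `<${node.tag}${attrs}>` : `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

const sanitizeHtml = (html) => serialize(sanitizeNode(parseHtml(html)));
// Constructed sample message body, not taken from any real email.
const SAMPLE_EMAIL_HTML = '<p>Hi <b>there</b> &amp; welcome<script>alert(1)</script><img src="http://x.example/t.png" onerror="alert(2)"><a href="javascript:alert(3)" title="x">bad</a><a href="https://example.org/">ok</a></p>';
```

Running `sanitizeHtml(SAMPLE_EMAIL_HTML)` keeps the text and inline formatting, removes the script element and event handler, drops the `javascript:` link target, and leaves the image source and the https link parked on `data-ext-*` attributes for the user to opt into.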
Update: a new approach to email sanitization is being considered, in order to move the mail parsing to a worker thread to improve responsiveness. Working with the devs to review this new code, which is expected to be complete in the next week or so.
Whiteboard: [Score:64:High] → [Score:64:High][FxOS]
Status: partially reviewed but needs to be formally documented.
Depends on: 899070
Depends on: 901470
Depends on: 901538
Depends on: 901894
Depends on: 901926
I have been using a prototype of ScanJS (https://github.com/freddyb/scanjs) to identify and hand-review the uses of potentially harmful APIs (default ruleset, see http://freddyb.github.io/scanjs/client/ and click rules).

I am attaching the JSON output that my review is based on.
Depends on: 902381
Assignee: ptheriault → fbraun
Priority: P2 → P1
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED