Closed Bug 1113694 Opened 11 years ago Closed 11 years ago

Vendor Sec Review: CKEditor + MDN

Categories

(mozilla.org :: Security Assurance: Review Request, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: davidwalsh, Unassigned)

Details

(Whiteboard: [pending secreview])

Original bug with discussion and more details here: https://bugzilla.mozilla.org/show_bug.cgi?id=975868

I'd like to formally request review of the CKEditor upgrade on MDN. CKEditor is a WYSIWYG editor which allows our contributors to write rich text documentation from within the browser. This contribution has been made by the CKEditor project lead developer via this pull request: https://github.com/mozilla/kuma/pull/2948

When the security review begins, I will place this contribution on our staging server (http://developer.allizom.org). The CKEditor can be seen in 3 places (new, edit, and translate):

https://developer.allizom.org/en-US/docs/new (empty content)
https://developer.allizom.org/en-US/docs/Web$edit (prepopulated content)
https://developer.allizom.org/es/docs/Web$edit (prepopulated content)

We should be on the lookout for XSS and stored XSS issues, as well as the usual front-end security issues.

Per the review request process (https://wiki.mozilla.org/WebAppSec/Security_Review_Request#Security_Assurance_Vendor_Review_Request) form:

Overall
================

Please describe the overall purpose of the system and how Mozilla data will be integrated
----------------------------
CKEditor is required for our users to create and edit rich content. The editor is placed into the page with JavaScript. On "edit" and "translate" pages, the editor is prepopulated with HTML content which has *not* been modified or scrubbed, so if a user attempts an XSS, that XSS-containing content is placed within the editor. We should ensure the XSS code is not executed.

Security Management
================

Have you performed internal security audits of your code or application that, at a minimum, addressed the OWASP Top 10? If so, please provide a description of the review and results.
----------------------------
I have not specifically, outside of basic testing.

Has a security audit been performed by an external third party? If so, who performed this audit and are the results available?
----------------------------
CKEditor does not publish a detailed security document or set of standards. Searching for "CKEditor security" and "CKEditor secure" shows a record of specific security releases.

How do you protect Mozilla data that will be stored on your servers or within your applications?
----------------------------
MDN stores *exact*, non-scrubbed content within the database. Before any content is displayed on a wiki page, the content is scrubbed. When the content is placed in the CKEditor, however, non-scrubbed content is placed within the textarea which CKEditor uses. CKEditor takes that data and places it within its content IFRAME. We rely on CKEditor to prevent the execution of said XSS issues.

How do you prevent other customers of your service from obtaining access to data provided by Mozilla?
----------------------------
MDN is an open book. Content is available on wiki pages, via CORS, an API, etc.

What is your disclosure policy to customers in the event of a compromise of your servers, applications or any related infrastructure that interacts with the applications holding Mozilla data?
----------------------------
During a past security issue, a blog post on the Mozilla blog was completed, as well as a notification in the heading of the site. That was for a PII issue with an unsecured database dump.

Have you suffered a security compromise in the past 24 months? If so, please provide details and remediation that occurred as a result.
----------------------------
Yes: https://blog.mozilla.org/security/2014/08/01/mdn-database-disclosure/

What other large engagements/clients have you supported with this application?
----------------------------
None

Technical Design
================

Describe the technology stack of the application and infrastructure.
----------------------------
MDN is a Python (Django) + MySQL app. CKEditor is a JavaScript + CSS widget.

Will testing of the running application be possible?
----------------------------
Yes, via the staging server.

Will source code for their application be available?
----------------------------
Yes, within this pull request: https://github.com/mozilla/kuma/pull/2948

Do you have attestation reports from any other vendors regarding your security posture?
----------------------------
I do not.

Do you have any other security certifications that may be relevant?
----------------------------
I do not.

Please let me know if I can help with anything. Before testing, however, please confirm with "davidwalsh", "groovecoder", or "openjck" that the correct CKEditor is on staging. It has a grey chrome. You can find us in #mdndev.
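The request above describes two separate trust boundaries for the same stored, unscrubbed HTML: the display path (scrubbed before it reaches a wiki page) and the edit path (raw document written into the textarea CKEditor reads, with CKEditor expected to neutralise it inside its iframe). The example below is an added illustration written for this review, not kuma's or CKEditor's code and not MDN's real sanitizer; the helper names, the tag allowlist and the sample payloads are all constructed. It shows the check a reviewer would want on each path: the edit page must at least entity-escape the raw document so a stored `</textarea><script>` cannot break out of the textarea and run before CKEditor loads (CKEditor's own filtering never gets a chance at that), and the display path must rebuild the document from an allowlist rather than strip known-bad patterns.

```python
"""Added example: the two protections the review request relies on, side by side.
Not kuma's or CKEditor's code; helper names, allowlist and payloads are constructed."""
import html
import re
from html.parser import HTMLParser

# Constructed samples of stored, unscrubbed HTML a contributor could save and that
# the edit/translate pages would load straight back into the editor's textarea.
STORED_XSS_SAMPLES = [
    '<p>hi</p><script>alert(1)</script>',
    '<img src=x onerror="alert(1)">',
    '</textarea><script>alert(1)</script>',
    '<a href="javascript:alert(1)">x</a>',
    '<a href="java\tscript:alert(1)">x</a>',
    '<p onmouseover="alert(1)">hover</p>',
]

# Illustrative allowlist only; the real MDN sanitizer is not reproduced here.
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"img"}
_CONTROL = re.compile(r"[\x00-\x20]")


def render_editor_textarea(stored_html, name="content"):
    """Edit path (server side).  The author must see exactly what is stored, so the
    document is NOT scrubbed here, but it must be entity-escaped: a stored
    '</textarea><script>' would otherwise close the textarea and run in the page
    before CKEditor has even loaded."""
    return '<textarea name="%s">%s</textarea>' % (name, html.escape(stored_html))


def textarea_is_intact(rendered):
    """True if the only raw '<' characters are the textarea's own open/close tags."""
    return rendered.count("<") == 2 and rendered.endswith("</textarea>")


def _safe_url(value):
    """Reject javascript:/data:/vbscript: style schemes, including ones that smuggle
    whitespace or control characters into the scheme ('java\\tscript:')."""
    if value is None:
        return False
    cleaned = _CONTROL.sub("", value).lower()
    scheme, sep, _ = cleaned.partition(":")
    if not sep or any(c in scheme for c in "/#?"):
        return True  # no scheme at all: a relative URL or a fragment
    return scheme in ("http", "https", "mailto")


class AllowlistSanitizer(HTMLParser):
    """Display path.  Rebuilds the document keeping only allowlisted tags and
    attributes; every on* handler and the bodies of <script>/<style> are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, keep its text children
        kept = []
        for attr, value in attrs:
            if attr not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is what removes onerror=, onmouseover=, ...
            if attr in ("href", "src") and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (attr, html.escape(value or "")))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_for_display(stored_html):
    parser = AllowlistSanitizer()
    parser.feed(stored_html)
    parser.close()
    return "".join(parser.out)


_ACTIVE = re.compile(r"<script|\bon\w+\s*=|javascript:", re.IGNORECASE)


def has_active_content(markup):
    """Crude check meant for sanitizer *output*, not for escaped textarea text."""
    return bool(_ACTIVE.search(markup))


def all_samples_inert():
    """Every sample must survive both paths without executable content."""
    return all(
        textarea_is_intact(render_editor_textarea(s))
        and not has_active_content(sanitize_for_display(s))
        for s in STORED_XSS_SAMPLES
    )
```

The point of the split is the one the request makes implicitly: the display path is allowed to destroy information (it is a rendering), while the edit path is not (the contributor must get their exact document back), so the edit path can only rely on escaping plus whatever CKEditor does once the content is inside its iframe. A review of the upgrade should therefore exercise the staging edit/translate URLs with payloads like the ones above and confirm both that the textarea is never broken out of and that nothing fires once CKEditor has rendered the content.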
Update on this please? We'd really love to get this taken care of ASAP as I switch projects. Thank you!
Flags: sec-review?
(In reply to David Walsh :davidwalsh from comment #1)
> Update on this please? We'd really love to get this taken care of ASAP as I
> switch projects. Thank you!

Not to mention the risk of a patch this size quickly bitrotting. :)
:yvan - what's the best way to get a library upgrade sec review done? Is there any way we can help you?
Flags: needinfo?(yboily)
Performing this type of security review is very resource intensive. We generally don't perform these kind of reviews anymore due to resource constraints within the security team. Provided it is running an up to date version of the CK Editor platform and we are subscribed to the appropriate mailing lists to get updates, I don't see any issues with proceeding. From a privacy perspective is the code free of trackers and such?
Flags: needinfo?(yboily)
The release updates are here: http://ckeditor.com/blog/category/releases I didn't see any mailing list to which we could subscribe mdn-dev@mozilla.com. :yvan - how do we do this for other vendors? Do we have a favorite RSS-to-email service? If not I'll just pick one and subscribe mdn-dev@mozilla.com. Another (cooler?) option would be to put CKEditor into a front-end dependency manager (planning bower in Q1) and use or make an update monitor for it. (cc'ing :openjck)
Flags: needinfo?(yboily)
FWIW, I'm asking if we can get ckeditor release announcements sent to mdn-dev@mozilla.com [1] If I don't hear back soon, I've also got a team thread going about how to get the announcements. We'll sort something out. :davidwalsh - CKEditor has never included any tracking code, right? No surprise GA snippets in there? [1] http://ckeditor.com/forums/CKEditor/How-can-I-get-email-updates-about-new-CKEditor-releases
Flags: needinfo?(dwalsh)
Not that I'm aware of, and I doubt they'd say so if they did.
Flags: needinfo?(dwalsh)
I added an IFTTT recipe to send mdn-dev@mozilla.com an email for each CKEditor release from http://ckeditor.com/rss-ckeditor-releases. So, we are now upgrading to an up-to-date version and are subscribed to the releases. Can we close this?
wfm
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(yboily)
Resolution: --- → FIXED
Flags: sec-review?