Set the sandbox attribute for the iframe used in the log viewer to improve security

RESOLVED FIXED

Status

Product: Tree Management
Component: Treeherder: Log Viewer
Priority: P3
Severity: normal
Reported: 11 months ago
Modified: a month ago

People

(Reporter: emorley, Unassigned, Mentored)

Tracking

({good-first-bug})

Details

(Whiteboard: [lang=html])

Attachments

(1 attachment)

The new log viewer implementation loads a third party domain into an iframe.

To reduce the damage that can be done, we should set the `sandbox` property for the iframe to a suitable value, to limit the iframe content's ability to affect Treeherder.

See:
https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe
The iframe that needs the `sandbox` attribute setting is here:
https://github.com/mozilla/treeherder/blob/2a6d6f9b10f2a487a43cee0b240701991bed4ed4/ui/partials/logviewer/logviewer.html

To test, follow the instructions here:
https://treeherder.readthedocs.io/ui/installation.html#running-the-standalone-development-server

And then visit a URL like:
http://localhost:5000/logviewer.html#?job_id=128312507&repo=mozilla-inbound

...and compare with the stage version, checking everything still loaded:
https://treeherder.allizom.org/logviewer.html#?job_id=128312507&repo=mozilla-inbound

If there were errors in the web console, you may need to use the `sandbox` settings to add back a few permissions.

Note: If more than 4 months have passed since this comment, that job will no longer exist, and you'll need to find another job_id / log page to use as an example, by visiting stage (https://treeherder.allizom.org/#/jobs?repo=mozilla-inbound), clicking on a job and using the log icon on the bottom panel.

Once you're happy with the change, open a pull request with a title of the form "Bug NNNNNN - MESSAGE" and a bot will create a link attachment here that you can set the "review?" flag on and pick me from the suggested reviewers list.
Mentor: emorley@mozilla.com
Keywords: good-first-bug
Summary: Set the sandbox attribute for the iframe used in the log viewer → Set the sandbox attribute for the iframe used in the log viewer to improve security
Whiteboard: [lang=html]
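The description asks for a "suitable value" for `sandbox` and notes that a few permissions may need to be added back after testing in the web console. The check below is added here as an example; it is not code from Treeherder or from this bug's attachment. It audits an iframe start tag's `sandbox` attribute the way a reviewer would before approving a change like this one: a missing attribute (no restrictions), a bare attribute (every restriction) and a token list are treated differently, tokens that browsers would silently ignore are flagged, and the `allow-scripts` plus `allow-same-origin` combination is flagged because a same-origin framed document can then strip the sandbox from its own frame. The function names (`extractSandbox`, `auditSandbox`, `auditIframe`) and the sample iframe tags are constructed for this example; the token list is the one the HTML standard defines for the attribute.

```javascript
// Added example, not code from Treeherder: audit an <iframe>'s sandbox
// attribute as a reviewer might before accepting a change to markup such
// as logviewer.html. Function names and the sample tags are constructed.

// Sandbox tokens defined by the HTML standard. Newer, less widely supported
// tokens exist; anything not listed here is reported rather than trusted.
const KNOWN_TOKENS = new Set([
  "allow-downloads",
  "allow-forms",
  "allow-modals",
  "allow-orientation-lock",
  "allow-pointer-lock",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-presentation",
  "allow-same-origin",
  "allow-scripts",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// Pull the sandbox attribute value out of a single <iframe ...> start tag.
// Returns null when the attribute is absent (no sandbox at all) and "" for a
// bare `sandbox` attribute, which applies every restriction. A regex is enough
// for one start tag; in a browser use element.getAttribute("sandbox") instead.
function extractSandbox(iframeTag) {
  const m = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=[\s>\/])/i.exec(iframeTag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? "";
}

// Evaluate an attribute value, or null for "attribute missing".
// `restricted` is true when a sandbox is in force at all; `findings` lists
// what a reviewer should question before permissions are added back.
function auditSandbox(sandboxValue) {
  if (sandboxValue === null || sandboxValue === undefined) {
    return {
      restricted: false,
      tokens: [],
      findings: ["no sandbox attribute: framed content runs with the full set of permissions"],
    };
  }
  // Browsers treat the value as a case-insensitive, whitespace-separated token set.
  const tokens = [...new Set(sandboxValue.trim().toLowerCase().split(/\s+/).filter(Boolean))];
  const has = (t) => tokens.includes(t);
  const findings = [];
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) {
      findings.push(`unknown token "${t}" is silently ignored, so it grants nothing`);
    }
  }
  if (has("allow-scripts") && has("allow-same-origin")) {
    findings.push(
      "allow-scripts with allow-same-origin: a same-origin framed document can remove " +
        "the sandbox attribute from its own frame, so the sandbox protects nothing there"
    );
  }
  if (has("allow-top-navigation")) {
    findings.push("allow-top-navigation: framed content may navigate the embedding page away");
  }
  return { restricted: true, tokens, findings };
}

// Convenience wrapper: audit a start tag directly.
function auditIframe(iframeTag) {
  return auditSandbox(extractSandbox(iframeTag));
}

// Constructed sample markup (not the real logviewer.html): the unsandboxed
// starting point, the fully restricted form, and a permissive form.
const SAMPLE_IFRAMES = [
  '<iframe id="logview" src="https://example.invalid/log.txt"></iframe>',
  '<iframe id="logview" src="https://example.invalid/log.txt" sandbox></iframe>',
  '<iframe id="logview" src="https://example.invalid/log.txt" sandbox="allow-scripts allow-same-origin"></iframe>',
];

for (const tag of SAMPLE_IFRAMES) {
  const result = auditIframe(tag);
  console.log(tag);
  console.log(`  restricted=${result.restricted} tokens=[${result.tokens.join(" ")}]`);
  for (const f of result.findings) console.log(`  - ${f}`);
}
```

Run it with `node` to see the three sample tags audited. The practical reading of the findings: start from the bare `sandbox` attribute, re-run the log viewer as the description suggests, and add back only the tokens the console errors show are needed, checking each addition against the findings rather than pasting in a broad list.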

Comment 2

2 months ago
Created attachment 8921309 [details] [review]
[treeherder] amychan331:set-sandbox-attribute > mozilla:master
Attachment #8921309 - Flags: review?(emorley)

Comment 3

a month ago
Commit pushed to master at https://github.com/mozilla/treeherder

https://github.com/mozilla/treeherder/commit/32c549dc2800f1ca4611ec9e2e8f83cc2e38fc68
Bug 1328710 - Enable sandboxing for the logviewer iframe (#2867)

To improve security. 

See:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
Attachment #8921309 - Flags: review?(emorley) → review+
Status: NEW → RESOLVED
Last Resolved: a month ago
Resolution: --- → FIXED