The default bug view has changed. See this FAQ.

Ensure GCLI commands are executed securely

VERIFIED FIXED

Status

()

Firefox
Developer Tools
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: jwalker, Assigned: jwalker)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

GCLI commands are plain JavaScript. In GCLI they are executed simply using command.exec();. It is likely that this represents a security problem in some cases since commands will be executed with chrome privileges.

We should ensure that canon.exec() or canon.addCommand() performs the required wrapping to ensure that the correct privileges are used at all times.

This is not considered a "security issue" right now because:
- "Many users" are not using this code
- The only commands that exist don't do much of any note

This issue should be fixed before any significant number of users begin testing it.
Blocks: 642229
Did this feature go through security review when it first landed?  If not, it'd probably be a good idea to have it do that regardless now.

Comment 2

6 years ago
(In reply to comment #0)
> GCLI commands are plain JavaScript. In GCLI they are executed simply using
> command.exec();. It is likely that this represents a security problem in some

I have not yet looked at the patch, but, You will have to execute these commands in a sandbox, just like the existing command line.
(In reply to comment #1)
> Did this feature go through security review when it first landed?  If not, it'd
> probably be a good idea to have it do that regardless now.

It's not landed yet.
No longer blocks: 642229
Blocks: 659061
My current thinking is that it would be good if we can have the command line execute with chrome privs, protecting it from page resources, rather than the other way around (i.e. executing with page privs, Sandboxed from chome resources).
Not sure if that's possible.
Assignee: nobody → jwalker
Jesse - Are you best person to talk to about getting this command line feature reviewed?
Thanks,

Comment 6

6 years ago
curtisk has been organizing security reviews lately.
Review TBD added to sec team review radar https://wiki.mozilla.org/Security/Radar/Active#Firefox:_In_Progress
Bug 664693 tracks the documenting of the commands.
Bug 664696 tracks the reviewing of the commands by mrbkap

The notes from the etherpad have gone - will they be published anywhere?

I'd like to close this bug now - any objections?
mrbkap is supposed to review the wrapper implementation

security team will review the list of commands

Notes are posted here: https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/GCLI
I've added the bugs I raised to the wiki page - thanks for posting that.
I'll close this bug tomorrow unless anyone complains.
Many thanks.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Marking verified because there is no UI proof that the bug is fixed. The proof is in the comments above.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.