Bug 754736 (Closed) - Opened 13 years ago, Closed 12 years ago
[Security Review] B2G Gaia - Calendar
Categories: mozilla.org :: Security Assurance: Review Request, task, P2
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: pauljt, Assigned: dchanm+bugzilla
Keywords: meta, Whiteboard: [Score:44:Medium]
Review of the gaia Calendar app. http://calendar.gaiamobile.org/
Updated 13 years ago: Priority: -- → P1
Updated 13 years ago: Assignee: nobody → ptheriault
Updated 13 years ago: Component: Security Assurance → Security Assurance: Review Request
Updated 12 years ago: Blocks: B2G-secreview
Updated 12 years ago: Priority: P1 → P2
Comment 1 (Reporter, 12 years ago)
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings
Priority: 4 (P2) - Mozilla Initiative
Operational: 0 - N/A
User: 4 - Critical
Privacy: 2 - Normal
Engineering: 2 - Normal
Reputational: 3 - Major
Priority Score: 44
Whiteboard: [Score:44:Medium]
Updated 12 years ago: Assignee: ptheriault → dchan+bugzilla
Comment 2 (Assignee, 12 years ago)
I've done some manual testing and review of the gaia calendar app. The main threat scenario I saw was malicious input from the calendar sync endpoints. The app allows connection to non-SSL calendars, which is a potential vector for injecting malicious content.
I was unable to get unescaped input into the calendar in my limited tests. The calendar app uses a custom MVC framework and templating system. [1] Calendar entry data is sanitized through the use of Node.textContent and a regex replace:
    'h': function(a) {
      var arg = this.arg(a);
      //only escape bad looking stuff saves
      //a ton of time
      if (POSSIBLE_HTML.test(arg)) {
        // innerHTML serialisation of a text node escapes &, < and > but leaves
        // quotes alone, so the quotes are replaced with entities explicitly
        span.textContent = arg;
        return span.innerHTML.replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
      } else {
        // we don't want to call String in the case of "".
        // we emit a string version rather then an empty string.
        return arg || '';
      }
    },
POSSIBLE_HTML matches /[&<>"'`]/
Setting span.textContent escapes the characters <, >, and &
Using the regex on span.innerHTML escapes the ' and "
This escaped input is then concatenated in various templates.
I didn't test the effects of sending malformed DAV/calendar data to the sync handlers. It is possible that malformed data results in a crash or other undesired behavior. However, I view this as a low risk scenario that can be revisited after basecamp. There are bigger issues if this injection succeeds since it implies an insecure connection was used. For a secured connection, the network should drop the corrupted packets.
I'm going to close off this review and set a followup to add more tests to the current calendar testsuite.
[1] - https://github.com/mozilla-b2g/gaia/tree/master/apps/calendar/js/templates
[2] - https://github.com/mozilla-b2g/gaia/blob/master/apps/calendar/js/template.js#L35
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
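The escaping path described in comment 2, as an added example that is not gaia's own code. Outside a browser there is no DOM, so the hypothetical escapeViaTextContent() stands in for the span.textContent → span.innerHTML round trip (which serialises &, < and > as entities and leaves quotes untouched); h() mirrors the helper quoted above, and renderEvent() is an assumed string-concatenation template of the kind the review says the escaped value is fed into.

```javascript
// Added example, not code from the gaia repository.
// Same character class the review quotes for POSSIBLE_HTML.
const POSSIBLE_HTML = /[&<>"'`]/;

// Assumption: models what the browser emits for innerHTML after assigning
// textContent. Only &, < and > are turned into entities; quotes pass through,
// which is why the helper applies its own regex replace for them.
function escapeViaTextContent(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Model of the template helper 'h': fast path for values with no markup
// characters, entity escaping (including both quote styles) otherwise.
function h(arg) {
  if (POSSIBLE_HTML.test(arg)) {
    return escapeViaTextContent(arg)
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#x27;');
  }
  // Empty string and other falsy values are emitted as '' rather than
  // stringified, matching the helper's else branch.
  return arg || '';
}

// Hypothetical concatenating template: the escaped title is placed both as
// element content and inside a double-quoted attribute, the two contexts a
// calendar list item would typically use.
function renderEvent(title) {
  return '<li title="' + h(title) + '">' + h(title) + '</li>';
}

// Constructed sample standing in for an event title received from an
// untrusted (e.g. non-SSL) CalDAV endpoint.
const sampleTitle = '<img src=x onerror="alert(1)">';
console.log(renderEvent(sampleTitle));
// The entities keep the value inert in both contexts; the attribute cannot
// be closed early because the double quote is now &quot;.
```

Running the block prints the rendered list item; the point to check is that both the element-content copy and the attribute copy contain only entities where the sample had `<`, `>` and `"`.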
Comment 3 (Assignee, 12 years ago)
Something I forgot to mention is that the calendar app does temporarily store data into an "alarms store" IndexedDB. This is separate from the Alarms API DB. The calendar app /WILL/ copy its alarms from the "alarm store" to the Alarms API DB as needed. If the time for the "alarm store's" entry has passed, the Calendar will fire a notification instead of setting an alarm with the Alarm API.
Updated 12 years ago: No longer blocks: B2G-secreview