Review of the gaia email app
Assignee: nobody → ptheriault
Component: Security Assurance → Security Assurance: Review Request
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings
Priority: 4 (P2) - Mozilla Initiative
Operational: 0 - N/A
User: 4 - Critical
Privacy: 4 - Critical
Engineering: 4 - Critical
Reputational: 4 - Critical
Priority Score: 64
I've finished reviewing the email app. Emails are rendered in an iframe sandbox. The iframe sandbox only allows same-origin scripts to execute. The content is said to be escaped and sanitized before display. My tests showed that HTML entities are escaped in some way. I was unable to find the part of the code that did the escaping. One area I did not review was the large JS file filled with 3rd-party libraries under email/js/ext/gaia-email-opt.js.

One last thing that needs to be done is taking out the secret debug menu that allows dumping the log to the SD card. I tested on the 01-21 beta build and the menu was still there. Logging was disabled by default, though. I will file a bug to remove the debug menu.

- https://github.com/mozilla-b2g/gaia/blob/master/apps/email/js/iframe-shims.js#L184
- https://wiki.mozilla.org/Gaia/Email/SecretDebugMode
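The comment above describes the two controls the review relies on: the message body is escaped before display, and the result is rendered inside a sandboxed iframe. The block below is an added illustration of that pattern in plain JavaScript; it is not Gaia's code and does not claim to match how the email app's iframe-shims or its sanitizer are written. It assumes a viewer that sets the frame's srcdoc from a string, uses an empty sandbox token list by default, and carries a CSP meta tag as a second layer. The sample message body is constructed for the example. It also includes the check a reviewer wants when reading a sandbox attribute: allow-scripts combined with allow-same-origin lets framed content reach its parent and strip its own sandbox, so that combination is refused.

```javascript
// Added example (not Gaia code): render an untrusted email body inside a
// sandboxed iframe with every HTML-significant character escaped first.

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// The dangerous combination: a sandboxed frame that is both same-origin and
// allowed to run script can reach into its parent and remove its own sandbox.
function sandboxAllowsEscape(tokens) {
  const set = new Set(tokens);
  return set.has('allow-scripts') && set.has('allow-same-origin');
}

// Build the attributes for the viewer iframe (hypothetical helper). The body
// is treated as plain text; newlines become <br> only after escaping, so the
// output contains no markup that came from the message.
function buildMailFrame(bodyText, sandboxTokens = []) {
  if (sandboxAllowsEscape(sandboxTokens)) {
    throw new Error('refusing allow-scripts together with allow-same-origin');
  }
  const escaped = escapeHtml(bodyText).replace(/\r?\n/g, '<br>\n');
  const srcdoc = [
    '<!DOCTYPE html>',
    '<html><head>',
    // Second layer: even if the sandbox is loosened later, nothing inside the
    // document may run script or fetch a remote resource.
    '<meta http-equiv="Content-Security-Policy" content="default-src \'none\'; style-src \'unsafe-inline\'">',
    '<style>body{font-family:sans-serif;white-space:pre-wrap}</style>',
    '</head><body>',
    escaped,
    '</body></html>',
  ].join('\n');
  // Assign via iframe.sandbox / iframe.srcdoc properties; the srcdoc string is
  // not attribute-quoted here, so do not splice it into an HTML attribute.
  return { sandbox: sandboxTokens.join(' '), srcdoc };
}

// Constructed sample: a message body that tries to break out of the viewer.
const SAMPLE_BODY =
  'Hi,\n<script>alert(document.cookie)</script>\n<img src=x onerror="alert(1)">';

if (typeof require !== 'undefined' && require.main === module) {
  const frame = buildMailFrame(SAMPLE_BODY);
  console.log('sandbox="' + frame.sandbox + '"');
  console.log(frame.srcdoc);
}
```

Run with node to see the escaped document; the script and img tags from the sample survive only as inert text. Attaching the frame with sandbox="" (no tokens) keeps the body unique-origin and script-free, and the CSP meta tag means a later change to the sandbox tokens does not silently turn the viewer into an execution context.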
Update: a new approach to email sanitization is being considered, in order to move the mail parsing to a worker thread to improve responsiveness. I am working with the devs to review this new code, which is expected to be complete in the next week or so.
Status: partially reviewed but needs to be formally documented.
Created attachment 786812
scanjs json output (flattened to remove files with no findings and tests with no results)

I have been using a prototype of ScanJS (https://github.com/freddyb/scanjs) to identify and hand-review the uses of potentially harmful APIs (default ruleset; see http://freddyb.github.io/scanjs/client/ and click "rules"). I am attaching the JSON output that my review is based on.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED