Closed Bug 754742 Opened 13 years ago Closed 12 years ago

[Security Review] B2G Gaia - Email

Categories

(mozilla.org :: Security Assurance: Review Request, task, P1)

x86
macOS

RESOLVED FIXED

People

(Reporter: pauljt, Assigned: freddy)

Details

(Keywords: meta, Whiteboard: [Score:64:High][FxOS])

Attachments

(1 file)

Review of the gaia email app
Priority: -- → P1
Assignee: nobody → ptheriault
Component: Security Assurance → Security Assurance: Review Request
Priority: P1 → P2
Risk/Priority Ranking Exercise (https://wiki.mozilla.org/Security/RiskRatings)
- Priority: 4 (P2) - Mozilla Initiative
- Operational: 0 - N/A
- User: 4 - Critical
- Privacy: 4 - Critical
- Engineering: 4 - Critical
- Reputational: 4 - Critical
- Priority Score: 64
Whiteboard: [Score:64:High]
I've finished reviewing the email app. Emails are rendered in an iframe sandbox. [1] The iframe sandbox only allows same-origin scripts to execute. The content is said to be escaped and sanitized before display. My tests showed that HTML entities are escaped in some way. I was unable to find the part of the code that did the escaping.

One area I did not review was the large js file filled with 3rd party libraries under email/js/ext/gaia-email-opt.js

One last thing that needs to be done is taking out the secret debug menu that allows dumping the log to sdcard. [2] I tested on the 01-21 beta build and the menu was still there. Logging was disabled by default though. I will file a bug to remove the debug menu.

[1] - https://github.com/mozilla-b2g/gaia/blob/master/apps/email/js/iframe-shims.js#L184
[2] - https://wiki.mozilla.org/Gaia/Email/SecretDebugMode
Depends on: 834433
The entities are escaped using a port of bleach.py. There is a specific bug to review this sanitization, bug 783958. I have reviewed the approach, and it seems sound to me, and I performed some testing by hacking up the email app, and I wasn't able to get anything past the sanitization. The basic process as I understand it is:

- a loaded-as-data document is created, which houses the untrusted HTML, so we get a DOM, but it doesn't load scripts/links
- bleach walks the DOM discarding all nodes which are not in a whitelist
- images and links are stashed on custom attributes so they can be reactivated by the user if requested.

The actual code that does this is in https://raw.github.com/mozilla-b2g/gaia/master/apps/email/js/ext/gaia-email-opt.js. Search for "bleach". If you are interested, it's easier to read the source for this library (since it is such a massive file).

Here is the whitelist file: https://github.com/mozilla-b2g/gaia-email-libs-and-more/blob/master/data/lib/mailapi/htmlchew.js

This uses a port of bleach to javascript: https://github.com/asutherland/bleach.js
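The three-step process described in the comment above (build a DOM from the untrusted HTML without loading anything, walk it against a whitelist, stash link and image targets on custom attributes) can be shown in miniature. The following is an added example, not code from Gaia, bleach.js or htmlchew.js: it runs the whitelist walk over a constructed node tree instead of a real inert document (so it runs under Node without a DOM), and the tag list, attribute list and the `data-x-ext-href` / `data-x-ext-src` stash attribute names are assumptions chosen for the illustration, not the names the email app uses.

```javascript
// Added example (not Gaia's or bleach.js code): a whitelist walk over an
// already-parsed tree. In the real app the tree would come from an inert,
// loaded-as-data document; here it is a constructed object so the example
// needs no browser DOM. All names below are assumptions for illustration.

const ALLOWED_TAGS = new Set(['div', 'p', 'span', 'b', 'i', 'br', 'a', 'img']);
// Ordinary attributes that survive per tag. Event handlers (on*), style and
// anything else not listed are dropped simply by not being here.
const ALLOWED_ATTRS = { a: new Set(['title']), img: new Set(['alt']) };
// Links and images are not made live: their targets are moved to custom
// attributes so the UI can re-enable them only on user request (assumed names).
const STASH = { a: { href: 'data-x-ext-href' }, img: { src: 'data-x-ext-src' } };
const VOID_TAGS = new Set(['br', 'img']);

function escapeText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Only plain web/mail schemes are worth stashing; javascript:, data:, etc. are dropped.
function isStashableUrl(u) {
  return /^(https?:|mailto:)/i.test(String(u).trim());
}

// Node shape: { tag, attrs, children } for elements, { text } for text nodes.
// Returns a cleaned copy, or null when the node (and its subtree) is discarded.
function sanitizeNode(node) {
  if (node.text !== undefined) return { text: node.text };
  const tag = String(node.tag).toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return null; // not whitelisted: discard whole subtree
  const attrs = {};
  const stash = STASH[tag] || {};
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  for (const [rawName, value] of Object.entries(node.attrs || {})) {
    const name = rawName.toLowerCase();
    if (stash[name]) {
      if (isStashableUrl(value)) attrs[stash[name]] = value; // stashed, not active
    } else if (allowed.has(name)) {
      attrs[name] = value;
    }
    // everything else (onclick, onerror, style, ...) falls through and is dropped
  }
  const children = (node.children || []).map(sanitizeNode).filter(Boolean);
  return { tag, attrs, children };
}

// Serialize the cleaned tree back to HTML, escaping text and attribute values.
function serialize(node) {
  if (node.text !== undefined) return escapeText(node.text);
  const attrs = Object.entries(node.attrs)
    .map(([k, v]) => ` ${k}="${escapeText(v)}"`).join('');
  if (VOID_TAGS.has(node.tag)) return `<${node.tag}${attrs}>`;
  return `<${node.tag}${attrs}>${node.children.map(serialize).join('')}</${node.tag}>`;
}

function sanitizeTree(root) {
  const clean = sanitizeNode(root);
  return clean ? serialize(clean) : '';
}

// Constructed sample message body mixing benign markup with the kinds of
// nodes and attributes the whitelist is meant to strip.
const SAMPLE_BODY = { tag: 'div', attrs: {}, children: [
  { tag: 'p', attrs: { style: 'color:red' }, children: [{ text: 'Hello <world> & friends' }] },
  { tag: 'script', attrs: {}, children: [{ text: 'alert(1)' }] },
  { tag: 'a', attrs: { href: 'https://example.com', onclick: 'x()', title: 'site' },
    children: [{ text: 'link' }] },
  { tag: 'img', attrs: { src: 'https://example.com/pixel.png', onerror: 'y()', alt: 'pic' },
    children: [] },
  { tag: 'a', attrs: { href: 'javascript:alert(1)' }, children: [{ text: 'bad' }] },
]};

console.log(sanitizeTree(SAMPLE_BODY));
```

Two design points carry over from the comment: the walk produces a fresh tree rather than editing the untrusted one in place, so nothing that was not explicitly copied can leak through; and the stashed `href`/`src` values are kept only when their scheme is one the UI would be willing to re-enable, which keeps the "reactivate on request" step from becoming a second sanitizer.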
Update: a new approach is being considered for email sanitization, in order to move the mail parsing to a worker thread to improve responsiveness. Working with the devs to review this new code, which is expected to be complete in the next week or so.
Whiteboard: [Score:64:High] → [Score:64:High][FxOS]
Status: partially reviewed but needs to be formally documented.
Depends on: 899070
Depends on: 901470
Depends on: 901538
Depends on: 901894
Depends on: 901926
I have been using a prototype of ScanJS (https://github.com/freddyb/scanjs) to identify and hand-review the uses of potentially harmful APIs (default ruleset, see http://freddyb.github.io/scanjs/client/ and click "rules"). I am attaching the JSON output that my review is based on.
Depends on: 902381
Assignee: ptheriault → fbraun
Priority: P2 → P1
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED