-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Policy #353
Comments
@Otto-AA sorry for coming back to you so late. |
I don't remember where exactly it was in the code, if you need it I can try to dig it up. Essentially, the markdown renderer is vulnerable to XSS. When viewing a markdown file, arbitrary scripts from this file can be executed. As an example, go to https://sheep.solidcommunity.net/public/ and click on the As a solution, it is likely enough to go to the documentation of the markdown renderer and follow the security best practices there (again, I forgot which one it is, but they must have a section about filtering scripts for XSS). |
@Otto-AA thanks! This already pins it down pretty good. :) |
Also as a general note: restrain from using |
@Otto-AA I think it is clear from your findings we do not have much know-how about security concerns in the code 😓 We could really use some help, even with this simple .innerHtml removal tasks. Would you be interested to join us, take a look? We can also organise a security knowledge transfer so we know what to avoid and fix. |
SoliOS is using https://github.com/markedjs/marked. They recommend to sanitize using https://github.com/cure53/DOMPurify |
We should split off the script injection problem from this general "What is your Security Policy" issue. |
I've moved the XSS vulnerability to another issue, so this one can focus on the security policy |
@timea-solid I've created a document with basic security recommendations here: https://github.com/Otto-AA/solid-security-basics If you think it is helpful for you all, I could also join the meeting and talk about this (though I don't know if it would be much more than going through the document). I would have to join late though, as I'm usually not available on Wednesdays before 18:00. |
@Otto-AA Thank you so so so much! I had this on the back of my mind. I recently learned how to do one myself. So getting us started is so much appreciated. And wow may I just say you went above and beyond there: https://github.com/Otto-AA/solid-security-basics |
@Otto-AA @bourgeoa what do you think about this proposal: #376 Context: each and every single repo in SolidOS should have such a policy -> if we settle the working on one, we can than copy it in each repo. |
Yes, for the next weeks/months I'm only available after 18:00. So I could only join late, or maybe in June/July I'll also have time at 17:30. Let's see :)
Thanks, I hope it's able to give some useful input!
Not necessary, but why not 🤷 And thank you for the enthusiasm, always refreshing to see! |
@Otto-AA our meetings have been pushed by 1/2 hour. |
Weren't we able to sanitize the users input? I didn't know if this issue was fixed or not. |
The markdown XSS has moved to a separate issue and has been fixed: #369 |
What is the security policy for this repository? I could not find any info in the README and the Security github section.
In particular, where should I report security vulnerabilities?
The text was updated successfully, but these errors were encountered: