Closed Bug 754736 Opened 13 years ago Closed 12 years ago

[Security Review] B2G Gaia - Calendar

Categories

(mozilla.org :: Security Assurance: Review Request, task, P2)

x86
macOS

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pauljt, Assigned: dchanm+bugzilla)


Details

(Keywords: meta, Whiteboard: [Score:44:Medium])

Review of the gaia Calendar app. http://calendar.gaiamobile.org/
Priority: -- → P1
Assignee: nobody → ptheriault
Component: Security Assurance → Security Assurance: Review Request
Priority: P1 → P2
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 4 (P2) - Mozilla Initiative

Operational: 0 - N/A
User: 4 - Critical
Privacy: 2 - Normal
Engineering: 2 - Normal
Reputational: 3 - Major

Priority Score: 44
Whiteboard: [Score:44:Medium]
Assignee: ptheriault → dchan+bugzilla
I've done some manual testing and review of the gaia calendar app. The main threat scenario I saw was malicious input from the calendar sync endpoints. The app allows connection to non-SSL calendars which is a potential vector for injecting malicious content.

I was unable to get unescaped input into the calendar in my limited tests. The calendar app uses a custom MVC framework and templating system. [1] Calendar entry data is sanitized through the use of Node.textContent and a regex replace [2]:

  // span is a detached element created once at module scope; POSSIBLE_HTML
  // is the regex given below. Entity names assumed to be the standard
  // &quot; / &#x27; (the page's extraction shows them decoded).
  'h': function(a) {

      var arg = this.arg(a);

      //only escape bad looking stuff saves
      //a ton of time
      if (POSSIBLE_HTML.test(arg)) {
        span.textContent = arg;
        // innerHTML escapes &, < and > but leaves quotes alone
        return span.innerHTML.replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
      } else {
        // we don't want to call String in the case of "".
        // we emit a string version rather than an empty string.
        return arg || '';
      }
    },

POSSIBLE_HTML matches /[&<>"'`]/

Setting span.textContent escapes the characters <, >, and &
Using the regex on span.innerHTML escapes the ' and "

This escaped input is then concatenated into various templates.

I didn't test the effects of sending malformed DAV/calendar data to the sync handlers. It is possible that malformed data results in a crash or other undesired behavior. However, I view this as a low-risk scenario that can be revisited after Basecamp. There are bigger issues if this injection succeeds, since it implies an insecure connection was used. For a secured connection, the network should drop the corrupted packets.

I'm going to close off this review and set a followup to add more tests to the current calendar testsuite.

[1] - https://github.com/mozilla-b2g/gaia/tree/master/apps/calendar/js/templates
[2] - https://github.com/mozilla-b2g/gaia/blob/master/apps/calendar/js/template.js#L35
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Something I forgot to mention is that the calendar app does temporarily store data in an "alarms store" IndexedDB. This is separate from the Alarms API DB. The calendar app /WILL/ copy its alarms from the "alarms store" to the Alarms API DB as needed. If the time for an "alarms store" entry has passed, the Calendar will fire a notification instead of setting an alarm with the Alarms API.