Bug 754742 - [Security Review] B2G Gaia - Email
Status: RESOLVED FIXED (Closed)
Opened 13 years ago; closed 11 years ago
Categories: mozilla.org :: Security Assurance: Review Request, task, P1
Tracking: Not tracked
People: Reporter: pauljt, Assigned: freddy
Keywords: meta
Whiteboard: [Score:64:High][FxOS]
Attachments (1 file): "Review of the gaia email app" (application/json, deleted)
Updated 13 years ago by Reporter: Priority: -- → P1
Updated 13 years ago: Assignee: nobody → ptheriault
Updated 13 years ago: Component: Security Assurance → Security Assurance: Review Request
Updated 12 years ago: Blocks: B2G-secreview
Updated 12 years ago by Reporter: Priority: P1 → P2
Comment 1 by Reporter, 12 years ago:
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings
Priority: 4 (P2) - Mozilla Initiative
Operational: 0 - N/A
User: 4 - Critical
Privacy: 4 - Critical
Engineering: 4 - Critical
Reputational: 4 - Critical
Priority Score: 64
Whiteboard: [Score:64:High]
Comment 2, 12 years ago:
I've finished reviewing the email app. Emails are rendered in an iframe sandbox. [1] The iframe sandbox only allows same-origin scripts to execute. The content is said to be escaped and sanitized before display. My tests showed that HTML entities are escaped in some way. I was unable to find the part of the code that did the escaping. One area I did not review was the large js file filled with 3rd party libraries under email/js/ext/gaia-email-opt.js. One last thing that needs to be done is taking out the secret debug menu that allows dumping the log to sdcard. [2] I tested on the 01-21 beta build and the menu was still there. Logging was disabled by default though. I will file a bug to remove the debug menu.
[1] - https://github.com/mozilla-b2g/gaia/blob/master/apps/email/js/iframe-shims.js#L184
[2] - https://wiki.mozilla.org/Gaia/Email/SecretDebugMode
Comment 3 by Reporter, 12 years ago:
The entities are escaped using a port of bleach.py. There is a specific bug to review this sanitization, bug 783958. I have reviewed the approach, and it seems sound to me, and I performed some testing by hacking up the email app, and I wasn't able to get anything past the sanitization. The basic process as I understand it is:
- a loaded-as-data document is created, which houses the untrusted HTML, so we get a DOM, but it doesn't load scripts/links
- bleach walks the DOM discarding all nodes which are not in a whitelist
- images and links are stashed on custom attributes so they can be reactivated by the user if requested.
The actual code that does this is in https://raw.github.com/mozilla-b2g/gaia/master/apps/email/js/ext/gaia-email-opt.js. Search for "bleach". If you are interested, it's easier to read the source for this library (since it is such a massive file).
Here is the whitelist file: https://github.com/mozilla-b2g/gaia-email-libs-and-more/blob/master/data/lib/mailapi/htmlchew.js
This uses a port of bleach to javascript: https://github.com/asutherland/bleach.js
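Added example, not code from this bug, the Gaia email app, or bleach.js: a simplified JavaScript allowlist sanitizer that follows the process comment 3 describes (and shows the entity escaping comment 2 observed). Untrusted HTML is parsed into a tree, nodes not on the allowlist are discarded (script/style together with their content, other unknown elements unwrapped to their text), and image/link references are moved onto custom attributes so nothing is fetched until the user asks. The allowlists, the `data-ext-src` / `data-ext-href` attribute names, the `SAFE_URL` schemes, and the sample mail body are assumptions; the small tokenizer stands in for the loaded-as-data document the app would get from the platform parser.

```javascript
// Added example (not the Gaia email app's code or bleach.js): a bleach-style
// allowlist walk as described in comment 3. Tag/attribute allowlists and the
// data-ext-* attribute names are assumptions chosen for illustration. The tiny
// tokenizer stands in for the "loaded-as-data document"; a real implementation
// should let the platform's HTML parser build the DOM instead.

const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'p', 'br', 'div', 'span', 'img', 'ul', 'li']);
const ALLOWED_ATTRS = { a: new Set(['title']), img: new Set(['alt', 'width', 'height']) };
const VOID_TAGS = new Set(['br', 'img']);
const DROP_WITH_CONTENT = new Set(['script', 'style']);
// Remote references are only stashed if they use a scheme the app would later reactivate (assumed list).
const SAFE_URL = /^(?:https?:|mailto:|cid:)/i;

const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const escapeHtml = (s) => s.replace(/[&<>"]/g, (c) => ESC[c]);

const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
// Decode the entities we re-escape on output, so "&amp;" does not become "&amp;amp;".
const decodeEntities = (s) => s.replace(/&(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (whole, body) => {
  if (body[0] !== '#') return NAMED[body] ?? whole;
  const cp = body[1] === 'x' ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
});

// Build a tree { tag, attrs, children } with text nodes { text }. Comments are dropped.
function parseHtml(html) {
  const root = { tag: '#root', attrs: Object.create(null), children: [] };
  const stack = [root];
  const tokenRe = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+)|(<)/g;
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const [tok, close, name, rawAttrs, text, stray] = m;
    if (tok.startsWith('<!--')) continue;
    if (text !== undefined || stray !== undefined) {
      stack[stack.length - 1].children.push({ text: text !== undefined ? decodeEntities(text) : stray });
      continue;
    }
    const tag = name.toLowerCase();
    if (close) {
      // Pop back to the matching open element, if one is on the stack (never the root).
      for (let i = stack.length - 1; i > 0; i--) {
        if (stack[i].tag === tag) { stack.length = i; break; }
      }
      continue;
    }
    const attrs = Object.create(null); // null prototype: attribute names cannot touch Object.prototype
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      attrs[a[1].toLowerCase()] = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
    }
    const node = { tag, attrs, children: [] };
    stack[stack.length - 1].children.push(node);
    if (!VOID_TAGS.has(tag) && !rawAttrs.trim().endsWith('/')) stack.push(node);
  }
  return root;
}

// Walk the tree and serialize only what the allowlist permits.
function sanitizeNode(node, out) {
  for (const child of node.children) {
    if (child.text !== undefined) { out.push(escapeHtml(child.text)); continue; }
    if (DROP_WITH_CONTENT.has(child.tag)) continue;                           // drop element and content
    if (!ALLOWED_TAGS.has(child.tag)) { sanitizeNode(child, out); continue; } // unwrap: keep text only
    const allowed = ALLOWED_ATTRS[child.tag] || new Set();
    const keep = Object.entries(child.attrs).filter(([k]) => allowed.has(k));
    // Stash remote references on custom attributes instead of live src/href,
    // so nothing is fetched or followed until the user opts in.
    if (child.tag === 'img' && SAFE_URL.test(child.attrs.src || '')) keep.push(['data-ext-src', child.attrs.src]);
    if (child.tag === 'a' && SAFE_URL.test(child.attrs.href || '')) keep.push(['data-ext-href', child.attrs.href]);
    const attrStr = keep.map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join('');
    out.push(`<${child.tag}${attrStr}>`);
    if (VOID_TAGS.has(child.tag)) continue;
    sanitizeNode(child, out);
    out.push(`</${child.tag}>`);
  }
}

function sanitizeHtml(html) {
  const out = [];
  sanitizeNode(parseHtml(html), out);
  return out.join('');
}

// Constructed sample mail body (not a real message): event handlers, a script,
// a remote image, a javascript: link, an https link and an unknown element.
const SAMPLE = '<p onclick="evil()">Hi <b>there</b> &amp; <script>alert(1)</script>'
  + '<img src="http://example.invalid/t.png" alt="x"><a href="javascript:alert(1)">bad</a>'
  + '<a href="https://example.invalid/">ok</a><unknown>text</unknown></p>';

console.log(sanitizeHtml(SAMPLE));
```

The property to notice is that the walk is an allowlist, not a denylist: an attribute or element the sanitizer has never heard of (`onclick`, `<unknown>`) is dropped or unwrapped by default rather than needing its own rule, and the only way a URL reaches the output is on a `data-ext-*` attribute the app must deliberately reactivate. The regex tokenizer is only a stand-in; it treats a `>` inside a quoted attribute value as the end of the tag, which is one reason the real app walks a parser-built DOM as comment 3 describes.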
Updated 12 years ago by Reporter: No longer blocks: B2G-secreview
Comment 4 by Reporter, 12 years ago:
Update: a new approach is being considered to email sanitization, in order to move the mail parsing to a worker thread to improve responsiveness. Working with the devs to review this new code, which is expected to be complete in the next week or so.
Updated 12 years ago: Whiteboard: [Score:64:High] → [Score:64:High][FxOS]
Comment 6 by Assignee, 11 years ago:
I have been using a prototype of ScanJS (https://github.com/freddyb/scanjs) to identify and hand-review the uses of potentially harmful APIs (default ruleset, see http://freddyb.github.io/scanjs/client/ and click "rules"). I am attaching the JSON output that my review is based on.
Updated 11 years ago by Reporter: Assignee: ptheriault → fbraun
Updated 11 years ago by Reporter: Priority: P2 → P1
Updated 11 years ago by Assignee: Status: NEW → RESOLVED; Closed: 11 years ago; Resolution: --- → FIXED