summaryrefslogtreecommitdiff
path: root/SECURITY
diff options
context:
space:
mode:
authorSteve Kemp <steve@steve.org.uk>2012-11-18 12:10:05 +0000
committerSteve Kemp <steve@steve.org.uk>2012-11-18 12:10:05 +0000
commit55fcf4f783f170e6a1cc8ab7ec173b274be3199d (patch)
tree016ab7fbe4e7e4f091d770c03c622e8ae58ab541 /SECURITY
parent83bef1ad6bb484623363f629990f0258177efcb8 (diff)
Added. TODO: Expand/Imporove
Diffstat (limited to 'SECURITY')
-rw-r--r--SECURITY61
1 files changed, 61 insertions, 0 deletions
diff --git a/SECURITY b/SECURITY
new file mode 100644
index 0000000..f3e39b0
--- /dev/null
+++ b/SECURITY
@@ -0,0 +1,61 @@
+
+
+
+custodian-enqueue
+-----------------
+
+ We open named files from the user to parse tests.
+
+ We don't run shell commands.
+
+
+custodian-dequeue
+-----------------
+
+ Two tests pass arguments from the configuration file to
+ the shell:
+
+ ping
+
+ http/https
+
+ The hostname used to ping, and the url, are both passed
+ directly to the shell with no encoding or sanitizing.
+
+ This means a test such as the following is a risk:
+
+ $(touch /tmp/blah) must run ping.
+
+ HOWEVER the hostname will pass the following regexp:
+
+^([^\s]+)\s+
+
+ So in real terms the only risk is commands without
+ spaces:
+
+
+ $(/tmp/exploit.sh) must run ping
+
+
+ TODO: Fix this
+
+
+
+general
+-------
+
+ We decode arbitrary JSON from the queue. We should sign
+ it, or validate it. This will prevent trojan malformed
+ JSON from being added.
+
+
+
+TODO
+----
+
+ Anything else? DoS attacks?
+
+
+
+Steve
+-- \ No newline at end of file