author    Steve Kemp <steve@steve.org.uk>  2012-11-18 12:10:05 +0000
committer Steve Kemp <steve@steve.org.uk>  2012-11-18 12:10:05 +0000
commit    787760f930ce2afddb5a5d2093773e47818701cf (patch)
tree      016ab7fbe4e7e4f091d770c03c622e8ae58ab541 /SECURITY
parent    e52356a2cd913e225f9e4236731edb90dc2d6c76 (diff)
Added. TODO: Expand/Improve
Diffstat (limited to 'SECURITY')
-rw-r--r--  SECURITY  61
1 files changed, 61 insertions, 0 deletions
diff --git a/SECURITY b/SECURITY
new file mode 100644
index 0000000..f3e39b0
--- /dev/null
+++ b/SECURITY
@@ -0,0 +1,61 @@
+
+
+
+custodian-enqueue
+-----------------
+
+ We open named files from the user to parse tests.
+
+ We don't run shell commands.
+
+
+custodian-dequeue
+-----------------
+
+ Two tests pass arguments from the configuration file to
+ the shell:
+
+ ping
+
+ http/https
+
+ The hostname used to ping, and the url, are both passed
+ directly to the shell with no encoding or sanitizing.
+
+ This means a test such as the following is a risk:
+
+ $(touch /tmp/blah) must run ping.
+
+ HOWEVER the hostname will pass the following regexp:
+
+^([^\s]+)\s+
+
+ So in real terms the only risk is commands without
+ spaces:
+
+
+ $(/tmp/exploit.sh) must run ping
+
+
+ TODO: Fix this
+
+
+
+general
+-------
+
+ We decode arbitrary JSON from the queue. We should sign
+ it, or validate it. This will prevent trojan malformed
+ JSON from being added.
+
+
+
+TODO
+----
+
+ Anything else? DoS attacks?
+
+
+
+Steve
+-- \ No newline at end of file
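Review bot: the regexp `^([^\s]+)\s+` in the custodian-dequeue section narrows the injectable input but does not close the injection, as the file itself concedes with `$(/tmp/exploit.sh) must run ping`; a hostname or URL with no whitespace still reaches the shell unencoded. The fix worth recording here is not a tighter pattern but removing shell interpolation entirely: the ping and http/https tests should invoke the external program with a separate argument array so the hostname and URL are never parsed by a shell, and should additionally reject any hostname that is not a plain DNS label sequence (letters, digits, `.` and `-`) and any URL that does not parse with an http or https scheme. The "general" section would read better with the concrete check named: the queued JSON should be parsed and validated against the expected structure (required keys and their types) before any test is built from it, since a signature only proves who enqueued the message, not that its content is well-formed. Minor: the file opens with three blank lines and ends with a bare `-- ` and no trailing newline.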