From 55fcf4f783f170e6a1cc8ab7ec173b274be3199d Mon Sep 17 00:00:00 2001 From: Steve Kemp Date: Sun, 18 Nov 2012 12:10:05 +0000 Subject: Added. TODO: Expand/Imporove --- SECURITY | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 SECURITY diff --git a/SECURITY b/SECURITY new file mode 100644 index 0000000..f3e39b0 --- /dev/null +++ b/SECURITY @@ -0,0 +1,61 @@ + + + +custodian-enqueue +----------------- + + We open named files from the user to parse tests. + + We don't run shell commands. + + +custodian-dequeue +----------------- + + Two tests pass arguments from the configuration file to + the shell: + + ping + + http/https + + The hostname used to ping, and the url, are both passed + directly to the shell with no encoding or sanitizing. + + This means a test such as the following is a risk: + + $(touch /tmp/blah) must run ping. + + HOWEVER the hostname will pass the following regexp: + +^([^\s]+)\s+ + + So in real terms the only risk is commands without + spaces: + + + $(/tmp/exploit.sh) must run ping + + + TODO: Fix this + + + +general +------- + + We decode arbitrary JSON from the queue. We should sign + it, or validate it. This will prevent trojan malformed + JSON from being added. + + + +TODO +---- + + Anything else? DoS attacks? + + + +Steve +-- \ No newline at end of file -- cgit v1.2.1
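Review bot: the `custodian-dequeue` section documents a live command-injection path (hostname and URL interpolated into a shell command with "no encoding or sanitizing") and then stops at `TODO: Fix this`; the regexp `^([^\s]+)\s+` quoted there only rejects whitespace, and the file itself shows that a space-free `$(...)` token still reaches the shell, so the regexp should not be described as reducing the risk. Suggest the SECURITY file state the actual mitigation instead of the TODO: run `ping` and the http/https fetch through an argument-vector exec (no shell string at all), and additionally reject any hostname that does not match a strict hostname character set (letters, digits, `.` and `-`) and any URL whose scheme is not `http`/`https`, before anything is executed. In the `general` section, "sign it, or validate it" reads as alternatives; a shared-secret HMAC over each queued JSON message, checked in dequeue before the JSON is parsed, is what stops "trojan malformed JSON" from being accepted, so the file should say which of the two is planned. Minor: the new file has several trailing blank lines and ends without a newline (`\ No newline at end of file`), and the subject line has `Imporove` for `Improve`.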