From 55fcf4f783f170e6a1cc8ab7ec173b274be3199d Mon Sep 17 00:00:00 2001 From: Steve Kemp Date: Sun, 18 Nov 2012 12:10:05 +0000 Subject: Added. TODO: Expand/Imporove --- SECURITY | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 SECURITY (limited to 'SECURITY') diff --git a/SECURITY b/SECURITY new file mode 100644 index 0000000..f3e39b0 --- /dev/null +++ b/SECURITY @@ -0,0 +1,61 @@ + + + +custodian-enqueue +----------------- + + We open named files from the user to parse tests. + + We don't run shell commands. + + +custodian-dequeue +----------------- + + Two tests pass arguments from the configuration file to + the shell: + + ping + + http/https + + The hostname used to ping, and the url, are both passed + directly to the shell with no encoding or sanitizing. + + This means a test such as the following is a risk: + + $(touch /tmp/blah) must run ping. + + HOWEVER the hostname will pass the following regexp: + +^([^\s]+)\s+ + + So in real terms the only risk is commands without + spaces: + + + $(/tmp/exploit.sh) must run ping + + + TODO: Fix this + + + +general +------- + + We decode arbitrary JSON from the queue. We should sign + it, or validate it. This will prevent trojan malformed + JSON from being added. + + + +TODO +---- + + Anything else? DoS attacks? + + + +Steve +-- \ No newline at end of file -- cgit v1.2.1