Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security concerns with z3-js boxes #62

Open
1 task
rlisahuang opened this issue Jul 22, 2022 · 2 comments
Open
1 task

Security concerns with z3-js boxes #62

rlisahuang opened this issue Jul 22, 2022 · 2 comments
Labels
question Further information is requested

Comments

@rlisahuang
Copy link
Contributor

Now that we eval every z3-js snippet, the door to potential security attacks is opened.

A possible scenario I could think of is that someone forks this repo, changes some z3-js content to be malicious, and hosts it on a public github page. Visitors of that page could have their information stolen through such malicious content.

Pretty sure the official docusaurus website has some mechanism against it as there are executable and editable JS blocks too.

TODO:

  • look into sandboxing / sanity checks that the built-in editor might provide.
@rlisahuang
Copy link
Contributor Author

My understanding of the issue after speaking with a security researcher:

  • The scenario mentioned above is a phishing attack, which is beyond our control and it is the browser that should ensure such attacks will not go through. So from our end there is no workaround for that.

  • All our editors are read-only when first loaded. An editor only becomes editable after the user clicks Run to see the output of the input that comes with it. Therefore, modifications of code snippets can only be authored by the user themselves, not by us or any third-party. So we should be safe with this set up.

  • If we are considering content sharing in the future, we should NOT do so through URLs embedded with code, e.g., "Check out the Z3-JS code I wrote: https://microsoft.github.io/z3guide/playground?code=I_will_ruin_your_life".

  • We do have a threat model to be concerned about, related with any vulnerability comes with the z3-solver package. Users could be tricked into running z3-js code they do not understand that exploits the vulnerability to exfiltrate or manipulate data from the origin, i.e., microsoft.github.io.

    • However, this is also beyond our control.

  • We are pretty safe already, but we can still be extra safe by doing the following:

    • Adding CSP to prevent XSS attacks
    • put the backend process that runs z3-js in an invisible iframe.

@rlisahuang rlisahuang added the question Further information is requested label Aug 5, 2022
@pelikhan
Copy link
Member

If you enable code sharing, you'll expose yourself to execute malicious javascript on microsoft.github.io domain

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pelikhan @rlisahuang