I would like to create a system where an admin user can set up an HTML-based invoice using EJS, submit it, and then use that EJS to generate invoices.
To do this, I would need them to submit the EJS, store it, and then run it -- server side -- to generate the invoice.
I realise that this is generally a bad idea. At the moment, I am doing my best to put security guidelines in terms of writing the fields with the code in them (only admins can change submit them, etc.). However, I realise that anybody with admin permissions is potentially able to submit a template with malicious code. Questions:
Is EJS at least meant to be safe? (that us, inability to require(), etc.)
What would you do if you absolutely hard to run user- (or admin-) provided code?
Is EJS at least meant to be safe? (that us, inability to require(), etc.)
If you're talking about the ejs template itself, than (generally speaking) it mostly affects security on the browser side.
So just to clarify, you can read an EJS template as string and use the render method from the ejs library to create the rendered html string to be sent to the client. So basically they cant affect the server unless you rely on data from that template that could affect security for you.
What would you do if you absolutely hard to run user- (or admin-) provided code?
If I had to go with this approach I would probably add some validations on the template itself. Maybe even parse the DOM check elements are ok it depends on the task and how the EJS varies.
If security is an important issue for you. You can test the ejs when they upload it with some headless browser to check for anything that is not supposed to be there (unknown ajax requests or script> tags etc)
Related
I'm developing a simple post application using the React for a front-end and NodeJS + MySQL for back-end. Considering the security I'm wondering where the user input sanitizing should take place - on the client side on the React form component level or rather on the server side in the NodeJS code after the user sends the data? I'm asking especially about the xss attacks , for example to prevent for posting a JS code as a post content/body.
Don't sanitize on the client-side before the data is sent to the server - clients are free to run whatever JavaScript validation code they want (including none), and to POST to your server whatever they want.
A good approach is to sanitize as soon as safely possible. Doing this will result in your database will storing sanitized values, which means that security will not depend on also remembering to sanitize on the client whenever rendering something from the database. There wouldn't be any harm in also sanitizing on the client when rendering, though - it wouldn't add any noticeable overhead, and would provide an extra layer in case you had an endpoint that you mistakenly didn't sanitize before saving to the database.
If you are letting React do the DOM manipulation itself rather than doing it by hand imperatively you don't have a lot to worry about. As long as you stay away from things like dangerouslySetInnerHTML or mutating the DOM by hand.
That being said, there are some things that you can adopt to make it even safer like using DOMPurify when you have no alternative to dangerouslySetInnerHTML.
You could also sanitize user generated content before persisting it to the database to not only prevent XSS but any sort of RCE if you know these values might be consumed by other programs and want to be defensive. But for XSS in React I wouldn't worry too much, It's only through the escape hatches in React that you would manage to get yourselve into an XSS issue.
Here is a good read on the topic https://www.stackhawk.com/blog/react-xss-guide-examples-and-prevention
I assume all variables and data used to mark up the page which is to be rendered are not sent to the client unless {{}} is used. For example, can you use {{user.name}} without it revealing all the other data associated with the object user? Thank you.
Usually, all that data in templates is only used when generating markup/HTML in the backend before responding to the request. So, in short, the user will never see the data. However, I can't say for sure this is true for setups that compile on the Frontend.
I am building a website with a Parse backend. So I'm building register/login right now, and am thinking that users can take the AppId and Javascript key and write their own javascript to register users on their own.
How can I prevent this from happening, is there a way to restrict the IPs where javascript Parse can run?
I'm guessing you mean because the user can look at your javascript and get the variables from there. If thats the case look here for a thread looking at javascript security. How to prevent your JavaScript code from being stolen, copied, and viewed?
The jist of it seemed to be that it is hard to do.
I am learning YUI and was wondering what is the best way to access my configurations (stored in a json) using YUI.
One way I came across was to maintain it in the config/app.json and access it with using global variable:
Y.Object.getValue(App, ['Cache', 'globals', 'context'])
Is this the best way? Also if my configuration is spread out over multiple json files, what would be the best way to access them?
Thanks
There are basically two ways to do this:
Include the configuration in the HTML page
Load the configuration using Ajax
Both have some pros and cons.
Including the configuration in the HTML
This requires you to do some server side coding that reads the JSON file and prints it in the page as a global variable. This is what you seem to be doing. The upside of this is that you don't have to make an extra HTTP request. The downside is that you're relying on global variables which can be fragile.
if you're using Node.js you can use express-state to expose that configuration to the client. Alternatively you can use express-yui which relies on a similar mechanism to generate YUI configuration.
Using Ajax
The downside of using Ajax is that it's slower, but the upside is that you can trust the information to be new and not have been modified by anything else in your page.
Dealing with multiple configuration files
My recommendation is that you merge the configuration into a single object. Just decide on some convention for which one wins and generate a single configuration object. This will simplify handling that information in the client. You can do this easily with express-state by just calling app.expose(config1); app.expose(config2) and so on.
I am new to Security of Web apps. I am developing an application in Cakephp and one of my friends told me about the Cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks etc. not sure how many more are there.
I need some help in understanding how to make Cakephp defend my web app against these. we are low budget and we cant hire a security consulant as of now. We are still developing the app and plan to release in by the end of the month. so wanna take care of the initial stuff that can help me stand un hacked ;)
There is not (and cannot be) one tool you can deploy and then never have to think about security again. Deploying ‘anti-XSS’ hacks like CakePHP's Sanitize::clean will get in users' way by blocking valid input, whilst still not necessarily making the app secure. Input filtering hacks are at best an obfuscation measure, not a fix for security holes.
To have a secure web application, you must write a secure web application, from the ground up. That means, primarily, attention to detail when you are putting strings from one context into another. In particular:
any time you write a string to HTML text content or attribute value, HTML-escape it (htmlspecialchars()) to avoid HTML-injection leading to XSS. This isn't just a matter of user input that might contain attacks, it's the correct way to put plain text into HTML.
Where you are using HTML helper methods, they should take care of HTML-escaping of those elements by default (unless you turn off escape); it is very unfortunate that the CakePHP tutorial includes the bad practice of echoing unescaped strings into HTML for text outside of HTML helpers.
any time you create SQL queries with string values, SQL-escape it (with an appropriate function for your database such as mysql_real_escape_string).
If you are using CakePHP's ORM and not writing your own SQL you don't have to worry about this.
avoid using user input (eg file upload names) to name files on the filesystem (generate clean unique IDs instead) or as any part of a system() command.
include the Security component to add a form submission token scheme that will prevent XSRF on forms generated by CakePHP.
Cake can be secured relatively easy (compared to self written php scripts):
http://www.dereuromark.de/2010/10/05/cakephp-security/