Posted by Jurjen de Vries on July 19, 2011 at 3:19pm
Is there a posibility / module to filter exploided javascript? My editors like to add embeded javascript to the site for new (eg Google Plus) or less used services, but I don't want create security holes by this.
Comments
You want to allow some
You want to allow some javascript, but not all?
The javascript language is just way to hard to try and parse for whether the content is malicious or not. I don't think we'll ever see something to allow arbitrary jaascript and filter for whether or not it is malicious.
knaddison blog | Morris Animal Foundation
Malicious code
Perhaps something like RFC 3514, but adapted to Javascript?
http://tools.ietf.org/html/rfc3514
;)
http://cleaver.ca
@greggles. That's right. I
@greggles. That's right.
I did some research and found out about http://drupal.org/project/security_scanner . But there is no description about javascript.
I also found http://www.darknet.org.uk/2009/04/watcher-passive-analysis-tool-for-http... , but it is not Drupal, but maybe can do some part, or reuse the code.
Any ideas / suggestions?
It might be possible to
It might be possible to reverse-engineer the Javascript checks. I would still wonder how effective you could really be. I can only imagine it would be trivial to fool the filter.
http://cleaver.ca
Really tough issue...
Doing static analysis on JS code is really tough to do right...the major static analyzers don't touch JS because of this. I'd recommend filtering JS out via the input filter, and then adding the JS in the theme templates - I'm presuming that a limited number of people have access to the theme files.
Doing JS through the CMS is iffy anyways - if you're using a WYSIWYG editor, somebody could forget about the JS or not know of it's existence unless they view source.
Protected Industries
The issue is that limited
The issue is that limited number of people have access to the theme files, modules, etc. I like that a web editor can add the javascript by the wysiwyg editor by a button or by html source.
Then I suggest you consider
Then I suggest you consider the risks and just let them do it. If you can, limit the number of people with that input format and try to convey that their account is important, is not to be shared, and they should follow best practices for password/insecure wifi/shared computers/etc.
knaddison blog | Morris Animal Foundation
Change Management
Not to get all corporate IT here, but it sounds more like a change management issue than a filtering javascript issue. IE, there should be an accepted and agreed upon process to make changes to production. That would include promoting new code that has the potential to include security vulnerabilities. Can you 'fix' the humans in this case and work in a better security review and change process for prod?
I tend to agree. It can be
I tend to agree. It can be enough to make sure users understand the impact and be sure they "own" their changes. That won't work in all environments... eg. large user base, temp. workers, high turnover.
Better change management process would go a long way to establishing accountability.
@Jurjen, would keeping full revision history and giving the message that "we'll be watching you" be of help in your situation?
http://cleaver.ca