Mozilla Location Services Security Review
Codename: "Mozilla Ichnaea"
Introduction
Mozilla Ichnaea is an application that provides geolocation coordinates derived from other sources of data (cellphone towers, WiFi networks, etc.).
Resources
- Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=862828
- Wiki: https://wiki.mozilla.org/CloudServices/Location
- API Documentation: http://mozilla-ichnaea.readthedocs.org/en/latest/
- Source Code: https://github.com/mozilla/ichnaea/
- Production Service: https://location.services.mozilla.com/
Areas of Interest
Code
SQL Injection
The application uses SQLAlchemy and high level models with prepared/bound statements everywhere, with one exception:
In db.py there is the following function:
from sqlalchemy.ext.compiler import compiles
from sqlalchemy.sql.expression import Insert

@compiles(Insert)
def on_duplicate(insert, compiler, **kw):
    # Compile the INSERT normally, then append the raw clause string
    # supplied through the statement's kwargs.
    s = compiler.visit_insert(insert, **kw)
    if 'on_duplicate' in insert.kwargs:
        return s + " ON DUPLICATE KEY UPDATE " + insert.kwargs['on_duplicate']
    return s

Is this a possible SQL injection spot? Can this use a format string instead of concatenation?
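An added illustration (not code from the ichnaea repository) of why the concatenation matters and what a constrained replacement could look like. The hook is mirrored as a plain function so the example runs without SQLAlchemy, and the allowed column set is a constructed stand-in for what would come from the table metadata:

```python
import re

# Constructed stand-in for the columns of a measurement table; a real
# implementation would take these from the SQLAlchemy Table metadata.
ALLOWED_COLUMNS = {"lat", "lon", "total_measures", "modified"}
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Marker meaning "set the column to the value the INSERT tried to insert"
# (MySQL's VALUES(col) form), the usual need for an upsert.
INSERTED = object()

def on_duplicate_concat(base_sql, clause):
    """Mirrors the db.py hook: whatever string the caller passed is
    appended to the compiled INSERT unchanged."""
    return base_sql + " ON DUPLICATE KEY UPDATE " + clause

def on_duplicate_safe(base_sql, updates, allowed=ALLOWED_COLUMNS):
    """Build the clause from a dict of column -> value.

    Column names must be known columns and valid identifiers; values never
    reach the SQL text, they become named bind parameters (:od_<column>)
    returned next to the statement, or VALUES(col) when INSERTED is given.
    """
    parts, params = [], {}
    for column in sorted(updates):
        if column not in allowed or not _IDENTIFIER.match(column):
            raise ValueError("unknown column in ON DUPLICATE KEY UPDATE: %r" % (column,))
        value = updates[column]
        if value is INSERTED:
            parts.append("%s = VALUES(%s)" % (column, column))
        else:
            name = "od_" + column
            parts.append("%s = :%s" % (column, name))
            params[name] = value
    if not parts:
        return base_sql, params
    return base_sql + " ON DUPLICATE KEY UPDATE " + ", ".join(parts), params

if __name__ == "__main__":
    base = "INSERT INTO cell (lat, lon) VALUES (:lat, :lon)"
    # A clause string from anywhere outside the code base goes through verbatim.
    print(on_duplicate_concat(base, "lat = 0; -- constructed tampered clause"))
    # The constrained builder keeps the SQL shape fixed and the values bound.
    print(on_duplicate_safe(base, {"total_measures": INSERTED, "modified": "2013-06-01"}))
```

A format string would not change the picture: the clause text still becomes SQL unchanged, so the question is where the string originates and whether its shape is constrained.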
Other Injection
In ichnaea/service/geolocate/views.py there is:
heka_client.incr('geolocate.api_key.%s' % api_key.replace('.', '__'))
Here api_key comes straight from the request parameters. Is it smart to blindly pass that to Heka? (This happens in a few other places too.)
Templates
All templates are Zope/TAL files. These have properly escaped parameters.
There does not seem to be any dynamic content on the application's web site. There is only the embedded OpenStreetMap widget that takes some parameters via the URL fragment. I've tried to inject various things into that without much success.
API
API Keys
In geolocate_view(request) in service/geolocate/views.py there is a check to make sure the api_key is provided. If not then the request is aborted. But if there is a key supplied, it is ignored. So you can basically provide any random key? (Maybe this is on purpose)
API Abuse
As far as I can tell there is no rate limiting to prevent a single client from simply querying a large geographic area programmatically to obtain all our data for that area.
Is that a concern? Early in this project we talked about making database dumps of all our data available. Will that still be the case? That would also prevent API and server abuse.
Deployment
- SSL Status: A+ https://www.ssllabs.com/ssltest/analyze.html?d=location.services.mozilla.com
- CSP: Present and strict (unsafe-eval from .cdn.mozilla.net is unfortunate but I guess that is because we host jquery.js and tabzilla.js there?)
- HSTS: Present
- X-Frame-Options: Present
- Robots.txt: Present - disallows API endpoints and leaderboard. Do we allow the /stats and /map on purpose? (I don't see any problem with it)