Places:SecurityReview

From MozillaWiki

Status

Places Security Review tracking bug

Has a design review been completed?

There has not been a formal design review.

When do you anticipate the feature landing

  • Places-based History was turned on for the Firefox 3 Alpha 2 release
  • Places-based Bookmarks was turned on for the Firefox 3 Alpha 5 release

Overview

Implement new back ends for Bookmarks and History using the mozStorage system. Develop newer, more usable front end components to display results, emphasizing simple search and categorization.

Use Cases

Requirements

UI Design Documentation

use cases and expected user knowledge (terminology, metaphors, etc)

Terminology: Visit, Session, Bookmark, Tag, Star, Folder, Livemark, Smart Folders/Queries/Saved Searches, Organizer, Keyword

design mockups (of whatever fidelity is easiest)

links to relevant user data, bugs, reports, examples, etc

Design Impact

Security and Privacy

  • What security issues do you address in your project?
    • Blocking moz-anno protocol from being accessed from content (bug 337223)
    • Filtering which schemes can be added to history (code link)
  • Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
    • e.g.: a missing visits default caused history deletion
  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
    • Assumptions
      • bookmarks.html is pure
      • places.sqlite is being written to only by our application
    • Capabilities
    • Potential Risks
      • Favicons
      • Bookmarklets
      • Place URIs
      • Script in keywords, descriptions, titles, etc

Exported APIs

  • Does it interoperate with a web service? How will it do so?
    • The livemark service gets feed data from the Feeds components. At this point, that's about as close as Places comes to any web service.
  • Explain the significant file formats, names, syntax, and semantics.
    • places.sqlite: The central datastore is using SQLite via mozStorage. XXXlinks
    • bookmarks.html: Places can parse and serialize bookmarks data in the "bookmarks.html" format.
    • JSON: bug 384370 introduces backups and imports of bookmark, tag and annotation data from JSON files. This may expand to include history data, as well as using the format for web service interaction. XXXlinks
  • Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
    • Feedback thus far from extension developers has been positive.
  • Does it change any existing interfaces?

Web Compatibility

  • Does the feature have any impact on Web compatibility?

Performance

  • How will the project contribute (positively or negatively) to "perceived performance"?
  • What are the performance goals of the project? How were they evaluated? What is the test or reference platform and baseline results?
  • Will it require large files/databases (for example, browsing history)?

Reliability

  • What failure modes or decision points are presented to the user?
  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?

l10n and a11y

Are any strings being changed or added?

Are all UI elements available through accessibility technologies?

Places has several open bugs on specific areas that are not properly accessible.

Installation, Upgrade/Downgrade/Sidegrade, and platform requirements

Does it equally support all Tier-1 platforms?

  • Yes.

Does it have a hardware requirement (or increase minimum requirements)?

  • No.

Does it require changes to the installer?

  • No.

Does it impact updates?

  • No.

List the expected behavior of this feature/function when Firefox is upgraded to a newer minor release, downgraded by installation of an earlier revision, or re-installed (same version).

  • Upgrade: No change on upgrade to newer minor release
  • Downgrade to previous major release: Bookmarks and history will revert to their pre-Places state.

Configuration

Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?

Prefs:

  • browser.expire_history_days - A ceiling on the number of days of history to keep.
  • browser.expire_history_visits - A ceiling on the number of history visits to keep.
  • browser.places.importBookmarksHTML - If true, import the bookmarks.html file in the profile on startup.
  • browser.urlbar.matchOnlyTyped - In location bar autocomplete, only show typed URLs, not those that are the result of a link click, for example.
  • browser.history.showSessions - When history is sorted by date, also group by session.
  • browser.places.createdDefaultQueries - Whether the Places folder on the toolbar has been created. The folder will be re-created at startup if false.
  • browser.history_cache_percentage - % of RAM to use as a cap for sqlite cache size (details)
  • browser.bookmarks.overwrite - Whether Firefox 3 should overwrite the old bookmarks.html file on shutdown. Default is false.
  • browser.bookmarks.max_backups - The number of backups to keep in the {profdir}/bookmarkbackups directory.

Are there build options for developers? [#ifdefs, ac_add_options, etc.]

  • Not anymore

What ranges for the tunable are appropriate? How are they determined?

What are its on-going maintenance requirements (e.g. Web links, perishable data files)?

  • The default bookmarks.html file

Documentation

Do built-in Help pages need to be modified?

  • Yes.

Documentation for developer.mozilla.org?

Notes

  • SQL Injection (bug 405920)
    • TODO: enumerate and document all sources of data added into places.sqlite
    • TODO: formalized audit of code path of input data, confirm it's using parameter binding instead of executing raw SQL.
  • Remote Containers
    • External data shown inside places views
    • Sanitization of data? Same as input data from user/web? (bug 405922)
    • No visual identification that they're different from local folders (bug 405921)
  • Assuming Fx is only writer to places.sqlite (bug 405923)
    • Extensions can write to it
    • External apps
    • Any solution to this should be application wide, not just places
  • Place URIs in content? moz-anno? (bug 405924)
  • Increased risk from having more history
    • TODO: document the changes, the toggles, and the elevated risk.
  • Updating to latest SQLite (bug 393959)
    • Need to maintain downrev ourselves if we can't upgrade, even if painful
    • SQLite is moving fast, not maintaining stable branches
  • Secure deletes (bug 405925)
    • SQLite impl, not ours
    • Mil-spec level disk sanitation overkill?
    • Vlad's async write implementation moots sync write configuration
    • Possibly data thought deleted in journal after a crash
  • Externally manipulated visit counts (bug 405854)
    • Malicious script bumping up visit counts to push URIs up in autocomplete
    • Window: could only count typed or clicked as visits
    • Not using the rollup count for Places autocomplete right now (note: we checked after the meeting, and we actually are)
    • Johnath: visit count is visible in page info (for site domain, not URI)
    • Visit count is visible in organizer
    • Page-info does use hostname, not just domain name
  • Scrolling to matched terms in URLs in autocomplete
    • Phishing risk?
    • Should make hostname always visible
    • This feature is not actually implemented yet.
    • Should split so hostname is always visible
    • TODO: make a note on that bug
  • Javascript/data URIs in the sidebar? (bug 405926)
  • Feed sanitization (bug 405927)
    • How sanitized now? whitelist based?
    • TODO: confirm whitelist
    • Feed items that are bookmarklets or data uris
      • TODO: confirm in feeds code
      • TODO: if we do drop bad entries, need to document that
  • Feed items in autocomplete?
    • mconnor: doctor grp w/ bookmarks in livemarks, and hostname changes regularly, might want livemark items in AC
    • Maybe show livemark item icon instead of star?
    • Maybe have a pref to cover this edge case?
  • JSON in copy/paste (bug 405929)
    • If a script could inject JSON data in our format w/ our mime-type into the clipboard, and then get the user to paste while in the Places organizer, could get data into the db
    • Relying on crockford's sanitization code
    • Will soon be using JSON for filesystem backup/restore
    • Executes in a sandbox
  • Favicon content
    • Window: only images for favicons?
      • Potentially svg
    • Seth: tab favicon might be different from location bar favicon
      • Different code paths in chrome than in content for this
      • Mconnor: Image decoder used for both content and chrome at the display level
    • Window: what do we do w/ malformed image data?
      • Mconnor: decoder should throw it away (confirm)
  • Post URIs (bug 94514)
    • Should mark them as hidden
    • Should not increase visit counts
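Added example (not Places code, and not from this page's bugs) putting three of the items above into one small model: the scheme filter from the Security and Privacy section, the parameter-binding check from the SQL Injection note, and the hidden/no-visit-count rule for Post URIs. The table name moz_places, its columns and the rejected-scheme list are assumptions for illustration only; the real schema and filter live in the Places code the page links to.

```python
"""Added example (not Places code): checks the review asks for, modelled on a
tiny places.sqlite-like table (table/column names are assumptions)."""
import sqlite3
from urllib.parse import urlsplit

# Assumed deny-list for "filtering which schemes can be added to history".
REJECTED_SCHEMES = {"javascript", "data", "moz-anno", "about", "chrome", "view-source"}


def can_add_uri(url):
    """Return True only for URIs whose scheme may enter history."""
    scheme = urlsplit(url).scheme.lower()
    return bool(scheme) and scheme not in REJECTED_SCHEMES


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_places (url TEXT PRIMARY KEY, title TEXT, "
               "visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0)")
    return db


def add_visit(db, url, title, from_post=False):
    """Record a visit; POST results are hidden and do not bump visit_count."""
    if not can_add_uri(url):
        return False
    db.execute("INSERT OR IGNORE INTO moz_places (url, title, hidden) VALUES (?, ?, ?)",
               (url, title, 1 if from_post else 0))
    if not from_post:
        db.execute("UPDATE moz_places SET visit_count = visit_count + 1 WHERE url = ?", (url,))
    return True


def autocomplete_unsafe(db, term):
    """Vulnerable pattern: a web-supplied title fragment is pasted into raw SQL."""
    sql = "SELECT url FROM moz_places WHERE hidden = 0 AND title LIKE '%%%s%%'" % term
    return [row[0] for row in db.execute(sql)]


def autocomplete(db, term):
    """Hardened pattern: the term travels as a bound parameter, never as SQL text."""
    sql = "SELECT url FROM moz_places WHERE hidden = 0 AND title LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


def demo():
    """Constructed data: one normal visit, one hidden POST result, one rejected URI."""
    db = open_db()
    add_visit(db, "http://example.org/news", "News")
    add_visit(db, "http://example.org/login", "Login result", from_post=True)
    add_visit(db, "javascript:alert(1)", "Bookmarklet")  # dropped by the scheme filter
    term = "%' OR 1=1 --"  # constructed term that rewrites the WHERE clause when unbound
    return autocomplete_unsafe(db, term), autocomplete(db, term)
```

The unsafe query returns the hidden POST entry as well, while the bound query treats the same term as a literal pattern and matches nothing.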