Security/Reviews/Gaia/Calendar-2013-10-17

From MozillaWiki

App Review Details

Please see page history for details of previous reviews

Overview

The Firefox OS calendar app can synchronize with Google, Yahoo and CalDav calendars. You can create new events, set a reminder, and choose when to synchronize the data. Events can be displayed per Day, Week or Month, and you can slide between months.

Architecture

The Calendar App is a model-view-controller project based on the expressjs web application framework (http://expressjs.com/).

provider - A provider object serves as a representation of the server state. Data generated by a provider will map to one or more local "stores". provider/abstract.js contains the API which providers /must/ implement.

store - A store object maps an abstract set of data stores to the different db models. The API contract is defined in store/abstract.js . Providers and other calendar code interact with the DBs through the store API. The store is responsible for transforming calendar operations into a set of DB transactions / manipulations.

db - The DBs used are IndexedDBs. db.js contains functions to open, close, upgrade and manipulate the underlying IndexedDB. This can be seen as the low level shim, whereas the store files operate at a higher level.

Components

index.html - The main UI for the application

elements - The UI for settings, account forms, etc., included in index.html

caldav_worker.js

js/ - The code for the Calendar core features

js/ext/ - Third party libraries: caldav.js (XML parser for the CalDav protocol, adapted from the sax-js library), ical.js (iCalendar format), uuid.js (UUID generation)

Relevant Source Code

Source code can be found at https://github.com/mozilla-b2g/gaia/tree/master/apps/calendar

Permissions

  • "systemXHR":{},
  • "settings":{ "access": "readonly" },
  • "alarms":{},
  • "browser":{} - Required to open a window for OAuth authentication
  • "storage":{},
  • "desktop-notification":{}


Web Activity Handlers

None

System Messages

 "messages": [
    { "alarm": "/index.html" }
 ]

The calendar installs a handler for the following:

  • alarm

Notifications

The app indirectly creates notifications through the alarm API.

Post Messages

The following code files use postMessage for communicating:

  • js/worker/manager.js
  • js/worker/thread.js
  • js/calendar.js

This communication appears to be internal only. calendar.js uses postMessage but only responds to messages from itself.


Web Activity Usage

None

Notable Event Handlers

Code Review Notes

The calendar doesn't handle any web activities and has limited interaction with other apps. Calendar does extend the alarms API / db for non-phone devices.

1. XSS & HTML Injection attacks

None found. There are two main injection vectors for the Calendar app: 1. user input when creating events; 2. synced data from external calendars.

Manual entry of bad data into the Calendar app and syncing of bad data were performed. Template input is sufficiently escaped by the 'h' function in template.js . This function performs a regex check for HTML characters matching the regex /[&<>"'`]/ then escapes single and double-quotes. The corresponding template files in templates/ call either 'h', 's', 'bool' or 'l10n' to convert / escape data before display.
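To make the escaping contract described above concrete, here is an added example (my own reimplementation, not the app's template.js): an escaper that checks for the same character class /[&<>"'`]/ and rewrites every such character to an entity, applied to a constructed event title of the kind that could arrive from a synced remote calendar.

```javascript
// Added example, not the calendar app's own template.js. Contract: a string
// is only rewritten if it contains a character matching /[&<>"'`]/, and every
// such character becomes an entity before the string is concatenated into markup.
const NEEDS_ESCAPE = /[&<>"'`]/;
const ENTITY = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;'
};

function h(value) {
  // Treat null/undefined as empty so a missing field never renders "null".
  const str = String(value == null ? '' : value);
  if (!NEEDS_ESCAPE.test(str)) {
    return str; // fast path: nothing that could change the parse state
  }
  return str.replace(/[&<>"'`]/g, (ch) => ENTITY[ch]);
}

// Minimal template helper in the style the review describes: every
// interpolated field passes through h() before it reaches innerHTML.
function renderEventTitle(event) {
  return '<h1 class="event-title">' + h(event.title) + '</h1>';
}

// Constructed sample (not real calendar data): a title containing markup and quotes.
const sample = { title: 'Lunch <b>meeting</b> & "notes"' };

function demo() {
  return renderEventTitle(sample);
}
```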

I've also tried to perform XML injection by exploiting the CalDav XML parser and/or injecting code in iCal data: strings seem properly escaped, and attempts to perform an XXE failed. Basically, the parser falls into a "strictFail()" method each time malformed data is parsed.

2. Secure Communications

Remote Services

The Calendar talks to remote servers. There are currently presets for the SSL versions of the Google and Yahoo calendars. However, a user may specify their own CalDav or Local calendar instance. There is some risk if the user specifies an HTTP endpoint instead of HTTPS. The app does not perform SSL certificate checks itself; however, gecko will error on a certificate error.
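As an added example (not the calendar app's own code), the following pre-flight check on a user-entered CalDav endpoint flags the plain-HTTP case noted above, and embedded credentials, before any XHR is issued; the sample URLs are constructed and point at no real server.

```javascript
// Added example, not the calendar app's code: validate a user-supplied CalDav
// endpoint before it is saved or contacted. Returns findings rather than
// throwing, so the account form can decide whether to warn or to refuse.
function checkCalDavEndpoint(rawUrl) {
  const findings = [];
  let url;
  try {
    url = new URL(String(rawUrl).trim());
  } catch (e) {
    return { ok: false, findings: ['not a valid absolute URL'] };
  }

  // url.protocol is normalised to lower case, so "HTTP://" is caught too.
  if (url.protocol === 'http:') {
    findings.push('plain HTTP: credentials and calendar data are sent unencrypted');
  } else if (url.protocol !== 'https:') {
    findings.push('unsupported scheme: ' + url.protocol);
  }

  // Credentials belong in the account form, not in the URL, where they
  // end up in logs and history.
  if (url.username || url.password) {
    findings.push('credentials embedded in the URL');
  }

  return { ok: findings.length === 0, findings, origin: url.origin };
}

// Constructed sample inputs (no real servers).
const SAMPLE_ENDPOINTS = [
  'https://caldav.example.test/dav/',
  'http://caldav.example.test/dav/',
  'https://alice:secret@caldav.example.test/dav/',
  'not a url'
];

function demo() {
  return SAMPLE_ENDPOINTS.map((u) => [u, checkCalDavEndpoint(u)]);
}
```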

ext/caldav.js and service/caldav.js perform XHR requests to synchronize calendars. The options are set in service/caldav.js and transmitted to the caldav ext library:

var xhrOpts = {
  /** system is required for cross domain XHR */
  mozSystem: true,
  /** mozAnon is required to avoid system level popups on 401 status */
  mozAnon: true,
  /** enables use of mozilla only streaming api's when available */
  useMozChunkedText: true
};

3. (Secure) data storage

All data is stored in one of a couple IndexedDBs. The code looks okay.

4. Denial of Service

Some DoS attacks may be possible during sync. See Actions & Recommendations section.

5. Use of Privileged APIs

6. Interfaces with other Apps/Content

No interface is exposed to other applications.

Security Risks & Mitigating Controls

The code from js/ext/caldav.js is adapted from the sax-js parser from https://github.com/isaacs/sax-js/. Some relatively recent commits might be worth applying:

Actions & Recommendations

Two DoS attack vectors were found: