Security/Reviews/Gaia/Calendar-2013-10-17
App Review Details
- App: Calendar
- Follow-up Review Date: 22 Oct 2013
- Latest Commit: https://github.com/mozilla-b2g/gaia/commit/69575e3b40931c1cf2060e812db4b20f81040de5
- Branch Reviewed: master
- Review Lead: Stéphanie Ouillon
Please see page history for details of previous reviews
Overview
The Firefox OS calendar app allows to synchronize to Google, Yahoo and CalDav calendars. You can create new events, set a reminder, choose when to synchronize the data. Events can be displayed per Day, Week or Month. You can slide between months.
Architecture
The Calendar App is a model-view-controller project based on the expressjs web application framework (http://expressjs.com/)
provider - A provider object serves as a representation of the server state. Data generated by a provider will map to one or more local "stores". provider/abstract.js contains the API which providers must implement.
store - A store object maps an abstract set of data stores to the different db models. The API contract is defined in store/abstract.js . Providers and other calendar code interact with the DBs through the store API. The store is responsible for transforming calendar operations into a set of DB transactions / manipulations.
db - The DBs used are IndexedDBs. db.js contains functions to open, close, upgrade and manipulate the underlying IndexedDB. This can be seen as the low level shim, whereas the store files operate at a higher level
Components
- index.html - The main UI for the application
- elements - The UI for settings, account forms, etc., included in index.html
- caldav_worker.js
- js/ - The code for the Calendar core features
- js/ext/ - Third party libraries: caldav.js (XML parser for the CalDav protocol, adapted from the sax-js library), ical.js (iCalendar format), uuid.js (UUID generation)
Relevant Source Code
Source code can be found at https://github.com/mozilla-b2g/gaia/tree/master/apps/calendar
Permissions
- "systemXHR":{},
- "settings":{ "access": "readonly" },
- "alarms":{},
- "browser":{} - Required to open a window for OAuth authentication
- "storage":{},
- "desktop-notification":{}
Web Activity Handlers
None
System Messages
"messages": [ { "alarm": "/index.html" } ]
The calendar installs a handler for the following:
- alarm
Notifications
The app indirectly creates notifications through the alarm API.
Post Messages
The following code files use postMessage for communicating:
- js/worker/manager.js
- js/worker/thread.js
- js/calendar.js
This communication appears to be internal only. calendar.js uses postMessage but only responds to messages from itself.
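The internal-only pattern noted above, as an added example rather than the code of calendar.js: a window 'message' handler that accepts only messages the window posted to itself and ignores every other sender. The event is modelled as a plain object so the function can be exercised outside a browser; the 'calendar' tag, the handler names, the origin string and the sample events are all constructed for this example.

```javascript
// Added example, not calendar.js itself: accept only self-sent postMessage
// events, the behaviour the review describes. Event objects are plain
// objects here so the logic runs outside a browser; tag/type names,
// origin and sample payloads are constructed.
const HANDLERS = {
  'sync-complete': (payload) => 'synced ' + payload.count + ' events',
  'alarm-fired': (payload) => 'alarm for event ' + payload.eventId
};

function handleMessage(event, selfWindow, selfOrigin) {
  // Drop messages from any other window (frames, opener, other apps).
  if (event.source !== selfWindow) return null;
  // Drop cross-origin senders even when the source matched.
  if (event.origin !== selfOrigin) return null;
  const data = event.data;
  // Only structured messages carrying our own tag are dispatched.
  if (!data || typeof data !== 'object' || data.tag !== 'calendar') return null;
  const handler = HANDLERS[data.type];
  if (!handler) return null;
  return handler(data.payload || {});
}

// Constructed sample: a stand-in for the window object, a constructed
// origin, one trusted event and one from a foreign window.
const SELF = { name: 'calendar-window' };
const ORIGIN = 'app://calendar.example';
const trusted = {
  source: SELF, origin: ORIGIN,
  data: { tag: 'calendar', type: 'sync-complete', payload: { count: 3 } }
};
const foreign = {
  source: { name: 'other-window' }, origin: 'app://other.example',
  data: { tag: 'calendar', type: 'sync-complete', payload: { count: 3 } }
};

console.log(handleMessage(trusted, SELF, ORIGIN)); // synced 3 events
console.log(handleMessage(foreign, SELF, ORIGIN)); // null
```

In a real page the handler would be registered with window.addEventListener('message', ...) and selfWindow would be window itself; the source check is what stops another frame or app from driving the handler, and the origin check guards the case where a same-window reference could be obtained cross-origin.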
Web Activity Usage
None
Notable Event Handlers
Code Review Notes
The calendar doesn't handle any web activities and has limited interaction with other apps. Calendar does extend the alarms API / db for non-phone devices.
1. XSS & HTML Injection attacks
None found. There are two main injection vectors for the Calendar app: 1. user input when creating events; 2. synced data from external calendars.
Manual entry of bad data into the Calendar app and syncing of bad data was performed. Template input is sufficiently escaped by the 'h' function in template.js. This function performs a regex check for HTML characters matching the regex /[&<>"'`]/, then escapes single and double quotes. The corresponding template files in templates/ call either 'h', 's', 'bool' or 'l10n' to convert / escape data before display.
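An escaping helper in the spirit of the 'h' function described above, as an added example rather than the app's own template.js: it tests values against the same character class the review quotes, /[&<>"'`]/, and replaces every matched character with an entity before the value is interpolated into markup. The entity table, the renderEvent template and the sample event are constructed for this example.

```javascript
// Added example, not Calendar's template.js. The character class is the one
// the review quotes; the entity table, renderEvent and the sample event are
// constructed here. Every matched character is escaped, not only the quotes.
const NEEDS_ESCAPE = /[&<>"'`]/;
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;'
};

function h(value) {
  const str = value == null ? '' : String(value);
  // Fast path: nothing to escape, return the string untouched.
  if (!NEEDS_ESCAPE.test(str)) return str;
  return str.replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Minimal template: every interpolated field goes through h(), so a title or
// location coming from a synced calendar cannot inject markup or attributes.
function renderEvent(event) {
  return (
    '<li class="event">' +
    '<span class="title">' + h(event.title) + '</span>' +
    '<span class="location">' + h(event.location) + '</span>' +
    '</li>'
  );
}

// Constructed sample: a hostile title as a remote calendar might return it.
const SAMPLE_EVENT = {
  title: '<img src=x onerror="alert(1)">',
  location: "Room 'A' & B"
};

console.log(renderEvent(SAMPLE_EVENT));
```

Escaping at the interpolation site rather than when data is stored keeps the IndexedDB contents faithful to what the server sent, while guaranteeing that whatever reaches the DOM is inert text.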
I've also tried to perform XML injection by exploiting the CalDav XML parser and/or injecting code in iCal data: strings seem properly escaped, and attempts to perform an XXE failed. Basically, the parser falls into a "strictFail()" method each time malformed data is parsed.
2. Secure Communications
Remote Services
The Calendar talks to remote servers. There are currently presets for the SSL versions of Google and Yahoo calendars. However, a user may specify their own CalDav or Local calendar instance. There is some risk if the user specifies an HTTP endpoint instead of HTTPS. The app does not perform SSL certificate checks itself; however, Gecko will error on a certificate error.
ext/caldav.js and service/caldav.js perform XHR requests to synchronize calendars. The options are set in service/caldav.js and transmitted to the caldav ext library:
var xhrOpts = {
  /** system is required for cross domain XHR */
  mozSystem: true,
  /** mozAnon is required to avoid system level popups on 401 status */
  mozAnon: true,
  /** enables use of mozilla only streaming api's when available */
  useMozChunkedText: true
};
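One way to address the plain-HTTP risk noted under Remote Services before the options above are handed to the CalDav library, as an added example that is not part of the Calendar app: vet the user-supplied endpoint and refuse to build the sync request unless the scheme is acceptable. The mozSystem, mozAnon and useMozChunkedText flags are the ones the review quotes; the classification rule, the loopback exception and the sample URLs are constructed for this example.

```javascript
// Added example, not code from the Calendar app: vet a user-supplied calendar
// endpoint before the CalDAV sync XHR is built. The xhrOpts flags are the
// ones quoted in the review; the classification rule and sample URLs are
// constructed for this example.
function classifyEndpoint(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol === 'https:') {
    return { ok: true, reason: 'TLS endpoint' };
  }
  if (url.protocol === 'http:') {
    // Plain HTTP to loopback is tolerated (local test servers); to any other
    // host it would send the CalDAV credentials and calendar data in the clear.
    if (url.hostname === 'localhost' || url.hostname === '127.0.0.1') {
      return { ok: true, reason: 'plaintext HTTP to loopback' };
    }
    return { ok: false, reason: 'plaintext HTTP to remote host' };
  }
  return { ok: false, reason: 'unsupported scheme ' + url.protocol };
}

// Build the request description the sync layer would use. Throws instead of
// silently downgrading, so a caller cannot forget to check the verdict.
function buildSyncRequest(rawUrl) {
  const verdict = classifyEndpoint(rawUrl);
  if (!verdict.ok) {
    throw new Error('refusing to sync with ' + rawUrl + ': ' + verdict.reason);
  }
  return {
    url: rawUrl,
    xhrOpts: {
      mozSystem: true,         // cross-domain XHR
      mozAnon: true,           // no system credential prompt on 401
      useMozChunkedText: true  // streaming response body when available
    }
  };
}

// Constructed sample endpoints.
const SAMPLE_URLS = [
  'https://caldav.example.net/dav/',
  'http://caldav.example.net/dav/',
  'http://localhost:8008/dav/',
  'ftp://caldav.example.net/',
  'not a url'
];

for (const u of SAMPLE_URLS) {
  const v = classifyEndpoint(u);
  console.log((v.ok ? 'ALLOW ' : 'BLOCK ') + u + '  (' + v.reason + ')');
}
```

Whether plain HTTP to a remote host should be blocked outright or only warned about is a product decision; the point of returning a verdict with a reason is that the account form can show the user why, rather than the sync silently proceeding in the clear.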
3. (Secure) data storage
All data is stored in one of a couple IndexedDBs. The code looks okay.
4. Denial of Service
Some DoS attacks may be possible during sync. See Actions & Recommendations section.
5. Use of Privileged APIs
6. Interfaces with other Apps/Content
No interface is exposed to other applications.
Security Risks & Mitigating Controls
The code from js/ext/caldav.js is adapted from the sax-js parser from https://github.com/isaacs/sax-js/. Some relatively recent commits might be worth applying:
- https://github.com/isaacs/sax-js/commit/67d0edef57d003757566e8886ca0478e909cd3bf
- https://github.com/isaacs/sax-js/commit/3b74c16503572d4216d93c867853fed846cffe55
- https://github.com/isaacs/sax-js/commit/6f760b1f8696c2af5e104ada9b171ebc2206b88c
Actions & Recommendations
Two DoS attack vectors were found: