Security

[dqu123]

Let's use this as a place to discuss security issues and how we plan on addressing them. Also if you note any security hole you can comment here and link to the code or whatever. I'm actually working on authentication and security for my SURF (in Django), so I'm trying to think about the best way to do things, so I'd like to hear other people's opinions.

My thoughts:

General Exploits

SQL Injection: "Add SQL code to input to take over a db"

Option 1: Secure queries: build into Flask Option 2: Object relational mapper functions for queries

XSS: "Input is printed and renders as html, allowing for javascript to be run"

Sanitize user input, escape

CSRF: "A website uses your browser's cookies to fill out forms for you on another site"

Django has middleware with CSRF tokens that adds a hidden POST variable.

User Security

Brute force password search:

Password Reset:

Should we email a "reset key" and the do the reset through a special link?

Feel free to add any other security issues you know about.

[dqu123]

@periodic1236 @epelz @dkong1796 @alphaz99 @Timeroot @ootks @ChingYunH @RobertEng

[allisonkong]

About SQL injection:

• You can write sqlalchemy queries with the sqlalchemy.text() function that are parameterized, so the parameters are passed in separately, like this:

query = sqlalchemy.text("SELECT user_id FROM members WHERE first_name=:fn AND last_name=:ln")
db.execute(query, fn="Daniel", ln="Kong")

About XSS:

• Flask uses the Jinja2 templating engine which automatically escapes data passed to the template engine. You should read up on how that works, starting here: http://flask.pocoo.org/docs/0.10/templating/#controlling-autoescaping

About authentication:

• The most important thing with authentication is that passwords are stored and compared securely, such that if a database breach were to happen, the hashes of passwords are not useful. This is what I implemented for the Ruddock website: https://github.com/RuddockHouse/RuddockWebsite/pull/65. It's a good place to start thinking about how to do authentication. The reason why it was implemented that way was so that upgrading hashing algorithms is more straightforward. I can definitely discuss this in much more detail if you want to do something similar.
• You will want to enable HTTPS for the site, so passwords are not sent over HTTP in plaintext. I can help with this, but the person you really want to talk to is RuthAnne in IMSS.

[allisonkong]

Also if you want more about SQL injection, see this: https://github.com/ASCIT/Donut/issues/100

[RobertEng]

I talked to RuthAnne this morning about enabling HTTPS. She said it should be fairly easy and emailed me these instructions from the website.

Here are some instructions from the wiki our sysadmins use (obviously don't use "root@caltech.edu" as the email addresss...!). --RA

Create the SSL key

Create the server key either with or without a passphrase:

with passphrase

openssl genrsa -des3 -out server.key 2048

without passphrase

openssl genrsa -out server.key 2048 Save the server.key file.

Create the Certificate Signing Request

Now create the Certificate Signing Request:

openssl req -new -key server.key > server.csr Answer the questions like so:

Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:California Locality Name (eg, city) [Newbury]:Pasadena Organization Name (eg, company) [My Company Ltd]:California Institute of Technology Organizational Unit Name (eg, section) []: IMSS Common Name (eg, your name or your server's hostname) []: $fqdn Email Address []:root@caltech.edu Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "Common Name", i.e. when you generate a CSR for a website which will be later accessed via https://www.foo.com/, enter "www.foo.com" there.

Get your CSR signed by the Globalsign (or other) certificate authority

E-mail your CSR to security@caltech.edu, along with the PTA you want the fee to be charged to, the number of years you want the certificate for, and let them know who you want it signed by (CIT-signed, Globalsign signed, or some other CA).

security@caltech.edu will mail you back a signed certificate.

Discussion

If you use the cetificate for your HTTP/SMTP server

Reload httpd/restart postfix after installing the certificate file.

If you created a key which has a passphrase

If you created a key which has a passphrase, remember the passphrase; you'll need it in the future when you want to renew the certificate.

You'll need a decrypted PEM version of your RSA private key via to use with Apache. Here's how you make one:

openssl rsa -in server.key -out server.key.unsecure For Apache, use server.key.unsecure for SSLCertificateKeyFile, and the signed certificate from security@caltech.edu as the SSLCertificateFile.

Once you have the cert.crt and cert.key files, you get the corresponding cert.pem (needed for IMAP/POP/SMTP) by doing: cat cert.key cert.crt > cert.pem .

[allisonkong]

Yeah, that's the same thing I did to set up https for Ruddock. Couple things to note:

• They do support 4096 bit keys now
• You don't want to use a passphrase. Otherwise you have to type it in every time you restart apache.
• It's more important that you pay very careful attention to the file permissions for the server's private key (and certificates when you get it signed). They should only be readable by root.

[allisonkong]

From the Ruddock documentation: https://docs.google.com/document/d/1pudZaGvmd5_mBVLMS4HkB5WoW_yXWhD9VyUPPn5_12Q/edit?usp=sharing