MacGapProject / MacGap1

Desktop WebKit wrapper for HTML/CSS/JS applications.

command macgap.localfile.read("path/to/file") #96

Open JLarky opened 10 years ago

JLarky commented 10 years ago

That allows reading files from the filesystem as long as the filename is whitelisted.

One can use that to include user-provided CSS or scripts. Example:

webapp:

if (window.macgap.localfile) {
    // macgap.localfile.read returns a JSON string; the file body is in .content
    var json = macgap.localfile.read("~/my_app_userstyle.css");
    if (json) {
        var response = $.parseJSON(json);   // jQuery
        if (response && response.content) {
            var css = response.content;
            // inject the user-provided stylesheet into the page
            var styleNode = document.createElement('style');
            styleNode.type = "text/css";
            var styleText = document.createTextNode(css);
            styleNode.appendChild(styleText);
            document.getElementsByTagName('head')[0].appendChild(styleNode);
        }
    }
}

and in public/localfiles.whitelist:

~/my_app_userstyle.css
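
The whitelist decision the new command relies on, as an added example in plain JavaScript that is not part of this pull request or of MacGap's own code; it assumes the whitelist format shown above (one path per line, `~` for the home directory) and a constructed home directory:

```javascript
// Added example, not MacGap's Objective-C implementation: a JavaScript model
// of the decision macgap.localfile.read has to make against the whitelist.
// Assumed format of public/localfiles.whitelist: one path per line, '#' starts
// a comment, and a leading '~' stands for the user's home directory.

var HOME = "/Users/alice"; // constructed sample home directory

// Expand a leading '~' and collapse '.', '..' and repeated slashes so that two
// spellings of the same file compare equal. Only absolute or '~/' paths are
// accepted; anything else returns null and is therefore never readable.
function canonicalize(p, home) {
  if (p === "~" || p.indexOf("~/") === 0) {
    p = home + p.slice(1);
  } else if (p.charAt(0) !== "/") {
    return null;
  }
  var out = [];
  p.split("/").forEach(function (seg) {
    if (seg === "" || seg === ".") return;
    if (seg === "..") { out.pop(); return; }
    out.push(seg);
  });
  return "/" + out.join("/");
}

// Turn the whitelist text into a lookup table of canonical absolute paths.
function parseWhitelist(text, home) {
  var allowed = {};
  text.split("\n").forEach(function (line) {
    line = line.trim();
    if (line === "" || line.charAt(0) === "#") return;
    var canon = canonicalize(line, home);
    if (canon !== null) allowed[canon] = true;
  });
  return allowed;
}

// Canonicalize the requested path *before* comparing, so a whitelisted file is
// readable under any spelling and no other file is readable under any spelling.
function isReadAllowed(requested, whitelistText, home) {
  var canon = canonicalize(requested, home);
  if (canon === null) return false;
  return Object.prototype.hasOwnProperty.call(parseWhitelist(whitelistText, home), canon);
}

// Constructed whitelist, matching the one in the comment above.
var WHITELIST = "# files the web app may read\n~/my_app_userstyle.css\n";
```

The exact-match-after-canonicalization rule is the part worth keeping whatever the real implementation looks like: a plain string comparison would treat two spellings of the same file differently.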
jeff-h commented 10 years ago

Hey... nice to see some new code! :)

However, I am wondering whether you couldn't achieve the same result as this using straightforward JavaScript, perhaps in conjunction with macgap.path.application and/or macgap.path.resource?

Also, for reading arbitrary files, as well as a full set of other filesystem commands, I would recommend using NodeLike (https://github.com/node-app/Nodelike) within MacGap, which provides access to a Node.js-compatible fs module and all the filesystem goodies that brings. Check out https://github.com/node-app/macgap. It really does work.

If I'm missing the point, sorry, and please let me know!

JLarky commented 10 years ago

Hi! Nice to see someone in the business of reviewing stuff ;)

My initial thought was that you could achieve that just with macgap.path.resource (although that won't work with ~/something.txt), but I was getting the error message "Not allowed to load local resource", and I see that as legitimate browser behavior; otherwise what would stop me from reading something like ~/.ssh/id_rsa? I was kind of aware of the node.js stuff, but I can't see a justification for building such infrastructure just to read a user's css file :)

jeff-h commented 10 years ago

The general philosophy of security in any desktop app is either

a) conform to sandboxing and be allowed on the Mac App Store or b) access anything anywhere, including .ssh/id_rsa and the works

Since MacGap can be compiled with Sandboxing on, if Sandboxing is on then any attempt to access ~/.ssh/* either by JavaScript or by Objective-C will be refused (unless explicitly granted by the user).

If it's NOT sandboxed, I figure why restrict the JavaScript from doing stuff that Obj-C can do? In other words, why not let JavaScript (running in a desktop app) access ~/.ssh/id_rsa?

Re node.js — do check out Nodelike... it's not node.js but rather a node.js-compatible API, and will only add a few hundred KB to your app size, and still allows Mac App Store submission. It gives you loads of fs stuff. See http://nodejs.org/api/fs.html for the list of commands you get inside MacGap when you compile in Nodelike.

JLarky commented 10 years ago

In other words, why not let JavaScript (running in a desktop app) access ~/.ssh/id_rsa?

Because if I have an XSS hole in the webapp I want to limit the damage done to website users. I do that by limiting access to public/localfiles.whitelist.

And I have no idea how I would sandbox node.js in order to do that; as far as I see it, the webapp will have full control of the mac app, so it's kind of the ultimate case of "arbitrary code execution" I can think of.

jeff-h commented 10 years ago

I see your point now. In my usage of MacGap, I'm running everything locally, and only pulling in very specific JSON data from the web, and being careful what I do with it. Also, I plan on sandboxing my App, which will restrict the potential damage from an XSS attack.

But yes, I agree now, JS being dynamically interpreted rather than compiled means it's possible to get XSS attacks and give them the full power of the MacGap API. I think this is an even wider issue for MacGap than just file access? e.g. we can already access the contents of someone's clipboard, and via an XSS attack could send that data anywhere.

Is there some better way of dealing with this at a broad level than by saying "write your JavaScript so you avoid XSS holes"? At the end of the day your "whitelisting" solution, while good for file access, won't be a solution for things like clipboard access, or launching other apps or whatever else we give MacGap apps the power to do.

JLarky commented 10 years ago

Good point. I will look into restricting other functions macgap provides but I actually don't use. My point is that even if users are exposed in one way (say by clipboard) it's no reason to expose them in another, like giving the ability to read any file.

jeff-h commented 10 years ago

Just not sure where I stand on all this; take node.js for example — that offers a truckload of very deep host access (filesystem, shell environment etc.). So if a malicious script managed to inject itself into a node.js app, it could download an app to any location on the user's HD and execute it. It could also send off the contents of any private keys etc. Even PHP has the same problems (if the PHP environment is set up loosely enough).

Thus (as far as I know) the only security option in node.js or PHP etc is "write your code carefully to avoid XSS and other security holes". Am I missing something?

I guess I feel that if it's this way for node.js and PHP etc then I'm less concerned about MacGap (not) handling security in a similar fashion. Is the risk any greater for MacGap than those other environments?

JLarky commented 10 years ago

I guess I feel that if it's this way for node.js and PHP etc then I'm less concerned about MacGap (not) handling security in a similar fashion.

If what you are saying were true, no one would bother with sandboxing browsers. You write a PHP server in a way that limits the things an attacker could do. Like if they can upload files, you do so those files can't be run on the server; if you run an sql query, you write it in a way that no one could run any query, just specific ones, and so on. This is why I think you should write your mac application in a way that if users can read some files, they can't read any file.

Is the risk any greater for MacGap than those other environments?

Yes. ~/.ssh/id_rsa and ~/.config/google-chrome would be empty on my php server, and they would contain all kinds of stuff, say all the passwords saved in the chrome/firefox password managers, on my personal computer.