sambles closed this issue 2 years ago.
Doesn't look directly relevant to us in a number of ways.
For the record, we have refrained from any functionality where the user could provide input that should get translated into or evaluated as R code. (SQL we don't do at all.)
My main take-away, however, would be to review shinyproxy and see if we would want to upgrade that or potentially even replace / drop it altogether.
Comments on securing OasisUI
Information about both front- and back-end software as well as a version number is presented.
The user interface discloses which specific software is in use. It is recommendable to check for available software updates, as there are versions of RShiny that come with a path traversal attack vector: https://github.com/colemanjp/rstudio-shiny-server-directory-traversal-source-code-leak

It was not possible to exploit this potential vulnerability during the test. This source could be interesting for the development department, as it refers to a relevant security discussion on the part of RShiny: https://mastering-shiny.org/scaling-security.html

We recommend the introduction of a dependency management system for keeping software up to date. In case this has not been implemented yet, it is highly recommendable to implement one or to revise the existing system.