SAP / spartacus

Spartacus is a lean, Angular-based JavaScript storefront for SAP Commerce Cloud that communicates exclusively through the Commerce REST API.
Apache License 2.0

Internal security code review #3031

Closed dunqan closed 3 years ago

dunqan commented 5 years ago

Perform an internal security audit before 1.0 release, including:

  1. Review code for possible security threats (XSS / proper sanitization, not using JIT)
  2. Make sure any security sensitive code is justified and properly guarded
  3. Check if Angular built-in XSSI/XSRF protection is not mitigated in any way
  4. Review package dependencies for security risk

marlass commented 5 years ago

Quick check:

  1. No usage of bypassSecurity* methods; [innerHTML] is used for HTML content, so it is sanitized
  2. Did yarn audit. 3 warnings found (none of them are dangerous: vulnerabilities in our documentation tool and i18n linter)

Will look more into the code later.
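The quick check above (no `bypassSecurityTrust*` calls, `[innerHTML]` only where Angular sanitizes it) and item 3 of the original checklist (built-in XSRF protection not switched off) can be scripted. The block below is an added example and is not Spartacus code: a small TypeScript scanner that runs three line-level rules over source text. `DomSanitizer.bypassSecurityTrust*` and `HttpClientXsrfModule.disable()` are real Angular APIs; the file names and sample sources are constructed for the demo.

```typescript
// Added example (not Spartacus code): a grep-style audit over source text.
// Rules: DomSanitizer.bypassSecurityTrust* calls (these turn off Angular's XSS
// sanitization), [innerHTML] bindings (Angular sanitizes these, but they belong on
// the review list), and HttpClientXsrfModule.disable() (turns off the built-in
// XSRF-TOKEN cookie -> X-XSRF-TOKEN header handling).
// All file names and file contents below are constructed sample input.

type Kind = "bypass" | "innerHTML" | "xsrf-disabled";

interface Finding {
  file: string;
  line: number; // 1-based line number within the file
  kind: Kind;
  text: string; // the offending line, trimmed
}

// Each rule is a regex applied to one source line plus the finding kind it produces.
const RULES: Array<{ kind: Kind; re: RegExp }> = [
  { kind: "bypass", re: /\.bypassSecurityTrust(Html|Style|Script|Url|ResourceUrl)\s*\(/ },
  { kind: "innerHTML", re: /\[innerHTML\]\s*=/ },
  { kind: "xsrf-disabled", re: /HttpClientXsrfModule\s*\.\s*disable\s*\(/ },
];

function scanSource(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((raw, i) => {
    const text = raw.trim();
    if (text.indexOf("//") === 0) return; // skip pure comment lines
    for (const rule of RULES) {
      if (rule.re.test(raw)) findings.push({ file, line: i + 1, kind: rule.kind, text });
    }
  });
  return findings;
}

function scanAll(files: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  Object.keys(files).forEach(file => out.push(...scanSource(file, files[file])));
  return out;
}

// Bypass calls and a disabled XSRF module need a written justification and a guard;
// [innerHTML] findings are informational because Angular sanitizes the bound value.
function needsJustification(findings: Finding[]): Finding[] {
  return findings.filter(f => f.kind !== "innerHTML");
}

function report(findings: Finding[]): string {
  return findings.map(f => `${f.file}:${f.line} [${f.kind}] ${f.text}`).join("\n");
}

// Constructed sample inputs (hypothetical file names and contents).
const SAMPLES: Record<string, string> = {
  "product-summary.component.html":
    '<div class="summary" [innerHTML]="product.summary"></div>',
  "banner.component.ts": [
    "import { DomSanitizer } from '@angular/platform-browser';",
    "export class BannerComponent {",
    "  constructor(private sanitizer: DomSanitizer) {}",
    "  trusted(html: string) {",
    "    return this.sanitizer.bypassSecurityTrustHtml(html);",
    "  }",
    "}",
  ].join("\n"),
  "app.module.ts": [
    "import { HttpClientModule, HttpClientXsrfModule } from '@angular/common/http';",
    "@NgModule({ imports: [HttpClientModule, HttpClientXsrfModule.disable()] })",
    "export class AppModule {}",
  ].join("\n"),
  "safe.component.ts": "export class SafeComponent { title = 'nothing to flag'; }",
};

console.log(report(scanAll(SAMPLES)));
```

Running it lists three findings, two of which need a justification (the bypass call and the disabled XSRF module). A regex pass is a first cut, not proof: it misses a `DomSanitizer` method reached through an alias, and it cannot see an `HttpInterceptor` that strips or overwrites the `X-XSRF-TOKEN` header, which is the other way the built-in protection gets mitigated; those still need a manual read of the interceptor chain.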

Xymmer commented 5 years ago

Would Checkmarx and SonarQube cover these reviews?

giancorderoortiz commented 3 years ago

Threat modelling methodology was applied extensively throughout key features of the product. Closing ticket.