assaf / zombie

Insanely fast, full-stack, headless browser testing using node.js
http://zombie.js.org/
MIT License

Security issue #1169

Closed lirantal closed 5 years ago

lirantal commented 6 years ago

Hello,

As a member of the Node.js Security WG I would like to draw your attention to a security report that has been made regarding this issue.

I have made attempts to contact the person identified as a maintainer of this package but did not get any answer. What is the best way to reach someone with commit rights over this repo and hopefully npm publishing rights as well, in order to invite them to privately discuss the issue on the HackerOne platform and provide a resolution?

Thanks, Liran.

References:

djanowski commented 6 years ago

I'm a collaborator, contact me at the email address publicly listed on my profile, thanks

On Fri, Aug 10, 2018, 08:12 Liran Tal notifications@github.com wrote:

Hello,

As a member of the Node.js Security WG https://hackerone.com/nodejs-ecosystem I would like to draw your attention to a security report that has been made regarding this issue.

I have made attempts to contact the person identified as a maintainer of this package but did not get any answer. What is the best way to reach someone with commit rights over this repo and hopefully npm publishing rights as well, in order to invite them to privately discuss the issue on the HackerOne platform and provide a resolution?

Thanks, Liran.

References:


lirantal commented 6 years ago

@djanowski I invited you to the hackerone platform, you should get an invite in your inbox. Please join and review the report to take action on.

Thanks!

lirantal commented 6 years ago

@djanowski can you please check your inbox or spam folder again for the invite? Appreciate it!

lirantal commented 6 years ago

All, @assaf, I'm chiming in on this again as I have disclosed the report (https://hackerone.com/reports/389583), but before it makes it to a CVE that will affect this and future versions of Zombie, would you like to discuss further?

My action item would be that if Zombie can default to not evaluating JavaScript code when crawling a website, then this will be a good security measure. I'm not sure, however, what this will break in existing clients, or whether it will. Can you share your input?

assaf commented 6 years ago

Zombie is “full-stack testing using Node.js”. It’s fit for purpose: use it in your test environment, to run test suites, against your application code.

Zombie is not designed to test adversaries (e.g. pen tests, web scraping).

If you are testing your application code, that implies components and services you trust. After all, you will be exposing your users to those same URLs!

Since test suites should be fast, isolated, and repeatable, that implies control over the resources used in your tests.

There are various tools that allow you to capture, verify, block, and modify resources. I personally use nock, replay (disclosure: also mine), and sinon. But Zombie will work with many other tools like that.

Following the UNIX philosophy that “tools should do one thing, and do it well,” Zombie does not intend to duplicate features from nock/replay/sinon/etc., but rather to be used in combination with these tools.

The changes you are suggesting are for off-label use. Zombie does not support the use case of “untrusted crawled pages.”

TL;DR If you’re using Zombie as intended, as part of a test environment that follows best practices, then you have high trust/control over the resources Zombie is using. If you are using Zombie for off-label use, please don’t.
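The thread turns on one point: a test suite should control which resources the headless browser is allowed to fetch, rather than relying on the browser to treat every crawled page as hostile. The block below is an added example, not code from the Zombie project or from anyone in this thread. It implements that control as a per-request allowlist: an `isAllowedResource` policy plus a handler factory written in the shape I assume for a Zombie pipeline handler (called with `(browser, request)`, returning `undefined` to let the request proceed or a response object to short-circuit it; wiring it via `browser.pipeline.addHandler` is an assumption about Zombie's API, and the response factory is injected so the file runs without Zombie installed). The hosts, URLs and requests in `demo()` are constructed for the illustration.

```javascript
// Added example, not Zombie's own code: a resource allowlist for a
// headless-browser test run. Every request the browser would make is
// checked against a list of trusted hosts; anything else is answered with
// a stub response instead of reaching the network.

// Decide whether a test browser may fetch `urlString`.
// `allowedHosts` holds hostnames; a leading dot also admits subdomains
// (".example.test" matches both "example.test" and "api.example.test").
function isAllowedResource(urlString, allowedHosts) {
  let url;
  try {
    url = new URL(urlString); // global URL, Node >= 10
  } catch (e) {
    return false; // unparsable URL: fail closed
  }
  // Schemes that never touch the network are harmless in a test.
  if (url.protocol === 'about:' || url.protocol === 'data:') return true;
  // Anything that is not plain HTTP(S) is not a test resource.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  return allowedHosts.some((entry) => {
    const pattern = entry.toLowerCase();
    if (pattern.startsWith('.')) {
      const bare = pattern.slice(1);
      return host === bare || host.endsWith(pattern);
    }
    return host === pattern;
  });
}

// Build a handler in the assumed shape of a Zombie pipeline handler:
// (browser, request) => undefined to continue, or a response to short-circuit.
// `makeResponse(status, body)` is injected so this file has no dependency on
// Zombie's Response class; `blocked` collects denied URLs for the test report.
function makeAllowlistHandler(allowedHosts, makeResponse, blocked = []) {
  return function allowlistHandler(browser, request) {
    if (isAllowedResource(request.url, allowedHosts)) return undefined;
    blocked.push(request.url);
    return makeResponse(403, `blocked by test allowlist: ${request.url}`);
  };
}

// Stand-alone run over constructed requests (no browser, no network).
function demo() {
  const allowed = ['localhost', '.example.test']; // constructed trust list
  const blocked = [];
  const handler = makeAllowlistHandler(
    allowed,
    (status, body) => ({ status, body }), // stand-in for a real Response
    blocked
  );
  const requests = [ // constructed sample requests
    'http://localhost:3000/login',
    'https://api.example.test/session',
    'https://cdn.third-party.invalid/widget.js',
    'about:blank',
    'ftp://files.example.test/readme',
  ];
  const results = requests.map((url) => handler(null, { url }));
  return { results, blocked };
}

if (typeof module !== 'undefined') {
  module.exports = { isAllowedResource, makeAllowlistHandler, demo };
  if (require.main === module) console.log(JSON.stringify(demo(), null, 2));
}
```

In `demo()` the two localhost/example.test requests pass through, the third-party script and the `ftp:` URL are answered with the 403 stub and recorded in `blocked`, and `about:blank` is allowed without a network round trip. Failing closed on unparsable URLs and on non-HTTP schemes is deliberate: a test suite that is "fast, isolated, and repeatable" should never be surprised by where its browser went.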