Closed lucacasonato closed 5 years ago
Not sure if this is a good idea simply because of custom hosts (Although, not a lot of people use them). Also, don't forget about bitbucket 😛!
As I said in my original comment, this is not and should not be a permanent fix, rather only a temporary solution to a very, very, very big security vulnerability that allows a malicious site to take any data from your system, and potentially read all data that your user uid can access if you have the sail extension installed.
This does not affect the sail cli tho, it only affects the extension, which currently doesn't have support for BitBucket anyways. You should uninstall the extension right now and wait until a patch is released to address this issue - again: I can take over your entire system by you visiting a website and not interacting with it.
As far as I am concerned end user security is far more important than being able to use sail on a custom host github/gitlab instance.
Security is definitely number 1 priority but just wanted to bring up the custom host argument.
I think the best solution for this is to lock to GitHub.com and GitLab.com for now, and then write some sort of settings UI which allows users to approve other hosts.
Actually, maybe the hosts could be stored in sail's config instead of the Chrome extension's config? Sounds like that would be a nicer option. The extension could grab the list of approved hosts on startup.
Definitely needs to be discussed in a new issue.
Once this is merged and updated on the web store, we need to begin designing and working on the "host approval" mechanism.
Fix security issue for users of the sail extension described in these comments: https://github.com/cdr/sail/issues/162#issuecomment-504242822 and https://github.com/cdr/sail/issues/162#issuecomment-504441471, by injecting content script only in github and gitlab. This should only be a temporary fix until a better solution can be found.
Main issue revolves around any page with an input with id `http_project_clone`, a div with class `project-repo-buttons` and a bit of styling being able to sneakily open sail without user consent and knowledge. If you extend this by using a container that does not have code-server installed but rather some malicious package that hosts on the same port, you could instantly close the opened chrome window. That way you can start a container in the background without the user knowing.

Basic demo here - this opens https://github.com/github/personal-website repo without any user interaction.
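An added example (not sail's code) of the exact-hostname check that locking the extension to github.com and gitlab.com implies, with room for the approved-hosts list suggested in the comments above. The names `DEFAULT_HOSTS`, `isApprovedPage` and `shouldHandleLaunch` are hypothetical, and the sample URLs are constructed.

```javascript
// Hypothetical names throughout; this is an illustration, not the extension's code.
const DEFAULT_HOSTS = Object.freeze(["github.com", "gitlab.com"]);

// True only when pageUrl is an https page whose hostname exactly matches an
// approved host. Substring or suffix matching is deliberately avoided, since
// it would accept look-alike hostnames such as github.com.evil.example.
function isApprovedPage(pageUrl, extraHosts = []) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return false; // unparseable input is never approved
  }
  if (url.protocol !== "https:") return false;
  const allowed = new Set(
    [...DEFAULT_HOSTS, ...extraHosts].map((h) => String(h).toLowerCase())
  );
  // URL.hostname is already lower-cased and excludes userinfo and port,
  // so "https://github.com@evil.example/" resolves to "evil.example".
  return allowed.has(url.hostname);
}

// Second gate for the privileged side of the extension: decide from the
// browser-reported sender URL (e.g. the `sender.url` passed to a
// chrome.runtime.onMessage listener), not from anything found in the page DOM
// such as an element id or class name.
function shouldHandleLaunch(sender, extraHosts = []) {
  if (!sender || typeof sender.url !== "string") return false;
  return isApprovedPage(sender.url, extraHosts);
}
```

Restricting where the content script is injected and re-checking the sender before acting are independent layers; the second still holds if the injection pattern is later widened for custom hosts.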