legalese / legalese.github.io

Static assets for legalese.com
https://legalese.com/

reduce required privileges #95

Open mengwong opened 8 years ago

mengwong commented 8 years ago

right now when the script asks for authorization it asks for pretty much pwnage-level access to the user's entire google account.

reduce the security threat surface -- find a way to make this work with OnlyCurrentDoc. https://developers.google.com/apps-script/guides/services/authorization

the risk is that a malicious commit on the legalese codebase will embed undesirable content in an xml template file which then runs with user permissions with access to all the user's docs. this is clearly undesirable.

a functionally equivalent man-in-the-middle attack would intercept the UrlFetch() operation and return a malicious XML template file, either attacking obtainTemplate or INCLUDE(Available Templates).

lodging the XML templates inside the app itself is a seemingly attractive alternative, but it reduces to the same threat scenario because that data has to populate from somewhere in the first place.

we should require that all committers with access to GitHub must have 2FA.

ideally we would reduce the authorization scope of this script to only the current doc. but we need a way to share the resulting PDF with the user without access to everything in Drive!

mengwong commented 8 years ago

the google security model may have matured since this issue was created, making it easier to work on this issue.