Closed jvehent closed 2 years ago
Also noting that nsp has changed hands and we probably want to switch to npm audit
:
https://docs.npmjs.com/getting-started/running-a-security-audit
A kind of naive question on npm audit
: It has found some issues in nested dependencies of dev dependencies. How should we handle these when the upstream projects haven't upgraded? Concerned that if we strictly fail the CI build on this, it effectively halts builds until other projects update.
➜ watchdog-proxy git:(3-process-queue) ✗ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ https-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.2.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > https-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/593 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nsp [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nsp > cli-table2 > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.5.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ onchange [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ onchange > chokidar > fsevents > node-pre-gyp > rc > │
│ │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/612 │
└───────────────┴──────────────────────────────────────────────────────────────┘
[!] 3 vulnerabilities found - Packages audited: 4583 (4480 dev, 111 optional)
Severity: 2 Low | 1 High
Per https://blog.npmjs.org/post/173719309445/npm-audit-identify-and-fix-insecure
What if I’m using a previous version of npm?
npm audit is available in npm@5.10.0 and npm@6. Prior versions of npm will receive vulnerability messages similar to the following:
npm-notice: [SECURITY] marked has 3 high, and 2 moderate vulnerabilities. Go here for more details: https://nodesecurity.io/advisories?search=marked&version=0.3.0 - Run
npm i npm@latest -g
to upgrade your npm version, and thennpm audit
to get more info.We’re not aware of any third-party registry clients that currently support displaying the npm-notify header, so users of these tools will not receive vulnerability messages. For maximum protection against unsafe code, all users should use npm@6.
Looks like the latest Node 8.11.1 comes w/ npm@5.6.0. Heck, even the latest node 10.1.0 comes w/ the older npm@5.6.0, so we'd have to manually install npm@5.10+ or npm@6.
Also, doesn't look like we can currently ask npm audit
to ignore devDependencies (per npm/npm #20564).
Also also, doesn't look like you can currently have a list of exceptions (per npm/npm #20565).
Took another swing through the checklist - I think most things are covered off with the exception of things to handle during prod / stage deployment. A few remaining questions:
For summary clarification: This project is a server-to-server API with no end-user web UI beyond AWS admin pages. A Mozilla consumer site POSTs submissions to a rate limiting queue, which POSTs to an external web service and then POSTs results back to the consumer site.
Amazon CloudWatch logging is used, do we need mozlog?
Ideally we'd want mozlog here, this would save us from having to write a new decoder for the log data.
Since the log data is in CloudWatch we will likely want to look at hooking that feed up to a Kinesis stream for consumption as part of the stack deployment.
The RRA for watchdog has been completed
No admin panels, so I'm checking those boxes off
Since the log data is in CloudWatch we will likely want to look at hooking that feed up to a Kinesis stream for consumption as part of the stack deployment.
@ameihm0912 I'm not sure the details of that. Is it instead of us converting the application to use mozlog or in addition to?
Just saw HSTS filed as a separate issue (#191) - but do we actually need HSTS here? This isn't a service or site intended for use in a browser, and HSTS looks like it's intended to tell browsers to upgrade from HTTP to HTTPS connections. This is a server-to-server microservice, so we should probably just deny http connections altogether (if we're not already)
Also there are still other open questions on this issue for remaining checkboxes. Not sure who to ping about them. /cc @jvehent? @ameihm0912?
@clouserw @lmorchard the thought here was to get a feed of log data from the service we can analyze for abuse. Getting the feed is probably more important than the mozlog conversion; I can create a bug for this.
I checked off HSTS here, in favor of #191
I filed https://github.com/mozilla-services/foxsec/issues/1074 to check off the inform checkbox.
@oremj: Are you able to confirm:
@jvehent / @moz-jvehent
We're using Amazon's CloudWatch. Do we need mozlog?
Yes. Mozlog is the format, cloudwatch is the transport/storage. Ultimately, we want those logs to be treated like standard application logs.
Do we need to run the security baseline w/ @psiinon? This is an internal API Do we need an OpenAPI resource here? Again, this is an internal API
No. You may if you want to, but those recommendations are primarily for public endpoints.
I filed #196 to use the mozlog format and I'll check it off the list above
@oremj . Are you able to confirm?
I will double check log retention.
I'm not up to date on Modern/Intermediate TLS definitions, but here is the current state: https://www.ssllabs.com/ssltest/analyze.html?d=watchdog-proxy.services.mozilla.com&hideResults=on&latest
Thanks jeremy. @jvehent that ssllabs link seems to think we're doing alright. Would you confirm we're using modern TLS? ^
You're on intermediate TLS, which is good enough.
- Mozilla evaluation: intermediate
The logs are currently going to cloudwatch logs and sticking around for longer than 90 days. We need to figure out a way to find the new log groups that spin up and set an expiration on them.
How critical is this?
Risk Management
Infrastructure
strict-transport-security: max-age=31536000
services.mozilla.com
, it must be manually added to Firefox's preloaded pins.Development
nsp check
for node.js (see usage in FxA and screenshots)pip list --outdated
or requires.io or pyup outdated checkscargo update
and cargo upgrade when changing versionsDual Sign Off
Logging
Security Headers
Must have a CSP witha report-uri pointing to the service's own/__cspreport__
endpointweb API responses should returndefault-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__
to disallowing all content rendering, framing, and report violationsif default-src is notnone
, frame-src, and object-src should benone
or only allow specific originsno use of unsafe-inline or unsafe-eval in script-src, style-src, and img-srcSet the Secure and HTTPOnly flags on Cookies, and use sensible ExpirationMake sure your application gets an A+ on the Mozilla ObservatorySecurity Features
Session Management should be via existing and well regarded frameworks. In all cases you should contact the security team for a design and implementation reviewextensions.webextensions.restrictedDomains
. This will prevent a malicious extension from being able to steal sensitive information from it, see bug 1415644.Databases
All SQL queries must be parameterized, not concatenatedCommon issues
User data must be escaped for the right context prior to reflecting itApply sensible limits to user inputs, see input validationIf handling cryptographic keys, must have a mechanism to handle quarterly key rotationstarget="_blank"
in external links unless you also userel="noopener noreferrer"
(to prevent Reverse Tabnabbing)cc @ameihm0912 to run the RRA