nteract / bookstore

📚 Notebook storage and publishing workflows for the masses
https://bookstore.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Document bookstore threat model, security risks, and mitigations #151

Open rgbkrk opened 5 years ago

rgbkrk commented 5 years ago

In order to help folks understand why they are landing on the bookstore cloning page (served as text/html), we should outline the threat model, security risks, and mitigations.

Summary

Some initial users have complained about having an extra click when cloning. It definitely slows the intended user experience of a smooth way to share notebooks.

We need to mitigate the risk of users loading notebooks that they didn't wish to onto their compute. Since the Jupyter notebook server is one big remote code execution platform, the holy grail of security vulnerabilities, we have to be extra vigilant. While there are many other ways to attempt to exploit the overall system, we don't wish for our portion to be a wide attack vector.

Scenario

Malicious notebook is sitting on Bucket MyBucket at path my/notebook/path.ipynb

User is passed a link looking like:

http://localhost:8888/bookstore/clone?s3_bucket=MyBucket&s3_key=my/notebook/path.ipynb

With our current clone page, the user has to decide if they mean to import this notebook.
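The click-through flow from the scenario above, as an added example that is not part of the original issue and not bookstore's own code: following the link with GET only renders a text/html confirmation page, and the notebook is fetched only on a confirmed POST. The names `parse_clone_link` and `handle_clone`, the `fetch` callback, and the token check on POST are assumptions made for illustration.

```python
import hmac
import html
from urllib.parse import urlsplit, parse_qs


def parse_clone_link(url):
    """Extract (bucket, key) from a /bookstore/clone link; reject anything else."""
    parts = urlsplit(url)
    if parts.path != "/bookstore/clone":
        raise ValueError("not a clone link")
    query = parse_qs(parts.query)
    bucket = query.get("s3_bucket", [""])[0]
    key = query.get("s3_key", [""])[0]
    if not bucket or not key:
        raise ValueError("s3_bucket and s3_key are required")
    return bucket, key


def handle_clone(method, url, fetch, session_token="", form_token=""):
    """Return (status, content_type, body); `fetch` runs only on a confirmed POST."""
    try:
        bucket, key = parse_clone_link(url)
    except ValueError as exc:
        return 400, "text/plain", str(exc)
    if method == "GET":
        # Following a link only shows what would be imported; nothing is downloaded.
        # Bucket and key are attacker-controlled, so they are HTML-escaped.
        body = (
            "<form method='post'>"
            f"<p>Clone <code>{html.escape(key)}</code> from bucket "
            f"<code>{html.escape(bucket)}</code>?</p>"
            f"<input type='hidden' name='_xsrf' value='{html.escape(session_token)}'>"
            "<button>Clone</button></form>"
        )
        return 200, "text/html", body
    if method == "POST":
        # Assumed check: the form must echo the session's token, so another
        # site cannot auto-submit the confirmation on the user's behalf.
        if not session_token or not hmac.compare_digest(
            session_token.encode(), form_token.encode()
        ):
            return 403, "text/plain", "missing or invalid confirmation token"
        fetch(bucket, key)
        return 200, "text/plain", f"cloned {key}"
    return 405, "text/plain", "method not allowed"
```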

willingc commented 5 years ago

@rgbkrk I've split this into 2 issues. This issue is a more in-depth security doc; #152 is a quick mention in the docs.

willingc commented 5 years ago

Draft Outline

Threat model

Security risks

Mitigations