rawpython / remi

Python REMote Interface library. Platform independent. In about 100 Kbytes, perfect for your diet.
Apache License 2.0

security and remi on production server #476

Closed Wouter1 closed 1 year ago

Wouter1 commented 2 years ago

I read on the main page the quote below. This is a deal breaker, because writing a web application is, in the end, to put on the web...

Is it possible to make this more secure? Or, what do the tips like "not expose its access" or "when loading data from external sources" actually imply? How would I even know what Remi accesses internally regarding external sources?

May I suggest giving examples on how to actually do this?

"Remi should be intended as a standard desktop GUI framework. The library itself doesn't implement security strategies, and so it is advised to not expose its access to unsafe public networks.

When loading data from external sources, consider protecting the application from potential javascript injection before displaying the content directly."

Wouter1 commented 2 years ago

Not sure if it helps, but I got a message from the security team indicating that a Nessus scan showed issues with the Remi application. My application itself is a very simple page with a few buttons and combo boxes only. Hard to imagine at this level what a Nessus security error even means.

awesomebytes commented 2 years ago

I may be wrong, but my belief is that this project aims to provide a way to make apps to control or monitor things in a controlled environment. Kind of a development or debugging interface. Not a real website for the world to visit. I think of an intranet configuration interface or a robot management interface.

I haven't followed the changes on the codebase for a while, however, my understanding is that the interface is created by injecting JavaScript (which makes the system really flexible to do anything you want). Which may need a fair amount of sanity checking to avoid the possibility of misuse.

If you plan to do web development, this is not really for web development, I see it more of a Qt/Tkinter library that can run on the browser and has a quite simple API.


Wouter1 commented 2 years ago

@awesomebytes
For me the idea is that you can make an application that runs both standalone (=secure, special users, and for testing) and can be deployed (for general use/demos/SAS etc).

I don't want to do "web development". I'm writing a simple app, not a web system. That's why this tool seemed so useful. It takes away all that "web development" stuff (servers, browsers, server/client side stuff, etc etc) that I don't care about for this project.

dddomodossola commented 2 years ago

You are both right my friends. Remi is not intended to make websites. It is made for local or intranet interfaces. So, it is safe to use it in a safe network. To use it remotely consider using a VPN, a proxy and so on to obfuscate and protect the server.

Wouter1 commented 2 years ago

@dddomodossola thanks.

Can you clarify a bit further? I'm primarily concerned with security on the server side. I have this simple app with a few buttons and text input fields. The text is processed on the server, in python, to extract some features. If we would use a VPN or proxy as you suggest, would it really be secure or just that it looks superficially to be more safe? So, would the inherently unsafe calls still be possible? If the VPN or proxy alleviates this, would we need specific settings or filters somewhere? What configuration are you thinking of?

dddomodossola commented 2 years ago

@Wouter1 using a VPN you make the application accessible only by trusted clients, so the security is implicit. Nonetheless, you can limit the application to be accessible only on local machine, by configuring a server address as 127.0.0.1.
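As an added example (not code from this issue or from Remi itself), a minimal app that follows the two pieces of advice in this thread: it binds only to 127.0.0.1 unless explicitly told otherwise, and it HTML-escapes text coming from an input field before placing it in a widget, since Remi inserts widget text into the page as markup. The helper names `escape_for_widget` and `server_settings` are mine; the `remi.start` keyword arguments are assumed from Remi's public API.

```python
import html

LOOPBACK = "127.0.0.1"


def escape_for_widget(untrusted: str) -> str:
    """Escape text from an untrusted source (form field, file, network reply) so the
    browser shows it verbatim instead of interpreting it as HTML or script."""
    return html.escape(untrusted, quote=True)


def server_settings(public: bool = False) -> dict:
    """Keyword arguments for remi.start(). The default binds to the loopback
    interface only, matching the maintainer's advice; binding to all interfaces
    must be requested explicitly."""
    return {
        "address": "0.0.0.0" if public else LOOPBACK,
        "port": 8081,
        "start_browser": False,
        "multiple_instance": True,
    }


def main():
    # Remi is imported here so the helpers above stay usable without it installed.
    from remi import App, gui, start

    class EchoApp(App):
        def main(self):
            box = gui.VBox(width=400)
            self.inp = gui.TextInput()
            self.out = gui.Label("")
            btn = gui.Button("Show")
            btn.onclick.do(self.on_show)
            box.append(self.inp)
            box.append(btn)
            box.append(self.out)
            return box

        def on_show(self, widget):
            # Unsafe pattern: self.out.set_text(self.inp.get_value())
            # Hardened: escape before the text becomes part of the page.
            self.out.set_text(escape_for_widget(self.inp.get_value()))

    start(EchoApp, **server_settings())


if __name__ == "__main__":
    main()
```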

Wouter1 commented 2 years ago

@dddomodossola It seems there is a misunderstanding. By "putting it on the web" I do mean public. And certainly not localhost.

So there is no "trusted client" at all.

dddomodossola commented 2 years ago

@Wouter1 ok I understand, but remi is not intended to be used this way. I'm afraid, you need a website in this case.