tomimick / chrome-ext-save-css

Chrome extension to automatically save changes in CSS and JS into local disk.
http://tomicloud.com
29 stars 5 forks

server implementation should have rudimentary security :) #5

Open jamie-pate opened 12 years ago

jamie-pate commented 12 years ago

As I currently read server.py, this will write the file anywhere on the host machine? With the only security being that it's bound to localhost.

I have at least added a regex match on the path:

    import re

    # Reject writes whose path does not start with the allowed directory
    if re.match('^/path/to/chroot/jail', fpath):

A password might be nice too, otherwise anyone could just write a web app that fishes for this server and starts writing stuff all over.
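As an added illustration (not code from this repository or from either commenter), the prefix regex check from the comment above is shown next to a check that normalizes the path before comparing it against the allowed directory; the directory and file names are constructed examples, and the real server would substitute its own setting.

```python
import os
import re

# Constructed example directory; the real server would use its own setting.
ALLOWED_ROOT = "/path/to/chroot/jail"


def naive_path_ok(fpath, root=ALLOWED_ROOT):
    """Prefix regex as posted above: accepts any path that merely starts
    with the root string, so '..' segments and sibling directories whose
    name begins with 'jail' also pass."""
    return re.match("^" + re.escape(root), fpath) is not None


def hardened_path_ok(fpath, root=ALLOWED_ROOT):
    """Normalize first ('..' and '.' collapsed), then require the result to
    be the root itself or a descendant of it. os.path.normpath is used here
    so the check runs offline; a deployed server should use os.path.realpath
    so symlinks inside the directory are resolved as well."""
    root_abs = os.path.normpath(os.path.abspath(root))
    target = os.path.normpath(os.path.abspath(fpath))
    # commonpath compares whole path components, so "/jail" is not a
    # prefix of "/jailbreak"; both arguments are absolute, as it requires.
    return os.path.commonpath([root_abs, target]) == root_abs


def compare(fpath):
    """Return (naive_result, hardened_result) for one candidate path."""
    return naive_path_ok(fpath), hardened_path_ok(fpath)


if __name__ == "__main__":
    # Constructed sample paths a browser extension might send.
    for p in ("/path/to/chroot/jail/app/style.css",
              "/path/to/chroot/jail/../../../etc/passwd",
              "/path/to/chroot/jailbreak/app.js",
              "/etc/passwd"):
        print(p, compare(p))
```

The second and third sample paths pass the prefix regex but are rejected once the path is normalized and compared component by component.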

tomimick commented 12 years ago

Yep, didn't implement much security as this is a power tool for smart developers who should know what they run :) Ease of use over security.

However, security could be improved by

  1. run the script as a low-privileged user: "sudo lowuser python server.py"
  2. chroot the script
  3. check the path like you suggest

I have coded the last two mechanisms as options in the upcoming 1.0.2 script.

jamie-pate commented 12 years ago

A simple key or password would probably be nice too. Path checking will prevent most fishing, but if the fisherman can guess your development path, they could poison your code with all sorts of exploits.

tomimick commented 12 years ago

I think password auth would be overkill for this tool, and I'm feeling too lazy to implement it now...