
URL that loads .ksy file(s) to IDE #124

Open
scottprahl opened this issue Mar 15, 2021 · 3 comments

Comments

@scottprahl

I would like to request an enhancement so that a link could be created that automatically loads files to the Kaitai Web IDE. Something like

https://ide.kaitai.io?url1=https://github.com/scottprahl/RigolWFM/ksy/wfm1000e.ksy&url2=https://github.com/scottprahl/RigolWFM/wfm/DS1000E-A.wfm

A single click would allow users to open the IDE with all the needed files to start working.

Thanks

@koczkatamas (Member) commented Mar 16, 2021

One security aspect that should be considered regarding this request (which was one of the reasons I have not implemented this functionality yet):

  • if we plan any feature where the WebIDE stores some secret (e.g. Github integration & GH token)
  • AND we don't sandbox the ksy generation / binary parsing functionality
  • AND a malicious party can create a ksy file which will cause RCE (e.g. using our expression language)

then this functionality will change the attack scenario from tricking the user into opening an unknown .ksy file into a 1-click RCE (using e.g. a link shortener service to hide the URL).

I know that there are a lot of IFs and ANDs in the statements above, but I still think this aspect should also be weighed against the gains we get from the better UX / usability (which can be a killer feature, of course).

Note: the WebIDE v2 (which is not under development currently AFAIK) planned to support both GH integration & sandboxing, so this would not be an issue there.

@scottprahl (Author)

One approach would be to mark all files uploaded via URL as tainted, so that they can only be untainted through explicit user interaction.

A second possible approach would be to limit access to a directory, for example

https://colab.research.google.com/github/scottprahl/RigolWFM/blob/master

Here Google Colaboratory opens a dialog for the user to select the file to load. This is followed by a stern warning that the original file is not from Google before any execution will take place. This adds at least two more clicks to any RCE :-)

Colab also allows a specific file to be downloaded without the initial file selection dialog.

https://colab.research.google.com/github/scottprahl/RigolWFM/blob/master/docs/1-DS1000C-Waveforms.ipynb

However, they still put up a warning before being able to run the code.

@KOLANICH

> if we plan any feature where the WebIDE stores some secret (e.g. Github integration & GH token)

To fetch files from GH no token is needed. The files are public info. For using a large part of the GH API no token is needed either.

Though the same-origin policy may be an issue - need to verify if that is the case, but AFAIK GH allows CORS.

> AND a malicious party can create a ksy file which will cause RCE (e.g. using our expression language)

A malicious third party can create a ksy with RCE and persuade people to transpile it with the JVM version of KSC and then execute the result.

I guess it is enough to

  1. disallow importing into KSC via a specially crafted URI. Allow import only from the GUI.
  2. Add a big red warning in the GUI.
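The thread above discusses two mitigations for a `?url1=...&url2=...` entry point: tainting everything that arrives via URL until the user explicitly confirms it (scottprahl), and restricting or refusing URL-driven imports so that an attacker cannot turn a link into a one-click load (KOLANICH). The sketch below is an added example written for this page, not Kaitai Web IDE code, and it illustrates both ideas in one place. It assumes, hypothetically, that the IDE lives at `https://ide.kaitai.io/`, that GitHub is the only permitted remote source (so a link-shortener host never passes validation), and that nothing tainted may be parsed or compiled until the user clears it after a warning. The `planLoad` function only decides what may be fetched; it performs no network access, and the sample landing URLs in the comments are constructed for illustration.

```javascript
// Added example, not Kaitai Web IDE code: a guarded "load files from URL" entry point.
// Assumptions (hypothetical): the IDE lives at https://ide.kaitai.io/, the only
// permitted remote source is GitHub, and every remote file enters the workspace
// tainted until the user explicitly confirms it in the GUI.

// Hosts we are willing to fetch from. A link shortener or arbitrary host never
// passes this check, so the URL the user sees is the URL that gets fetched.
const ALLOWED_HOSTS = new Set(["raw.githubusercontent.com", "github.com"]);

// Collect url1, url2, ... from the IDE landing URL, in numeric order.
function parseLoadRequests(ideUrl) {
  const params = new URL(ideUrl).searchParams;
  const found = [];
  for (const [key, value] of params) {
    const m = /^url(\d+)$/.exec(key);
    if (m) found.push({ n: Number(m[1]), value });
  }
  return found.sort((a, b) => a.n - b.n).map((f) => f.value);
}

// Map a github.com "blob" URL to the raw-content URL that actually serves the bytes.
// A ref containing "/" cannot be told apart from the path here, so such URLs
// are simply not recognised and get rejected by the caller.
function toRawGithubUrl(u) {
  const parts = u.pathname.split("/").slice(1); // [owner, repo, "blob", ref, ...path]
  if (parts.length < 5 || parts[2] !== "blob") return null;
  const [owner, repo, , ref, ...path] = parts;
  return `https://raw.githubusercontent.com/${owner}/${repo}/${ref}/${path.join("/")}`;
}

// Accept only https URLs on allow-listed hosts, without embedded credentials.
// Returns { ok: true, url } with the URL that would be fetched, or { ok: false, reason }.
function validateSource(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: "scheme" }; // also rejects javascript:, data:, http:
  if (u.username || u.password) return { ok: false, reason: "credentials" };
  if (!ALLOWED_HOSTS.has(u.hostname)) return { ok: false, reason: "host" };
  if (u.hostname === "github.com") {
    const rawUrl = toRawGithubUrl(u);
    if (!rawUrl) return { ok: false, reason: "not a blob URL" };
    return { ok: true, url: rawUrl };
  }
  return { ok: true, url: u.toString() };
}

// Workspace that refuses to parse or compile any file still carrying the "tainted" flag.
class Workspace {
  constructor() {
    this.files = new Map();
  }
  // Remote files are tainted on arrival: the URL was chosen by whoever built the link.
  addFromUrl(name, content, sourceUrl) {
    this.files.set(name, { content, sourceUrl, tainted: true });
  }
  // Files the user picked locally keep the existing trust model.
  addFromLocal(name, content) {
    this.files.set(name, { content, sourceUrl: null, tainted: false });
  }
  // Only an explicit GUI action (after a warning that names sourceUrl) clears the taint.
  untaint(name) {
    const f = this.files.get(name);
    if (f) f.tainted = false;
    return !!f;
  }
  canProcess(name) {
    const f = this.files.get(name);
    return !!f && !f.tainted;
  }
}

// Decide what the IDE may fetch from a landing URL; nothing is fetched or compiled here.
function planLoad(ideUrl) {
  const accepted = [];
  const rejected = [];
  for (const raw of parseLoadRequests(ideUrl)) {
    const v = validateSource(raw);
    if (v.ok) accepted.push(v.url);
    else rejected.push({ raw, reason: v.reason });
  }
  return { accepted, rejected };
}

// Constructed sample landing URL: one GitHub blob link and one shortener link.
const SAMPLE_LANDING_URL =
  "https://ide.kaitai.io/?url1=https://github.com/scottprahl/RigolWFM/blob/master/ksy/wfm1000e.ksy" +
  "&url2=https://bit.ly/x";
console.log(JSON.stringify(planLoad(SAMPLE_LANDING_URL), null, 2));
```

Note that the exact URL from the opening comment (`https://github.com/scottprahl/RigolWFM/ksy/wfm1000e.ksy`, with no `blob/<ref>` segment) is rejected by this validator as "not a blob URL": the allow-list is deliberately strict about the shape of what it will fetch, and the user is told why rather than being silently redirected. The taint flag is per file, so a `.wfm` sample loaded alongside a `.ksy` also needs its own confirmation before the parser runs over it.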
