counter-spells
KEEPING YOUR APPLICATION SAFE
and the art of
Slide 2
Slide 2 text
IN WHICH I REALLY WISH
I DON’T DIE
Slide 3
Slide 3 text
No content
Slide 4
Slide 4 text
story time
Slide 5
Slide 5 text
55 authors
665 commits to master
750 commits to all branches
March 20, 2017 – April 20, 2017
1,967 file changes
29,064 additions / 21,314 deletions
shipping to prod > 100times a day
Slide 6
Slide 6 text
real-time editor that allows HTML input
data sanitization is required
⚡
Slide 7
Slide 7 text
No content
Slide 8
Slide 8 text
[ browsers are wonderful and weird ]
( really really weird )
Slide 9
Slide 9 text
[ .href can sometimes be undefined even if
present ]
Slide 10
Slide 10 text
No content
Slide 11
Slide 11 text
No content
Slide 12
Slide 12 text
[ know your enemy. ]
( and that might not always be just users )
Slide 13
Slide 13 text
prepare for battle
[ prepare your spells. ]
Slide 14
Slide 14 text
[ code that deals with weirdness better ]
[ detect & alert on weirdness ]
Slide 15
Slide 15 text
HTML
templates
JavaScript
controllers
components
Slide 16
Slide 16 text
Html Escaping
Hypertextescaptus
(hyper-text-ESC-aptus )
web framework’s rendering layer
escape HTML
H
Use for protection against XSS
Slide 17
Slide 17 text
.js
.hbs
.html
Slide 18
Slide 18 text
https://gist.github.com/ingride
Slide 19
Slide 19 text
[ avoid having to decide if html is safe ]
dangerouslySetInnerHTML -
React
htmlSafe in Ember
trustAsHtml - Angular
Slide 20
Slide 20 text
Good Components
BonumPars
(bonum-pars)
GC
make component arguments
not be de-facto public API
smaller components
Slide 21
Slide 21 text
just a simple title a styled message
Slide 22
Slide 22 text
] - title component
] - body component
super-card-component
Slide 23
Slide 23 text
each component decides on implementation while invocation
remains the same
composition instead of inheritance
better encapsulation and clarity
Good Helpers
BonumAuxilium
(bonum-auxilium)
GH
prefer updating the DOM over
returning HTML
Slide 26
Slide 26 text
create a text node
set attributes
append the anchor child element
return the the node
use the DOM to create an element
Slide 27
Slide 27 text
Avoid Triple Curlies
TripliciCrispusExpellus
(Tri-pli-ci-crispus )
using on direct user input can
introduce vulnerabilities
{{{
{{{ = htmlSafe() for templates
Slide 28
Slide 28 text
good helpers +
good components
=
♥
Slide 29
Slide 29 text
Thou Shall Noopen
NoopenerNoreferrerExpellus
(apertus-tour-expellus)
N
always use noopener AND noreferrer
with target=‘_blank’
Slide 30
Slide 30 text
newly opened tab can change the
window.opener.location to a phishing page
window.opener.location is fair game
Firefox uses noreferrer-only until v.52
partial access to the linking page via window.opener
Slide 31
Slide 31 text
static analysers
regexp are evil
watermarks are ♥
Detect & Alert
esLint & template linters
Slide 32
Slide 32 text
use the abstract syntax tree ( AST )
for Mustache: MustacheStatement
target= ‘_blank’ / elements : ElementNode & node attributes
plug it in with your cli
Slide 33
Slide 33 text
https://github.com/rwjblue/ember-template-lint
Slide 34
Slide 34 text
story time
Slide 35
Slide 35 text
[ before esLint there was…
grep]
Slide 36
Slide 36 text
postBuild hook to get real-time feedback
find + grep + regexp + wc to get the count
compare the count against a static limit
fail the build if numbers don’t match
Slide 37
Slide 37 text
[ regexp are like black magic. They're
powerful & get the job done, but you
also fear them and might have to sell
your soul in the process ]
[ regexp rage by ingride ]
Slide 38
Slide 38 text
EsLint
BonumLintum
(bonum-LINT-um)
EL
Introduce a line in the sand
for blacklisted methods
Use linters for real-time feedback
in dev
Slide 39
Slide 39 text
esLint plugin with a custom rule that
checks for blacklisted methods
Slide 40
Slide 40 text
No content
Slide 41
Slide 41 text
esLint CLI + custom rule to get the count
fail the build if errorCount > max allowed
enable esLint cache for increased performance
integration with ember-cli
Slide 42
Slide 42 text
No content
Slide 43
Slide 43 text
from ♥
with
[ blacklist methods addon coming soon ]
Slide 44
Slide 44 text
Content Security Policy
SecuritasContentus
(SECUR-itas-kontent-us )
mitigates XSS & data-injection attacks
CSP
use to whitelist "safe" script hosts
use v2 and v3 only
use with hash-source & nonce-source
Slide 45
Slide 45 text
CSP
Clean
code
Tools
block
deal with
weirdness
alert on
weirdness