Swank Wiki
Swank v0.04.04

Security

The scripting in this wiki is done with perl embedded in the wiki pages.

That means we are running untrusted perl code entered by the user.

While this is great for rapid development, this makes the security situation a "disaster waiting to happen."

It cannot stay that way in the beta version, so there are plans to change the situation in the future.

Mitigation

In the meantime, these are the measures taken to mitigate the security threats.

First, only users in the admin group are allowed write access to any pages containing perl code.  All perl code is within [ % tags % ], so we check for those and do not allow other users to edit the page, even if they have edit access otherwise.  We also check for those characters in the input parameters and trigger a security error for non-admins.  There may still be devious ways to get the code in, but this closes the obvious threat.  Make sure only users you trust have admin access.
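The gate described above, as an added example in Perl; this is not Swank's own code. It checks the page being edited, the proposed new text, and every decoded request parameter for the code tags, and refuses the edit unless the user is in the admin group. The function names, the argument layout and the is_admin flag are assumptions made for illustration, and the sample requests are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Does the text contain the embedded-perl delimiters?  The wiki's
# code tags are the characters [ % and % ] written without spaces.
sub contains_code_tags {
    my ($text) = @_;
    return 0 unless defined $text;
    return ($text =~ /\[%|%\]/) ? 1 : 0;
}

# Hypothetical policy check (assumed layout, not Swank's code).  Arguments:
#   is_admin    - whether the requesting user is in the admin group
#   old_content - current text of the page being edited (undef if new)
#   new_content - text the user wants to save
#   params      - hashref of the already-decoded request parameters
# Returns (1, undef) if the edit may proceed, (0, $reason) otherwise.
sub authorize_edit {
    my (%args) = @_;

    # Admins may write any page, including ones containing code.
    return (1, undef) if $args{is_admin};

    # A page that already contains code is off limits to non-admins,
    # even if they would otherwise have edit access to it.
    return (0, 'page contains perl code; admin access required')
        if contains_code_tags($args{old_content});

    # Non-admins must not be able to introduce code into a page.
    return (0, 'edit would add perl code; admin access required')
        if contains_code_tags($args{new_content});

    # Code tags in any request parameter are a security error.
    my $params = $args{params} || {};
    for my $name (sort keys %$params) {
        return (0, "security error: code tags in parameter '$name'")
            if contains_code_tags($params->{$name});
    }

    return (1, undef);
}

# Constructed sample requests (not real traffic).
my @cases = (
    { who => 'editor', is_admin => 0,
      old_content => 'Plain page.', new_content => 'Plain page, edited.',
      params => { page => 'Start' } },
    { who => 'editor', is_admin => 0,
      old_content => 'Total: [% 1 + 1 %]', new_content => 'Total: 3',
      params => { page => 'Stats' } },
    { who => 'editor', is_admin => 0,
      old_content => 'Hello', new_content => 'Hello [% print "hi" %]',
      params => { page => 'Start' } },
    { who => 'editor', is_admin => 0,
      old_content => 'Hello', new_content => 'Hello',
      params => { page => 'Start', title => 'x %] y' } },
    { who => 'admin', is_admin => 1,
      old_content => 'Total: [% 1 + 1 %]', new_content => 'Total: [% 2 + 2 %]',
      params => { page => 'Stats' } },
);

for my $c (@cases) {
    my ($ok, $why) = authorize_edit(%$c);
    my $verdict = $ok ? 'allowed' : "denied: $why";
    printf "%-6s %s\n", $c->{who}, $verdict;
}
```

Run it as a plain script: the first and last cases are allowed, the other three are denied with the reason shown. The check runs on parameters after the web layer has decoded them, so the comparison is against what the wiki would actually store or evaluate. It only recognises the literal delimiters, which is exactly the limitation the text acknowledges; it is a gate on the obvious path, not a substitute for restricting admin membership.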

See /todo/43 for notes on the security audit.

Running the webserver in a chroot jail or virtual machine is always a good idea.

Future Plans

For a secure product, perl will not work as an untrusted scripting language.  Any method of making something safe, or even read-only, has another method of escaping from the cage.  Perl's flexibility is a great strength, but we do not want untrusted users to have access to all that power.

The solution is to do scripting in another language, so we can control what it can do and what it has access to.  The obvious candidates are the same solutions others have used: server-side javascript, and a custom macro language.  There is a perl module for running javascript, which will make that route easier.  I have no plans for a formal macro language, but I expect an informal one to grow out of the calling of other pages to do things.