Page MenuHomePhabricator

Restrict outgoing network connections from Electron render service
Closed, ResolvedPublic

Description

As part of its task of rendering web pages to PDF, Electron / Chrome loads linked resources like images, stylesheet and scripts from the network. While the sanitized HTML we will render should not contain references to private IPs, we should rely on this as the sole protection.

An option for restricting access from this service to public IPs would be to set up an iptables rule matching on the service user, and dropping any requests to the private production IPs. Examples: iptables -A OUTPUT -o eth0 -m owner --uid-owner 1000 .., man page.

Another might be to use a proxy, although this would likely affect performance negatively.

Related Objects

StatusAssignedTask
ResolvedJhernandez
Resolved atgo
DeclinedNone
ResolvedNone
DeclinedNone
OpenJKatzWMF
StalledNone
ResolvedWMDE-Fisch
ResolvedAddshore
InvalidNone
InvalidNone
ResolvedTobi_WMDE_SW
ResolvedTobi_WMDE_SW
Resolvedgabriel-wmde
ResolvedAddshore
ResolvedTobi_WMDE_SW
ResolvedTobi_WMDE_SW
ResolvedTobi_WMDE_SW
DeclinedNone
ResolvedTobi_WMDE_SW
Resolved GWicke
Resolved dpatrick
Resolved Lea_WMDE
ResolvedAddshore

Event Timeline

Just following up on some lingering security reviews. I know that this service has been deployed. Do we have appropriate firejail and iptables rules in place now to restrict egress?

Just following up on some lingering security reviews. I know that this service has been deployed. Do we have appropriate firejail and iptables rules in place now to restrict egress?

The service cannot establish any connections outside of the production environment because it does not contact the production proxy, so any attempt to request an external resource will simply time out.

dpatrick closed this task as Resolved.Nov 22 2017, 6:33 PM
dpatrick claimed this task.

Just following up on some lingering security reviews. I know that this service has been deployed. Do we have appropriate firejail and iptables rules in place now to restrict egress?

The service cannot establish any connections outside of the production environment because it does not contact the production proxy, so any attempt to request an external resource will simply time out.

Thanks Marko. That works. I'll close this ticket.