I've filled out the security review form (below) as it relates to the EventGate codebase and service(s), but what we are mostly looking for is a security review of our usage of AJV:
We are proceeding with a new nodejs based stream intake service (EventGate) in T206815. We are planning to use Ajv to do JSONSchema event validation. "Ajv generates code using doT templates to turn JSON Schemas into super-fast validation functions".
We have control over the schemas that will be used by this service, and there will be restrictions on what JSONSchema features can and cannot be used in our schemas. Even so, the fact that this service will look up JSONSchemas based on incoming (user supplied) URIs means that we need to be very careful about what we ask Ajv to do. We think that by restricting the URIs from which this service is allowed to download JSONSchemas we can avoid potential security issues with Ajv code generation, but we should do a security review of this plan with security engineers to see what they think.
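As an added illustration of the two guards described above (an allowlist for the URIs a schema may be looked up from, and a check for schema features we would not allow) here is example code that is not part of EventGate or Ajv; the allowed base URI, the disallowed keyword set and the sample schema are assumed, constructed values.

```javascript
// Added example (not EventGate's or Ajv's code): guards run before a fetched
// JSONSchema is handed to Ajv for code generation. Uses Node's global URL class.

// Constructed allowlist of schema base URIs (hypothetical values, not EventGate config).
const ALLOWED_SCHEMA_BASES = ['https://schema.example.org/repositories/primary/'];

// Keywords whose compiled validators run schema-supplied regexes (the ReDoS
// concern). Treating `format` as disallowed is an assumed policy choice.
const DISALLOWED_KEYWORDS = new Set(['pattern', 'patternProperties', 'format']);
// Keywords whose object keys are property/definition names, not schema keywords.
const NAME_MAP_KEYWORDS = new Set(['properties', 'definitions', '$defs', 'dependencies']);
// Keywords whose values are data, not subschemas; never descend into them.
const DATA_KEYWORDS = new Set(['enum', 'const', 'default', 'examples']);

// Resolves `ref` against `base` and returns the absolute URI only if it lies
// under an allowed base, otherwise null. URL normalisation collapses '..'
// segments, so a relative reference cannot traverse out of the base path, and
// the trailing slash on each base stops prefix tricks like 'primary-evil/'.
function resolveSchemaUri(ref, base) {
  let url;
  try { url = new URL(ref, base); } catch (e) { return null; }
  if (url.protocol !== 'https:' || url.username || url.password) return null;
  return ALLOWED_SCHEMA_BASES.some((b) => url.href.startsWith(b)) ? url.href : null;
}

// Walks a parsed schema and returns JSON-pointer-style paths of every disallowed
// keyword and every $ref that resolves outside the allowlist. An empty array
// means the schema may be compiled; `inNameMap` marks objects whose keys are
// names (e.g. under `properties`), so a property called "pattern" is not flagged.
function findSchemaViolations(schema, base, path = '', inNameMap = false) {
  const out = [];
  if (Array.isArray(schema)) {
    schema.forEach((s, i) => out.push(...findSchemaViolations(s, base, `${path}/${i}`)));
    return out;
  }
  if (schema === null || typeof schema !== 'object') return out;
  for (const [key, value] of Object.entries(schema)) {
    const here = `${path}/${key}`;
    if (inNameMap) { out.push(...findSchemaViolations(value, base, here)); continue; }
    if (DATA_KEYWORDS.has(key)) continue;
    if (DISALLOWED_KEYWORDS.has(key)) out.push(here);
    else if (key === '$ref') { if (resolveSchemaUri(String(value), base) === null) out.push(here); }
    else out.push(...findSchemaViolations(value, base, here, NAME_MAP_KEYWORDS.has(key)));
  }
  return out;
}
```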
Project Information
- Name of tool/project: EventGate
- Project home page: https://phabricator.wikimedia.org/T201068
- Name of team requesting review: Analytics Engineering & Core Platform
- Primary contact: Andrew Otto
- Target date for deployment: February 2019
- Link to code repository / patchset: https://github.com/wikimedia/eventgate
Description of the tool/project
EventGate takes in JSON events via HTTP POST, validates against a JSONSchema and then produces them to a pluggable destination (usually to Kafka).
Description of how the tool will be used at WMF
EventGate will replace our usages of EventLogging for Analytics and the production EventLogging EventBus service, allowing us to unify our event intake systems.
Dependencies
None.
Has this project been reviewed before?
No.
Working test environment
With nodejs 10 and npm installed:
git clone https://github.com/wikimedia/eventgate.git
cd eventgate
npm test
Post-deployment
Analytics Engineering & Core Platform - Andrew Otto
TODOs from Security Review Comment
In T208251#4936690, @sbassett wrote:
Vulnerable/Outdated JavaScript Packages
- swagger-ui < 3.4.2 - WON'T FIX: needs fixing in service-template-node
- lodash <= 4.17.5
  - cassandra-uuid
  - eslint-config-wikimedia
  - eslint-plugin-jsdoc
- jquery 1.8.0.min - WON'T FIX: needs fixing in service-template-node via swagger-ui update
- jquery 1.7.1 (clarinet/test/lib/jquery.js) - WON'T FIX: test dependency
- jquery 1.9.1 (domino/test/fixture/jquery-1.9.1.js) - WON'T FIX: test dependency
- jquery 2.2.0 (domino/test/fixture/jquery-2.2.0.js) - WON'T FIX: test dependency
DoS Vectors
- Ajv
- ReDoS - open issue - We won't allow these types of features in our schemas.
Proxy Issues
- there are potential issues around this app requesting external schema URLs. - Restricting to controlled domains.
Security Headers
- media-src *; img-src *; style-src *; csp directives for the x-webkit-csp and x-content-security-policy headers might be overly-permissive within the context of a service-based app with a single POST endpoint. Risk: Low - Using default-self by removing csp from configs.
- * for the access-control-allow-origin CORS header might also be overly-permissive within the context of this application. Risk: Low - Set cors: false
Non-Security Quibbles
- I'm not sure why dist/init-scripts/sysvinit.erb has an erb extension when it looks to be a shell script. - WON'T FIX: needs fixing in service-template-node