This repository was archived by the owner on Apr 13, 2025. It is now read-only.

Add doc entry about security considerations of nodecg-io #143

Merged
merged 4 commits into main from feat/security-considerations
Jul 23, 2023

Conversation

hlxid
Member

@hlxid hlxid commented Sep 20, 2022

Adds a documentation entry about our security considerations and tells users what and what not to expect from nodecg-io regarding handling of the entered configuration and credentials.

For codeoverflow-org/nodecg-io#424

@hlxid hlxid self-assigned this Sep 20, 2022

1. No service configuration is accessible to someone with only filesystem access.
- An exception to this is a nodecg-io install with automatic login, as the password is then stored in plain text.
2. No bundle will be able to access your plain text password.
Member

This seems to contradict point 3. Did you mean not loaded bundle?

Member Author

The plain text password is only stored inside the nodecg-io dashboard and not transmitted to the backend and never enters NodeCG.
While writing that, I thought this would mean the password is safe, but other bundles can obviously also have dashboards, can use window.parent to escape the iframe and then interact with the iframe of our dashboard. From there the password is readable using the HTML input element. So this is sadly not true anymore.

Member Author

I've tested it and sadly this works. I've updated this in 55acf4d.


## Implementation

1. The configuration is stored encrypted only in a NodeCG replicant. If someone reads the persistent value of the replicant from the filesystem the configuration cannot be read because it is encrypted using your chosen password.
Member

Can we even provide the encryption method and key length?

Member Author

Yep, added in 57b5739

3. All loaded bundles may change nodecg-io settings, for example by deleting instances.
4. All loaded bundles may access all your configurations and passwords.
- It is highly recommended to only use bundles you trust!
5. Anyone intercepting network traffic between the NodeCG instance and a browser with a logged-in dashboard can access all configuration and passwords.
Member

Also the usual attacks on the browser window and keyloggers will work. This is not surprising but may be added for comprehensiveness.

Member Author

Good suggestion! Added in 57b5739

1. The configuration is stored encrypted only in a NodeCG replicant. If someone reads the persistent value of the replicant from the filesystem the configuration cannot be read because it is encrypted using your chosen password.
2. When you enter your password inside the dashboard, it is used to derive an encryption key using argon2id. Only this encryption key is ever transmitted and leaves the browser tab. Therefore other bundles can listen to the communication, but it only contains the derived encryption key, not your plain text password.
3. Bundles can listen to the login message from the dashboard to get the encryption key. This can be used to send authenticated messages to the nodecg-io-core bundle to add/delete instances, change service instance assignments and do everything that is possible in the dashboard.
4. As mentioned in 3, all bundles can get the encryption key. The encrypted configuration is stored in a replicant which can be accessed by all bundles as well. Using these two, any bundle could decrypt the configuration and have access to it.
Member

All loaded bundles?

Member Author

Yes, all loaded bundles.
In NodeCG any bundle can listen for any message that is addressed to any other bundle, meaning you can access all messages.
You can just listen for the login message like this:

```js
// Any loaded bundle can subscribe to messages addressed to nodecg-io-core.
nodecg.listenFor("login", "nodecg-io-core", (data) => {/* ... */});
```

The same goes for replicants, which can also be accessed by passing the bundle name in the constructor in any bundle.

We could use asymmetric encryption but again we cannot transmit the public key from the backend to the front end as any bundle could again listen for the same message or modify the replicant and provide its own public key to the dashboard that would use it to encrypt the key on transport.
I'm planning on implementing that anyways as we can try to detect tampering of other bundles which might not be perfect but better than nothing.

@hlxid hlxid requested a review from sebinside October 1, 2022 14:00
@hlxid hlxid marked this pull request as ready for review October 12, 2022 08:03
Contributor

@TimTechDev TimTechDev left a comment


I would like you to make some minor grammatical and stylistic changes.

Co-authored-by: Tim <github@timtechdev.de>
hlxid commented Oct 12, 2022

Thank you very much @TimTechDev

@hlxid hlxid merged commit 1fc9009 into main Jul 23, 2023
@hlxid hlxid deleted the feat/security-considerations branch July 23, 2023 18:53