
Assess safety of website from liquid injections #2141

Closed
10 tasks done
Aveline-art opened this issue Aug 20, 2021 · 26 comments
Labels: 2 weeks inactive (an issue that has not been updated by an assignee for two weeks); Complexity: Large; Feature: Refactor JS / Liquid (page is working fine, JS / Liquid needs changes to become consistent with other pages); role: back end/devOps (tasks for back-end developers); size: 2pt (can be done in 7-12 hours)

Comments

@Aveline-art (Member)

Aveline-art commented Aug 20, 2021

Overview

As a developer, we must investigate new potential sources of attack, so that we can defend against them.

Action Items

  • Read up on this article to understand liquid injections.
  • Investigate the sources of our various JSON data that will be displayed on our website.
  • Find out how easy it would be for an individual to inject HTML scripts into the JSON data, either on purpose or by accident.
  • Conclude whether current measures are enough or if further action should be taken to escape data.
  • Look for other sources of external data besides JSON and investigate whether injections are possible.
  • Generate a report of your findings as a file in our drive (please put the link in this issue-comment).
    • The report must specify the files, and a copy of the vulnerable lines, if any.
    • It must also provide recommended changes to correct the vulnerability, if any.
  • If problems are found, write an issue for another developer to fix the code based on your recommendations.
    • If the fix is too big/complex for one issue, the issue you write should be for another developer instructing them to write an epic and figure out how to break down your recommendations into manageable issues.

Resources/Instructions

Inlining JSON in a Jekyll Liquid Template
escape – Liquid template language
data directory
#2139
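A worked illustration of what the action items above are checking for, added here as an example and not code from the website repository or from the Liquid project: a constructed `_data`-style record is rendered under the three strategies this thread touches on (no filter, the `escape` filter, and the `uri_escape` filter mentioned in later comments), and the JSON is separately prepared for inlining inside a `<script>` block, which is the case the "Inlining JSON in a Jekyll Liquid Template" resource covers. The function names, the sample records, and the use of `CGI.escapeHTML` and `ERB::Util.url_encode` as stand-ins for the Liquid filters are assumptions of this example; the `uri_escape` stand-in percent-encodes a few more characters than Jekyll's filter does, but it treats `< > " ' &` the same way.

```ruby
require 'cgi'
require 'erb'
require 'json'

# Constructed sample shaped like a _data/*.json record (not the project's real data).
# The second record carries markup and a script-closing tag so the effect of each
# escaping strategy is visible in the output.
SAMPLE_RECORDS = [
  { "name" => "Ada", "bio" => "Works on <b>docs</b> & tests" },
  { "name" => "Mal", "bio" => "</script><script>alert(1)</script>" }
].freeze

# Stand-in for Liquid {{ value }} with no filter: the value is copied into the page as-is.
def render_raw(value)
  value.to_s
end

# Stand-in for Liquid {{ value | escape }}: HTML-escapes & < > " ' so the browser shows
# the text instead of parsing it as markup. This is the right choice for HTML text context.
def render_html_escaped(value)
  CGI.escapeHTML(value.to_s)
end

# Stand-in for Liquid {{ value | uri_escape }} (assumption: ERB's percent-encoder encodes
# slightly more characters than Jekyll's filter). It neutralizes markup as well, but it is
# meant for URL components: visible text comes out with %20 in place of every space,
# which is why it is the wrong filter for text that a user will read.
def render_uri_escaped(value)
  ERB::Util.url_encode(value.to_s)
end

# For JSON inlined inside <script> ... </script>: HTML-escaping would corrupt the JSON,
# so instead every "</" is written as "<\/" (a valid JSON escape for "/"). The decoded
# value is unchanged, but the browser's HTML parser no longer sees a closing </script>
# inside the block. Opening tags inside a script block are inert; only "</script" ends it.
# U+2028/U+2029 are escaped too, since older JS engines reject them inside string literals.
def json_for_script(obj)
  JSON.generate(obj)
      .gsub('</') { '<\/' }
      .gsub("\u2028") { '\u2028' }
      .gsub("\u2029") { '\u2029' }
end

# Defender's check: does a rendered HTML fragment still contain a raw tag?
def raw_tag?(fragment)
  fragment.match?(%r{</?[a-zA-Z]})
end

# Audit every record under each rendering strategy and return the combinations that
# leave a raw tag in HTML text context; an empty list means every value was escaped.
def audit(records = SAMPLE_RECORDS)
  findings = []
  records.each do |rec|
    {
      raw: render_raw(rec["bio"]),
      escape: render_html_escaped(rec["bio"]),
      uri_escape: render_uri_escaped(rec["bio"])
    }.each do |strategy, out|
      findings << { name: rec["name"], strategy: strategy, output: out } if raw_tag?(out)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit.each { |f| puts "#{f[:name]} via #{f[:strategy]}: #{f[:output]}" }
  puts json_for_script(SAMPLE_RECORDS[1])
end
```

Running the file lists only the unfiltered renders as findings, which matches the thread's conclusion that `uri_escape` does block markup; the `Works%20on%20docs` output from the same filter shows why `escape` is the better fit for text shown to the reader, while JSON that is dropped into a `<script>` block needs the `</` treatment rather than either filter.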

@github-actions github-actions bot added Feature Missing This label means that the issue needs to be linked to a precise feature label. role missing size: missing labels Aug 20, 2021
@Aveline-art Aveline-art added Feature: Refactor JS / Liquid Page is working fine - JS / Liquid needs changes to become consistent with other pages role: back end/devOps Tasks for back-end developers Complexity: Large Ready for Prioritization and removed Feature Missing This label means that the issue needs to be linked to a precise feature label. role missing size: missing labels Aug 20, 2021
@ExperimentsInHonesty ExperimentsInHonesty added this to the 02. Security milestone Aug 25, 2021
@GLRJr GLRJr self-assigned this Sep 19, 2021
@SAUMILDHANKAR SAUMILDHANKAR added the size: 2pt Can be done in 7-12 hours label Mar 8, 2022
@tamara-snyder tamara-snyder self-assigned this Mar 18, 2022

@github-actions github-actions bot added the Status: Updated No blockers and update is ready for review label Mar 25, 2022
@tamara-snyder (Member)

Progress: I've read up on how Liquid injections can occur and located files where data is read from JSONs on the site and whether they use uri_escape. I still need to look through all the JSON data and gain a clearer understanding of how it is used on the site.
Blockers: None
Availability: 4 hours
ETA: April 10, 2022


@tamara-snyder (Member)

Progress: I've checked everywhere that JSON data is used on the site. Everything is covered by uri_escape except for a few spots, and it looks like those render data from an already escaped object (I plan on double-checking this because I'm a little confused right now). As far as I can tell from what I've been reading, since we're not dealing with any HTTP, there's not really any other way for an attack to get through. I'm definitely planning on doing more testing to be sure, though.
Blockers: Just a question: The only content in the external data folder appears to be JSON, which I've already checked. Is there anything else I should be looking for in regards to external data? Thank you!
Availability: 4 hours
ETA: Tuesday, April 12, 2022

@github-actions github-actions bot added 2 weeks inactive An issue that has not been updated by an assignee for two weeks and removed Status: Updated No blockers and update is ready for review labels Apr 15, 2022

@SAUMILDHANKAR SAUMILDHANKAR added To Update ! No update has been provided and removed 2 weeks inactive An issue that has not been updated by an assignee for two weeks labels Apr 16, 2022
@tamara-snyder (Member)

Progress: Just need to finish my write-up. Had some interviews this week, so I didn't have as much time to work on this issue as originally anticipated.
Blockers: None
Availability: 3 hours
ETA: Tuesday, April 19, 2022

@tamara-snyder tamara-snyder removed the To Update ! No update has been provided label Apr 17, 2022
@Sparky-code (Member)

Good morning @tamara-snyder. The write-up looks good; I really don't know much about Liquid, so it was cool to learn some things. I added a couple of comments that might be helpful for organization / clarification, but overall, great job!

@github-actions github-actions bot added 2 weeks inactive An issue that has not been updated by an assignee for two weeks and removed Status: Updated No blockers and update is ready for review labels Apr 29, 2022
@github-actions (bot)

@tamara-snyder

Please add an update using the template below (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures: "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, April 26, 2022 at 12:21 AM PST.

@tamara-snyder (Member)

tamara-snyder commented Apr 29, 2022

Progress: I need to make updates according to the feedback in the Google doc.
Blockers: None
Availability: Monday morning, 2 hours (traveling this weekend)
ETA: 05/03/2022

@github-actions github-actions bot added Status: Updated No blockers and update is ready for review and removed 2 weeks inactive An issue that has not been updated by an assignee for two weeks labels May 6, 2022
@github-actions github-actions bot added 2 weeks inactive An issue that has not been updated by an assignee for two weeks and removed Status: Updated No blockers and update is ready for review labels May 13, 2022
@github-actions (bot)

@tamara-snyder

Please add an update using the template below (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures: "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, May 10, 2022 at 12:23 AM PST.

@tamara-snyder (Member)

@Sparky-code @JessicaLucindaCheng Thank you both for your feedback on this doc! I've edited it based on your comments and left a clarification question for Devin. Would love to get a re-review when you get the chance.

@Sparky-code (Member)

@tamara-snyder Sounds great, I'll take a look in the timeframe below
Avail: 1-2hrs
ETA: 5/18-19 EOD

@github-actions github-actions bot added Status: Updated No blockers and update is ready for review and removed 2 weeks inactive An issue that has not been updated by an assignee for two weeks labels May 20, 2022
@tamara-snyder (Member)

tamara-snyder commented May 20, 2022

@Sparky-code @JessicaLucindaCheng I believe I have resolved Devin's last comment. If you get a chance, a final review of the doc would be helpful. In the meantime, I can get to work writing the issues to make these fixes. Realistically, that will probably be done next week.

@Sparky-code (Member)

@tamara-snyder looks great! Reads very clearly now. 👍

@JessicaLucindaCheng (Member)

@tamara-snyder Sorry for the delay in reviewing your write-up again. Everything looks good now. The write-up is clear and concise. Good job.

@github-actions github-actions bot removed the Status: Updated No blockers and update is ready for review label Jun 3, 2022
@github-actions (bot)

github-actions bot commented Jun 3, 2022

@tamara-snyder

Please add an update using the template below (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures: "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, May 31, 2022 at 12:19 AM PST.

@github-actions github-actions bot added the 2 weeks inactive An issue that has not been updated by an assignee for two weeks label Jun 3, 2022
@tamara-snyder (Member)

Progress: Just need to write the issues. Haven't had time this week and I'm traveling the next couple days, so will work on this next week.
Blockers: None
Availability: 3 hours
ETA: Friday, June 10, 2022

@github-actions github-actions bot added Status: Updated No blockers and update is ready for review and removed 2 weeks inactive An issue that has not been updated by an assignee for two weeks labels Jun 10, 2022
@tamara-snyder (Member)

tamara-snyder commented Jun 16, 2022

@github-actions github-actions bot removed the Status: Updated No blockers and update is ready for review label Jun 24, 2022
@github-actions (bot)

@tamara-snyder

Please add an update using the template below (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, June 21, 2022 at 12:20 AM PST.

@github-actions github-actions bot added the 2 weeks inactive An issue that has not been updated by an assignee for two weeks label Jun 24, 2022
@tamara-snyder (Member)

My issue has been reviewed, edited, and approved by two people, so I am closing this issue.
