Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Audit of WINS form on static site #4588

Closed
1 task
Tracked by #4577
roslynwythe opened this issue May 1, 2023 · 7 comments
Closed
1 task
Tracked by #4577

Security Audit of WINS form on static site #4588

roslynwythe opened this issue May 1, 2023 · 7 comments
Assignees
@roslynwythe
Labels
Complexity: Medium P-Feature: Wins Page https://www.hackforla.org/wins/ role: back end/devOps Tasks for back-end developers size: 1pt Can be done in 4-6 hours To Update ! No update has been provided
Milestone
02. Security

Comments

@roslynwythe
Copy link
Member

roslynwythe commented May 1, 2023
edited
Loading

Overview

As developers we must perform a security audit of the new HTML/JS implementation of the WINS form, in order to determine if use of the form exposes any secrets or exposes any resources to malicious actions.

Details

Action Items

  • Write a Decision Record (DR) documenting the findings. If the wiki is not ready for editing, follow instructions in How to Contribute to the Wiki for drafting the content in a comment in this issue, and then posting a link to the comment in the "How to Contribute to the Wiki" page.

Resources
@roslynwythe roslynwythe added role: back end/devOps Tasks for back-end developers P-Feature: Wins Page https://www.hackforla.org/wins/ role: dev leads Tasks for technical leads labels May 1, 2023
@roslynwythe roslynwythe self-assigned this May 1, 2023
@github-actions

This comment was marked as resolved.

Sign in to view
@roslynwythe roslynwythe added the Draft Issue is still in the process of being created label May 1, 2023
This was referenced May 1, 2023
Closed
Closed
Closed
@roslynwythe roslynwythe changed the title Feasibility of WINS form on static site or Iaas/PaaS server Security Audit of WINS form on static site May 3, 2023
@roslynwythe
Copy link
Member Author

roslynwythe commented May 3, 2023
edited
Loading

@ExperimentsInHonesty I mentioned at our last meeting, that I think there is a security problem with the method used by the custom form; in particular, the form exposes a the URL of an HTTP endpoint which malicious actors could use to populate the response sheet with corrupt data. But I wonder if we should move forward with this issue anyway, so that we have another opinion that is formally documented in a DR. In the issue I mentioned that if the Wiki is not ready for editing, the dev should follow Jessica's interim instructions in "How to Contribute to the Wiki" for posting a comment here in the issue and then simply copying a link to the comment into the list Jessica created.

@roslynwythe roslynwythe added size: 1pt Can be done in 4-6 hours ready for product and removed Draft Issue is still in the process of being created role: dev leads Tasks for technical leads labels May 4, 2023
@ExperimentsInHonesty ExperimentsInHonesty added this to the 02. Security milestone May 7, 2023
@roslynwythe roslynwythe mentioned this issue May 9, 2023
Closed
2 tasks
@JessicaLucindaCheng
Copy link
Member

JessicaLucindaCheng commented May 9, 2023
edited
Loading

@roslynwythe As per the discussion in the 2023-05-08 Dev/PM meeting, change this issue to just write the decision record and you can go ahead and write the decision record in a comment below in this issue.

@roslynwythe
Copy link
Member Author

@JessicaLucindaCheng ok thanks. I've updated the issue

Availability: 5/9 9 - midnight, 5/10 10-4 pm
ETA: EOD 5/12

@roslynwythe
Copy link
Member Author

DR: Adopt the internal "Share your Wins" form in place of the current Google Form

This is a record in the Decision Records on Solutions Not Implemented.

Issue

Problem Statement

Drawbacks of the current Google Form include:

  • lack of integration with the website
  • need to update the form manually with project list changes.
  • user input validation limited to Google Forms methods

Potential Solution

A new "share your Wins" form has been developed which stores response data by sending an HTTP GET request to a web app which is bound to a Google Sheet. The request does not require credentials or API key, however the web app endpoint URL is exposed and could be targeted by malicious actors. At this time, Google does not provide a means for web apps to whitelist or examine the IP address of incoming requests, in order to protect against use by unauthorized clients.

Feasibility Determination

Adoption of the new form solution is not feasible, because the web app URL is exposed, and currently Google does not provide a means to whitelist specific IP addresses.

@github-actions github-actions bot added the To Update ! No update has been provided label May 19, 2023
@hackforla hackforla deleted a comment from github-actions bot May 19, 2023
@roslynwythe
Copy link
Member Author

roslynwythe commented May 19, 2023
edited
Loading

Update:

@roslynwythe roslynwythe removed the To Update ! No update has been provided label May 19, 2023
@github-actions github-actions bot added the To Update ! No update has been provided label Jun 2, 2023
@github-actions

This comment was marked as outdated.

Sign in to view
This was referenced Jun 2, 2023
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@roslynwythe roslynwythe

Labels
Complexity: Medium P-Feature: Wins Page https://www.hackforla.org/wins/ role: back end/devOps Tasks for back-end developers size: 1pt Can be done in 4-6 hours To Update ! No update has been provided
Projects
P: HfLA Website: Project Board
Archived in project
Milestone
02. Security
Development

No branches or pull requests
3 participants
@roslynwythe @JessicaLucindaCheng @ExperimentsInHonesty