[Cubicweb] Security on CubicWeb

Adrien Di Mascio adrien.dimascio at logilab.fr
Wed Jan 2 15:00:38 CET 2013

Hi Celso,

On 29/12/2012 20:42, Nicolas Chauvat wrote:
> On Mon, Dec 24, 2012 at 12:39:28PM +0100, Celso FLORES wrote:
> Work was done on this topic more than a year ago before data.bnf.fr
> was put into production. I think it was Arthur who did that work. Just
> wait for Adrien to come back from vacation and he should be able to
> help you out.

We (mostly Arthur) indeed ran a few security test suites with tools such as:

- wapiti : http://wapiti.sourceforge.net/
- nikto : http://cirt.net/nikto2
- w3af : http://w3af.sourceforge.net/
- xsser : http://xsser.sourceforge.net/
- spikeproxy : http://www.immunitysec.com/resources-freesoftware.shtml

and found nothing alarming. Arthur will maybe have more specific 
insights to share on this.

There should be no SQL injection problems ... since we don't use SQL to 
communicate with "cubicweb-server". You might be able to forge HTML 
forms to execute a DELETE/SET/INSERT query or even abuse a clumsy URL 
rewrite rule (either defined by your CW app itself or by your HTTP 
front-end configuration) to do so. But even then, as Aurélien said, 
provided that you stick to the standard CW API to communicate with your 
database, you won't be able to execute something your schema will forbid.

If you want to have more control on your urls and on your request 
parameters, you can deactivate standard url processors and publishers in 
CW or add some custom ones that remove unwanted parameters.

IMO, your main concerns should therefore be:

- write security tests,
- define the appropriate permissions in your data model to make those
   tests pass,
- use security tools to make sure you're not subject to standard XSS /
   CSRF attacks (CW is probably improvable on this point),
- DOS: CW doesn't provide any builtin tool to protect you.

Of course, you also need to consider security issues on your full 
application stack: which user will run your processes, what and where is 
he able to read or write on the filesystem, who has access to your 
database, HTTPS vs. HTTP, etc.

Adrien Di Mascio - LOGILAB, Paris (France).
Training - http://www.logilab.fr/formations
Development - http://www.logilab.fr/services
Knowledge management - http://www.cubicweb.org/

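Added illustration of the point made above about schema permissions (this is not Adrien's code nor CubicWeb's own; it is a self-contained sketch that mimics the shape of a yams `__permissions__` dict with 'read'/'add'/'update'/'delete' keys, group names and an `owned_by` predicate standing in for `ERQLExpression('X owned_by U')`, and it runs without CubicWeb installed). The entity type, users, groups and queries are constructed sample data. It shows why a forged form posting a DELETE or SET query is refused whenever the schema does not grant that action to the requesting user, and how a small security test can assert on that:

```python
# Added illustration (not CubicWeb code): a toy model of schema-level
# permissions in the spirit of a yams ``__permissions__`` dict, showing why a
# forged DELETE/SET/INSERT request is refused when the schema does not allow it.
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised when the schema forbids the requested action."""


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset


@dataclass
class Entity:
    etype: str
    eid: int
    owner: str


def owned_by(user, entity):
    """Stand-in for CubicWeb's ERQLExpression('X owned_by U')."""
    return entity.owner == user.login


# Illustrative schema: each action is granted to group names and/or
# predicate callables, like the ``__permissions__`` dict of an entity type.
SCHEMA = {
    'BlogEntry': {
        'read': ('managers', 'users', 'guests'),
        'add': ('managers', 'users'),
        'update': ('managers', owned_by),
        'delete': ('managers', owned_by),
    },
}

# RQL verbs, as they would arrive from a forged form, mapped to schema actions.
VERB_TO_ACTION = {'ANY': 'read', 'INSERT': 'add', 'SET': 'update', 'DELETE': 'delete'}


def check_permission(user, action, entity):
    """Return True if any rule for (etype, action) grants it, else raise Unauthorized."""
    for rule in SCHEMA[entity.etype][action]:
        if callable(rule):
            if rule(user, entity):
                return True
        elif rule in user.groups:
            return True
    raise Unauthorized('%s may not %s %s #%d'
                       % (user.login, action, entity.etype, entity.eid))


def execute(user, query, entity):
    """Apply the schema check to the verb of an RQL-like query string."""
    verb = query.split(None, 1)[0].upper()
    try:
        action = VERB_TO_ACTION[verb]
    except KeyError:
        raise ValueError('unknown verb %r' % verb)
    check_permission(user, action, entity)
    return True


def is_allowed(user, query, entity):
    """Security-test helper: True if the query would run, False if refused."""
    try:
        return execute(user, query, entity)
    except Unauthorized:
        return False


# Constructed sample data: an anonymous visitor, two ordinary users, a manager,
# and one blog entry owned by alice.
GUEST = User('anon', frozenset({'guests'}))
ALICE = User('alice', frozenset({'users'}))
BOB = User('bob', frozenset({'users'}))
ADMIN = User('admin', frozenset({'managers'}))
ENTRY = Entity('BlogEntry', 42, owner='alice')


if __name__ == '__main__':
    forged = 'DELETE BlogEntry X WHERE X eid 42'
    for who in (GUEST, ALICE, BOB, ADMIN):
        print(who.login, 'may delete #42:', is_allowed(who, forged, ENTRY))
```

The same assertions written against a real application would go through the CubicWeb test framework and the repository's own checks rather than this toy; the point is only that the decision is taken from the schema, not from which form or URL the request came through.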