[Cubicweb] Security on CubicWeb
Adrien Di Mascio
adrien.dimascio at logilab.fr
Wed Jan 2 15:00:38 CET 2013
On 29/12/2012 20:42, Nicolas Chauvat wrote:
> On Mon, Dec 24, 2012 at 12:39:28PM +0100, Celso FLORES wrote:
> Work was done on this topic more than a year ago before data.bnf.fr
> was put into production. I think it was Arthur who did that work. Just
> wait for Adrien to come back from vacation and he should be able to
> help you out.
We (mostly Arthur) indeed ran a few security test suites with tools such as:
- wapiti : http://wapiti.sourceforge.net/
- nikto : http://cirt.net/nikto2
- w3af : http://w3af.sourceforge.net/
- xsser : http://xsser.sourceforge.net/
- spikeproxy : http://www.immunitysec.com/resources-freesoftware.shtml
and found nothing alarming. Arthur will maybe have more specific
insights to share on this.
There should be no SQL injection problems ... since we don't use SQL to
communicate with "cubicweb-server". You might be able to forge HTML
forms to execute a DELETE/SET/INSERT query or even abuse a clumsy URL
rewrite rule (either defined by your CW app itself or by your HTTP
front-end configuration) to do so. But even then, as Aurélien said,
provided that you stick to the standard CW API to communicate with your
database, you won't be able to execute something your schema will forbid.
If you want to have more control on your urls and on your request
parameters, you can deactivate standard url processors and publishers in
CW or add some custom ones that remove unwanted parameters.
IMO, your main concerns should therefore be:
- write security tests,
- define the appropriate permissions in your data model to make those
- use security tools to make sure you're not subject to standard XSS /
CSRF attacks (CW is probably improvable on this point),
- DOS: CW doesn't provide any builtin tool to protect you.
Of course, you also need to consider security issues on your full
application stack: which user will run your processes, what and where it
is able to read or write on the filesystem, who has access to your
database, HTTPS vs. HTTP, etc.
Adrien Di Mascio - LOGILAB, Paris (France).
Training - http://www.logilab.fr/formations
Development - http://www.logilab.fr/services
Knowledge management - http://www.cubicweb.org/