
Security, Pen Testing & Scaling #10

Open
kmturley opened this issue Sep 7, 2017 · 4 comments

Comments

@kmturley

kmturley commented Sep 7, 2017

Need to check:

  • Inputs are sanitized/escaped (no XSS)
  • File uploads are restricted to safe formats
  • CSP whitelist (only allow specific domains)
  • User/admin permissions are correct, no holes
  • Firebase read/write rules are correct, no holes
  • Firebase data schema is scalable (don't load whole lists at once, structure into separate lists)
  • Application can scale on Firebase hosting, email sending, uploads
  • Estimate costs at scale, compared to static hosting, and Python hosting
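The "Firebase read/write rules are correct, no holes" item above, as an added example that is not part of this issue or of the project's code: a small JavaScript checker that walks a Realtime Database rules object and flags grants that are open to everyone, or to any signed-in account, which are the usual holes. The sample rules and their paths (admins, products, orders, feedback) are constructed assumptions, not the project's schema; the admin check uses the standard `root.child('admins').child(auth.uid).exists()` pattern.

```javascript
// Added example, not the project's rules. Walk a Realtime Database rules
// object (the "rules" value of database.rules.json) and report access grants
// that are wide open. Firebase rules cascade: a grant at a parent node covers
// every child, so a literal `true` high in the tree is a hole for the whole subtree.

// Constructed sample rules; paths and fields are assumptions for illustration.
const SAMPLE_RULES = {
  rules: {
    // Admin list: readable only by existing admins, never written from the client.
    admins: {
      '.read': "root.child('admins').child(auth.uid).exists()",
      '.write': 'false',
    },
    // Public catalogue: anyone may read, only admins may change it.
    products: {
      '.read': 'true',
      '.write': "root.child('admins').child(auth.uid).exists()",
      $productId: { '.validate': "newData.hasChildren(['name', 'price'])" },
    },
    // Orders: admins see all; a customer sees and creates only their own.
    orders: {
      '.read': "root.child('admins').child(auth.uid).exists()",
      $orderId: {
        '.read': "data.child('uid').val() === auth.uid",
        '.write': "!data.exists() && newData.child('uid').val() === auth.uid",
      },
    },
    // Deliberate hole for the checker to find: unauthenticated write access.
    feedback: { '.read': 'true', '.write': 'true' },
  },
};

// Rules may be written as the boolean true or the string "true".
function isLiteralTrue(rule) {
  return rule === true || String(rule).trim() === 'true';
}

// "auth != null" grants access to every signed-in account, not a specific role.
function isAnyUser(rule) {
  return /^auth\s*!==?\s*null$/.test(String(rule).trim());
}

// Recursively collect findings as {path, directive, issue}; an empty array
// means no open grant was found.
function auditRules(node, path = '/', findings = []) {
  for (const [key, value] of Object.entries(node)) {
    if (key === '.read' || key === '.write') {
      if (isLiteralTrue(value)) {
        findings.push({
          path,
          directive: key,
          issue: key === '.write'
            ? 'open write: anyone, including unauthenticated clients, can modify this subtree'
            : 'open read: this whole subtree is public',
        });
      } else if (isAnyUser(value)) {
        findings.push({ path, directive: key, issue: 'any signed-in account is allowed; confirm that is intended' });
      }
    } else if (key.startsWith('.')) {
      continue; // .validate, .indexOn: constraints, not access grants
    } else if (value && typeof value === 'object') {
      auditRules(value, path === '/' ? `/${key}` : `${path}/${key}`, findings);
    }
  }
  return findings;
}

// Stand-alone run: print every finding for the sample rules.
for (const f of auditRules(SAMPLE_RULES.rules)) {
  console.log(`${f.path} ${f.directive}: ${f.issue}`);
}
```

Run over the sample, the checker reports the intentional public read on the catalogue and both grants on `feedback`; a public read on a catalogue may be acceptable, an open write is the kind of hole the checklist is asking about. The `auth != null` case is reported separately because it is often written as a placeholder and then never narrowed to a role.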
@ankemp
Contributor

ankemp commented Sep 8, 2017

Some things to consider:
angular/angular-cli#3430
&&
angular/angular-cli#6872

@alexabbott
Owner

@kmturley

  • Inputs are sanitized/escaped (no XSS)
    DONE

  • File uploads are restricted to safe formats
    DONE - restricted on FE and in Storage Rules

  • CSP whitelist (only allow specific domains)
    DONE - had to add 'unsafe-inline' for CSS + 'unsafe-eval' for JS based on the articles @ankemp commented, then 'unsafe-inline' for JS because of CKEditor (WYSIWYG)

  • User/admin permissions are correct, no holes
    DONE

  • Firebase read/write rules are correct, no holes
    DONE

  • Firebase data schema is scalable (don't load whole lists at once, structure into separate lists)
    DONE

  • Application can scale on Firebase hosting, email sending, uploads
    DONE -- email sending is via Gmail, so it is limited. Scaling email sending would require use of a third-party email service like Mailgun

  • Estimate costs at scale, compared to static hosting, and Python hosting
    TODO

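The CSP item above, as an added example that is not code from this issue or from the project: a JavaScript check that parses a Content-Security-Policy header and reports the settings that undo its protection against XSS, run over two constructed policies. The first is shaped like the result the comment describes ('unsafe-inline' and 'unsafe-eval' in script-src); the second is a tightened version. The allowed domains and the hash value are placeholders, not the project's configuration.

```javascript
// Added example, not the project's configuration. Parse a CSP header string
// and flag the script-related settings that make the policy ineffective
// against injected script.

// Parse "directive src1 src2; directive2 ..." into {directive: [sources]}.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Browsers fall back to default-src when a fetch directive is absent.
function effectiveSources(directives, name) {
  return directives[name] || directives['default-src'] || [];
}

// Return a list of findings; an empty list means no weakness was detected.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const script = effectiveSources(d, 'script-src');
  // With a nonce or hash present, CSP Level 2 browsers ignore 'unsafe-inline',
  // so it is only a weakness when no nonce/hash accompanies it.
  const hasNonceOrHash = script.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline': injected <script> runs, so CSP does not stop XSS");
  }
  if (script.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': eval and new Function are permitted");
  }
  if (script.some(s => s === '*' || s === 'http:' || s === 'https:' || s === 'data:')) {
    findings.push('script-src contains a scheme or global wildcard: any origin can supply script');
  }
  if (!d['object-src'] && !d['default-src']) {
    findings.push('no object-src or default-src: plugin content is unrestricted');
  }
  if (!d['base-uri']) {
    findings.push('no base-uri: an injected <base> tag can redirect relative script URLs');
  }
  return findings;
}

// Constructed sample, roughly the shape the comment above ends up with.
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com; " +
  "style-src 'self' 'unsafe-inline'; connect-src 'self' https://*.firebaseio.com wss://*.firebaseio.com";

// Constructed sample of a tighter policy: an AOT build removes the need for
// 'unsafe-eval', and a hash of each specific inline script replaces the
// blanket 'unsafe-inline' (hash value is a placeholder).
const TIGHT_POLICY =
  "default-src 'self'; script-src 'self' 'sha256-PLACEHOLDER' https://www.gstatic.com; " +
  "style-src 'self' 'unsafe-inline'; connect-src 'self' https://*.firebaseio.com wss://*.firebaseio.com; " +
  "object-src 'none'; base-uri 'self'";

// Stand-alone run: report on both sample policies.
for (const [label, policy] of [['weak', WEAK_POLICY], ['tight', TIGHT_POLICY]]) {
  const findings = auditCsp(policy);
  console.log(`${label}: ${findings.length === 0 ? 'no weaknesses found' : '\n  ' + findings.join('\n  ')}`);
}
```

The check deliberately ignores `'unsafe-inline'` in style-src, since the comment's concern is script execution. Two points the comment's solution runs into: Firebase Hosting serves static files, so a per-response nonce is not available there and hashes of the specific inline scripts (including whatever the editor injects) are the static-hosting option, set in the `headers` section of firebase.json; and 'unsafe-eval' is only needed by the JIT compiler, so an AOT build lets it be dropped.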
@kmturley
Author

Getting some permissions errors now when I view the admin area:

  • /admins/-473942351
  • /approvals
  • /approvals/products
  • /users
  • /orders
  • etc

Am I an admin?

@alexabbott
Owner

alexabbott commented Sep 13, 2017

@kmturley yes, you are a super-admin, but it says your account has not logged in yet? I've updated some of the admin functionality recently so you may have to re-login via /login

The paths you've listed should have /admin in front of them and a couple of them are invalid:

  • /admins/-473942351 - INVALID - should be /admin/admins/edit-admin/ADMINKEY
  • /approvals - should be /admin/approvals
  • /approvals/products - INVALID - there is no separate view for product approvals, all approvals live at /admins/approvals
  • /users - INVALID - should be /admin/customers
  • /orders - should be /admin/orders
