Meteor meets Mallory*
Emily Stark, Meteor core developer
emily@meteor.com
* Mallory is usually the name of the bad guy in crypto/security stuff
Published on: devshop talk 7/25/13
1. Meteor meets Mallory*
   Emily Stark, Meteor core developer
   emily@meteor.com
   * Mallory is usually the name of the bad guy in crypto/security stuff
2. Meteor security model and best practices
3. Outline
   1. Meteor security principles
   2. Cross-site scripting
   3. Mongo injections
4. Meteor security principles
5. Secure design principles
   ○ Data and code are separate
   ○ Easy to reason about client/server boundary
   ○ Stateful connections that must be deliberately authenticated
6. Securely structuring your app
   ○ Server code is trusted, client code is not
   ○ server/ or Meteor.settings for secrets
   ○ Meteor.isServer doesn't make code private
   ○ Use publications and allow/deny to lock down database API
   ○ Allow/deny rules not applied to server code
7. Cross-site scripting
8. Cross-site scripting (XSS)
9. Cross-site scripting (XSS)
10. Meteor foils some attacks
    Inside {{ }}, the characters   < > ' " ` &
    are rendered as                &lt; &gt; ' &quot; ` &amp;
    (packages/handlebars/evaluate-handlebars.js)
11. But not all
    <a href="{{ userWebsite }}">
      {{ username }}'s website
    </a>
12. URL sanitization
    <a href="javascript:alert(localStorage)">
      {{ username }}'s website
    </a>
13. URL sanitization
    <a href="javascript:alert(localStorage)">
      {{ username }}'s website
    </a>
    Can you execute any damaging JavaScript when quotes are escaped?
14. URL sanitization
    <a href="javascript: eval(String.fromCharCode(77, 101, ...))">
      {{ username }}'s website
    </a>
15. CSS sanitization
    <div style="background-color: {{ usersFavoriteColor }}"></div>
16. CSS sanitization
    <div style="background-color: expression(alert(localStorage))"></div>
17. Sanitize untrusted URLs and CSS
    ○ Don't try to filter out "javascript:", "expression", etc.
    ○ Do strict checking: urls start with http, css values come from a list of safe values
    ○ Use Content Security Policy
      Ex: Content-Security-Policy: default-src 'self'
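Slide 17's strict-checking advice, as an added example that is not from the talk: an allowlist for an href that accepts only URLs which parse with an http(s) scheme, and an allowlist for a CSS color value, each falling back to a safe default instead of trying to strip anything out. The function names and the color list are assumptions made for this example.

```javascript
// Added example (not code from the slides). Strict allowlisting for the two
// attribute contexts shown on the slides: an href URL and a CSS color value.
// Nothing is filtered or rewritten; input either has the allowed shape or it
// is replaced by a safe default.
const SAFE_HREF_DEFAULT = '#';
const SAFE_COLOR_DEFAULT = 'inherit';

// Accept only absolute http(s) URLs. The WHATWG URL parser lower-cases the
// scheme and strips surrounding whitespace, so there is no hand-written
// string matching on the scheme to get wrong.
function safeHref(untrusted) {
  let parsed;
  try {
    parsed = new URL(String(untrusted));
  } catch (e) {
    return SAFE_HREF_DEFAULT; // relative, empty or unparsable input is rejected
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:'
    ? parsed.href
    : SAFE_HREF_DEFAULT;
}

// Accept only a fixed set of named colors or a 3- or 6-digit hex color.
// The named list here is an assumption; an app would use its own palette.
const NAMED_COLORS = new Set(['red', 'green', 'blue', 'black', 'white']);
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

function safeColor(untrusted) {
  const value = String(untrusted).trim().toLowerCase();
  return NAMED_COLORS.has(value) || HEX_COLOR.test(value) ? value : SAFE_COLOR_DEFAULT;
}

// The div from slide 15, rendered server-side with the value allowlisted first.
function renderFavoriteColorDiv(usersFavoriteColor) {
  return `<div style="background-color: ${safeColor(usersFavoriteColor)}"></div>`;
}
```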
18. Mongo injections
19. Mongo injections
    Meteor.methods({
      getUser: function (user, pwd) {
        return Users.findOne({
          username: user,
          password: pwd
        });
      }
    });
    Called with:
      user: "Alice"
      pwd: {$ne: "foo"}
20. Using check
    Meteor.methods({
      getUser: function (user, pwd) {
        check(user, String);
        check(pwd, String);
        return Users.findOne({
          username: user,
          password: pwd
        });
      }
    });
21. check is versatile
    check(usernames, [String]);
    check(profile, {
      admin: Boolean,
      location: Match.Optional(String)
    });
    check(age, Match.OneOf(String, Number));
22. Using audit-argument-checks
    Meteor.methods({
      insertName: function (name) {
        MyCollection.insert({ name: name });
        console.log("Inserted", {name: name});
      }
    });
    insertName({ foo: "bar" })
23. Using audit-argument-checks
    Inserted {"name": {"foo": "bar"}}
    insertName({ foo: "bar" })
24. Using audit-argument-checks
    meteor add audit-argument-checks
    insertName({ foo: "bar" })
25. Using audit-argument-checks
    Inserted {"name": {"foo": "bar"}}
    Exception while invoking method 'insertName'
    Error: Did not check() all arguments during call to 'insertName'
    insertName({ foo: "bar" })
26. What was that Meteor 0.6.4.1 release all about?
    Meteor.methods({
      saveUser: function (profile) {
        delete profile.admin;
        Users.insert(profile);
      }
    });
    <malicious input>
    {"admin": "true!", "x01...": null, ...}
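For slides 19 to 21 and 26, an added example that is not Meteor's code: a minimal stand-in for check() covering the pattern forms the slides use, applied to reject an operator object passed where a password string is expected and a profile carrying keys the method never declared. Match, checkArg and validateGetUserArgs are names assumed for this example, not Meteor's API.

```javascript
// Added example (not code from the slides): a minimal stand-in for Meteor's
// check() so the argument-validation idea runs in plain Node. Pattern forms
// mirror the slides: String/Number/Boolean, [pattern], {field: pattern},
// Match.Optional(pattern) and Match.OneOf(...patterns). Names are assumptions.
const Match = {
  Optional: (pattern) => ({ kind: 'optional', pattern }),
  OneOf: (...patterns) => ({ kind: 'oneOf', patterns }),
};

function matches(value, pattern) {
  if (pattern === String) return typeof value === 'string';
  if (pattern === Number) return typeof value === 'number';
  if (pattern === Boolean) return typeof value === 'boolean';
  if (Array.isArray(pattern)) {
    // [String]: an array whose every element matches the inner pattern
    return Array.isArray(value) && value.every((v) => matches(v, pattern[0]));
  }
  if (pattern === null || typeof pattern !== 'object') throw new Error('unsupported pattern');
  if (pattern.kind === 'optional') return value === undefined || matches(value, pattern.pattern);
  if (pattern.kind === 'oneOf') return pattern.patterns.some((p) => matches(value, p));
  // Object pattern: a plain object with exactly the listed keys, no extras.
  // Rejecting extras is what stops a client from smuggling an undeclared
  // field (the slide 26 profile) past a method that only deletes "admin".
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const allowed = new Set(Object.keys(pattern));
  if (Object.keys(value).some((k) => !allowed.has(k))) return false;
  return Object.keys(pattern).every((k) => matches(value[k], pattern[k]));
}

// Throws on mismatch like check(); returns true otherwise so callers can assert.
function checkArg(value, pattern) {
  if (!matches(value, pattern)) throw new Error('Match error: argument does not match pattern');
  return true;
}

// The slides' getUser arguments, guarded. Returns whether they would reach
// Users.findOne: a pwd of {$ne: "foo"} is an object, not a String, so it is
// rejected before any query is built.
function validateGetUserArgs(user, pwd) {
  try {
    checkArg(user, String);
    checkArg(pwd, String);
    return true;
  } catch (e) {
    return false;
  }
}
```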
27. Conclusion
    ○ Meteor security design principles
    ○ Securing boundary between client and server
    ○ Data/code separation
    ○ Some attacks to watch out for
    ○ Always validate untrusted user input
    ○ security-resources.meteor.com
28. Questions?