maxmustermann/kibana
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
kibana/docs/developer/best-practices/security.asciidoc
Stacey Gammon a20469f038
Clean up the developer guide (#71631) 
* rename float to discrete

* use same section title level on all source files

* Elasticsearch => {es}

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-07-16 10:13:51 -04:00

55 lines
3 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[[security-best-practices]]
== Security best practices
* XSS
** Check for usages of `dangerouslySetInnerHtml`, `Element.innerHTML`,
`Element.outerHTML`
** Ensure all user input is properly escaped.
** Ensure any input in `$.html`, `$.append`, `$.appendTo`,
latexmath:[$.prepend`, `$].prependTo`is escaped. Instead use`$.text`, or
dont use jQuery at all.
* CSRF
** Ensure all APIs are running inside the {kib} HTTP service.
* RCE
** Ensure no usages of `eval`
** Ensure no usages of dynamic requires
** Check for template injection
** Check for usages of templating libraries, including `_.template`, and
ensure that user provided input isnt influencing the template and is
only used as data for rendering the template.
** Check for possible prototype pollution.
* Prototype Pollution
** Check for instances of `anObject[a][b] = c` where a, b, and c are
user defined. This includes code paths where the following logical code
steps could be performed in separate files by completely different
operations, or recursively using dynamic operations.
** Validate any user input, including API
url-parameters/query-parameters/payloads, preferable against a schema
which only allows specific keys/values. At a very minimum, black-list
`__proto__` and `prototype.constructor` for use within keys
** When calling APIs which spawn new processes or potentially perform
code generation from strings, defensively protect against Prototype
Pollution by checking `Object.hasOwnProperty` if the arguments to the
APIs originate from an Object. An example is the Code apps
https://github.com/elastic/kibana/blob/b49192626a8528af5d888545fb14cd1ce66a72e7/x-pack/legacy/plugins/code/server/lsp/workspace_command.ts#L40-L44[spawnProcess].
*** Common Node.js offenders: `child_process.spawn`,
`child_process.exec`, `eval`, `Function('some string')`,
`vm.runIn*Context(x)`
*** Common Client-side offenders: `eval`, `Function('some string')`,
`setTimeout('some string', num)`, `setInterval('some string', num)`
* Check for accidental reveal of sensitive information
** The biggest culprit is errors which contain stack traces or other
sensitive information which end up in the HTTP Response
* Checked for Mishandled API requests
** Ensure no sensitive cookies are forwarded to external resources.
** Ensure that all user controllable variables that are used in
constructing a URL are escaped properly. This is relevant when using
`transport.request` with the {es} client as no automatic
escaping is performed.
* Reverse tabnabbing -
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#tabnabbing
** When there are user controllable links or hard-coded links to
third-party domains that specify target="_blank" or target="_window", the a tag should have the rel="noreferrer noopener" attribute specified.
Allowing users to input markdown is a common culprit, a custom link renderer should be used
* SSRF - https://www.owasp.org/index.php/Server_Side_Request_Forgery
All network requests made from the {kib} server should use an explicit configuration or white-list specified in the kibana.yml
Reference in a new issue View git blame Copy permalink