devshop talk 7/25/13

1. Meteor meets
Mallory*
Emily Stark, Meteor core developer
emily@meteor.com
* Mallory is usually the name of the bad guy in crypto/security stuff

2. Meteor security
model and best
practices

3. Outline
1. Meteor security principles
2. Cross-site scripting
3. Mongo injections

4. Meteor security
principles

5. Secure design principles
○ Data and code are separate
○ Easy to reason about client/server boundary
○ Stateful connections that must be
deliberately authenticated

6. Securely structuring your app
○ Server code is trusted, client code is not
○ server/ or Meteor.settings for secrets
○ Meteor.isServer doesn't make code private
○ Use publications and allow/deny to lock
down database API
○ Allow/deny rules not applied to server code

7. Cross-site scripting

8. Cross-site scripting (XSS)

9. Cross-site scripting (XSS)

10. Meteor foils some attacks
< > ' " ` &
&lt; &gt; &#x27; &quot; &#x60; &amp;
when inside {{ }}
(packages/handlebars/evaluate-handlebars.js)

11. But not all
<a href="{{ userWebsite }}">
{{ username }}'s website
</a>

12. URL sanitization
<a href="javascript:alert(localStorage)">
{{ username }}'s website
</a>

13. URL sanitization
<a href="javascript:alert(localStorage)">
{{ username }}'s website
</a>
Can you execute any damaging Javascript
when quotes are escaped?

14. URL sanitization
<a href="javascript:
eval(String.fromCharCode(77, 101, ...))">
{{ username }}'s website
</a>

15. CSS sanitization
<div style="background-color:
{{ usersFavoriteColor }}">
</div>

16. CSS sanitization
<div style="background-color:
expression(alert(localStorage))">
</div>

17. Sanitize untrusted URLs and CSS
○ Don't try to filter out "javascript:",
"expression", etc.
○ Do strict checking: urls start with http, css
values come from a list of safe values
○ Use Content Security Policy
Ex: Content-Security-Policy: default-src
'self'

18. Mongo injections

19. Mongo injections
Meteor.methods({
getUser: function(user, pwd) {
return Users.findOne({
username: user,
password: pwd
});
}
});
user: "Alice"
pwd: {$ne: "foo"}

20. Using check
Meteor.methods({
getUser: function (user, pwd) {
check(user, String);
check(pwd, String);
return Users.findOne({
user: user,
password: pwd
});
}
});

21. check is versatile
check(usernames, [String])
check(profile, {
admin: Boolean,
location: Match.Optional(String)
});
check(age, Match.OneOf(String,
Number))

22. Using audit-argument-checks
Meteor.methods({
insertName: function (name) {
MyCollection.insert({
name: name
});
console.log("Inserted",
{name: name});
}
});
insertName({
foo: "bar"
})

23. Using audit-argument-checks
Inserted {"name": {"foo":
"bar"}}
insertName({
foo: "bar"
})

24. Using audit-argument-checks
meteor add audit-argument-
checks
insertName({
foo: "bar"
})

25. Using audit-argument-checks
Inserted {"name": {"foo":
"bar"}}
Exception while invoking method
'insertName'
Error: Did not check() all
arguments during call to
'insertName'
insertName({
foo: "bar"
})

26. What was that Meteor 0.6.4.1 release
all about?
Meteor.methods({
saveUser: function(profile) {
delete profile.admin;
Users.insert(profile);
}
});
<malicious input>
{"admin": "true!", "x01...": null,
...}

27. Conclusion
○ Meteor security design principles
○ Securing boundary between client and server
○ Data/code separation
○ Some attacks to watch out for
○ Always validate untrusted user input
○ security-resources.meteor.com

28. Questions?