yoinkkk/ExcaliDash
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Files
b47ab7678500d92faeee1e5e7ea5be19cec761e0
ExcaliDash/SECURITY_FIXES_SUMMARY.md
T
Zimeng Xiong 06f13d1404 fix XSS and Root execution of NPM in docker
2025-11-22 20:38:40 -08:00

7.0 KiB
Raw Blame History

Security Fixes Implementation Summary

Overview

This document summarizes the comprehensive security fixes implemented to address two critical security vulnerabilities identified in ExcaliDash:

  1. Stored XSS Vector (High Severity) - Data sanitization negligence
  2. Root Execution Privilege (Critical Severity) - Container escape risk

Security Issues Fixed

Issue 1: Stored XSS Vector (High Severity) FIXED

Problem: Backend used lazy z.object({}).passthrough() validation for elements and appState, allowing arbitrary JSON storage without sanitization.

Attack Vectors:

  • Malicious .excalidraw files containing <script> tags in element properties
  • javascript: URIs in link attributes
  • SVG previews with embedded malicious code
  • Compromised clients sending XSS payloads

Solution Implemented:

  • Strict Zod Schemas: Replaced .passthrough() with detailed validation schemas for elements and appState
  • HTML/JS Sanitization: Implemented comprehensive sanitization layer removing script tags, event handlers, and malicious URLs
  • SVG Sanitization: Special handling for SVG content to prevent script execution
  • URL Validation: Whitelist-only approach for URL schemes (http, https, mailto, relative paths only)
  • Input Sanitization: All string inputs are sanitized before database persistence
  • Import Validation: Additional security checks for imported .excalidraw files with X-Imported-File header

Issue 2: Root Execution Privilege (Critical Severity) FIXED

Problem: Container ran Node.js process as root without USER directive, providing immediate root access in case of RCE.

Attack Vectors:

  • RCE vulnerabilities in better-sqlite3 native bindings
  • File upload processing vulnerabilities
  • Import functionality exploits

Solution Implemented:

  • Non-Root User: Created dedicated nodejs user with UID 1001
  • Permission Management: Proper ownership and permissions for data directories
  • Dockerfile Security: Added USER directive to switch to non-root execution
  • Entry Point Security: Updated docker-entrypoint.sh to handle permissions correctly

Additional Security Hardening IMPLEMENTED

Security Headers:

  • Content Security Policy (CSP) with strict source restrictions
  • X-Frame-Options: DENY (prevents clickjacking)
  • X-Content-Type-Options: nosniff
  • X-XSS-Protection: 1; mode=block
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: geolocation=(), microphone=(), camera=()

Rate Limiting:

  • Implemented basic rate limiting (1000 requests per 15-minute window)
  • Per-IP tracking to prevent DoS attacks

Request Validation:

  • Maintained existing 50MB request size limits
  • Enhanced validation for file imports

Files Modified

Backend Changes

  1. backend/src/security.ts - New security utilities module

    • HTML/JS sanitization functions
    • SVG sanitization functions
    • Strict Zod schemas for elements and appState
    • Drawing data validation and sanitization
    • URL sanitization with whitelist validation

  2. backend/src/index.ts - Updated backend security

    • Replaced lazy .passthrough() schemas with strict validation
    • Added security middleware with headers and rate limiting
    • Enhanced POST /drawings endpoint with import validation
    • Added malicious content detection and rejection

  3. backend/Dockerfile - Container security hardening

    • Created non-root nodejs user (UID 1001)
    • Added USER directive for non-root execution
    • Set proper file ownership and permissions

  4. backend/docker-entrypoint.sh - Permission management

    • Added proper directory permission setup
    • User-aware permission handling
    • Database file permission management

Frontend Changes

  1. frontend/src/utils/importUtils.ts - Import security marking
    • Added X-Imported-File: true header for imported files
    • Enables additional backend validation for imported content

Security Testing

Test Coverage

XSS Prevention Tests (backend/src/securityTest.ts):

  • HTML/JS injection prevention
  • SVG malicious content blocking
  • URL scheme validation (javascript:, data:, vbscript: blocked)
  • Text sanitization with length limits
  • Malicious drawing rejection
  • Legitimate content preservation

Container Security Tests:

  • Docker container runs as uid=1001(nodejs) instead of root
  • Proper file permissions for data directories
  • Non-root user execution verified

Test Results

🧪 Security Test Suite Results:

✅ HTML/JS injection prevention - WORKING
✅ SVG malicious content blocking - WORKING
✅ URL scheme validation - WORKING
✅ Text sanitization with limits - WORKING
✅ Malicious drawing rejection - WORKING
✅ Legitimate content preservation - WORKING
✅ Container runs as non-root (uid=1001) - WORKING

🔒 XSS Prevention: IMPLEMENTED & FUNCTIONAL
🔒 Container Security: IMPLEMENTED & FUNCTIONAL

Security Benefits

Before Fixes

  • Any malicious script in drawing data would be stored and executed
  • Container escape possible with immediate root access
  • No protection against XSS, CSRF, or clickjacking attacks
  • Unrestricted file uploads and imports

After Fixes

  • All drawing data is sanitized before storage
  • Malicious content is detected and rejected
  • Container runs with minimal privileges (UID 1001)
  • Comprehensive security headers protect against common attacks
  • Rate limiting prevents DoS attacks
  • Strict validation for all imported content

Security Impact

Risk Reduction

  • XSS Risk: High → Eliminated
  • Container Escape: Critical → Mitigated
  • RCE Impact: High → Reduced (non-root execution)
  • DoS Risk: Medium → Reduced (rate limiting)

Compliance

  • Implements defense-in-depth security principles
  • Follows secure coding practices
  • Adheres to container security best practices
  • Protects against OWASP Top 10 vulnerabilities

Maintenance Notes

Regular Security Tasks

  1. Security Test Suite: Run npm run security-test to verify XSS prevention
  2. Container Security: Verify non-root execution in production
  3. Dependency Updates: Keep dependencies updated for security patches
  4. Security Audit: Review and update sanitization rules as needed

Monitoring

  • Monitor rate limiting logs for DoS attempts
  • Track validation failures for potential attack patterns
  • Review container logs for permission-related issues

Conclusion

Both critical security issues have been successfully addressed with comprehensive fixes that:

  1. Eliminate XSS vulnerabilities through strict validation and sanitization
  2. Reduce container escape risk through non-root execution
  3. Add defense-in-depth security measures
  4. Maintain full functionality while improving security posture

The implementation includes thorough testing to ensure security measures work correctly while preserving legitimate functionality.

Security Status: RESOLVED

Reference in New Issue View Git Blame Copy Permalink