Skip to content

Latest commit

 

History

History
82 lines (60 loc) · 6.02 KB

threat-modeling.md

File metadata and controls

82 lines (60 loc) · 6.02 KB

Threat Model Analysis for airbnb/lottie-web

Threat: Denial of Service (DoS) via Resource Exhaustion

  • Threat: Denial of Service (DoS) via Resource Exhaustion

    • Description: An attacker crafts a Lottie JSON file with extreme complexity (e.g., thousands of layers, very high frame rate, excessively long duration, or complex shapes and masks). The attacker delivers this file, and when the application attempts to render the animation using lottie-web, it consumes excessive CPU, memory, or GPU resources, leading to a denial of service.

    • Impact:

      • Application crashes or freezes.
      • Browser becomes unresponsive.
      • Device instability (especially on mobile or low-powered devices).
      • Potential for complete system unresponsiveness in extreme cases.

    • Affected Lottie-Web Component:

      • AnimationItem (the main object representing a loaded animation).
      • Rendering engine (Canvas, SVG, or HTML renderer).
      • Various internal parsing and processing functions within lottie-web.

    • Risk Severity: High

    • Mitigation Strategies:

      • Complexity Limits (Server-Side & Client-Side):
        • Enforce maximum layer count.
        • Enforce maximum frame rate.
        • Enforce maximum animation duration.
        • Enforce maximum file size.
        • Whitelist/blacklist specific Lottie features (e.g., computationally expensive effects).
      • Resource Monitoring: Monitor CPU and memory usage during rendering. Terminate animation if thresholds are exceeded.
      • Sandboxing (Web Workers): Render animations in a Web Worker to isolate resource consumption.
      • Progressive Loading/Rendering: Load and render animation segments incrementally.
      • Rate Limiting: If user-submitted animations are allowed, implement rate limiting.

Threat: Cross-Site Scripting (XSS) via Malicious Expressions

  • Threat: Cross-Site Scripting (XSS) via Malicious Expressions

    • Description: An attacker creates a Lottie JSON file containing malicious JavaScript code within animation expressions. These expressions are evaluated by lottie-web to dynamically control animation properties. When the animation is rendered, the injected JavaScript code executes in the context of the victim's browser, allowing the attacker to perform actions such as stealing cookies, redirecting the user, or defacing the website. This is a direct exploitation of lottie-web's expression handling.

    • Impact:

      • Theft of user credentials (cookies, session tokens).
      • Redirection to malicious websites.
      • Website defacement.
      • Execution of arbitrary code in the user's browser.
      • Session hijacking.
      • Data exfiltration.

    • Affected Lottie-Web Component:

      • Expression evaluation engine (specifically, the code within lottie-web that parses and executes JavaScript expressions).
      • AnimationItem.play(), AnimationItem.goToAndPlay(), and other methods that trigger animation playback (and thus expression evaluation).

    • Risk Severity: Critical

    • Mitigation Strategies:

      • Disable Expressions (Primary Mitigation): If expressions are not required, disable them completely using lottie-web's configuration options (e.g., providing a no-op function for expression evaluation or using a build without expression support). This is the most effective solution.
      • Strict Input Validation and Sanitization (If Expressions are Essential): Implement extremely rigorous validation and sanitization of the JSON data before passing it to lottie-web. This is very difficult to do correctly and should be avoided if possible. Focus on whitelisting allowed expression syntax, not blacklisting.
      • Content Security Policy (CSP): Use a strong CSP, specifically avoiding unsafe-eval and carefully configuring script-src. This provides a defense-in-depth layer.
      • Sandboxing (Web Workers): Render animations in a Web Worker to isolate the execution context of expressions.
      • Context-Aware Escaping: If expressions are used and output is displayed in the DOM, ensure proper context-aware escaping is used.

Threat: Regular Expression Denial of Service (ReDoS) within Expressions

  • Threat: Regular Expression Denial of Service (ReDoS) within Expressions

    • Description: If expressions are enabled, an attacker could craft a Lottie file with a malicious regular expression within an expression. This regular expression is designed to cause catastrophic backtracking in the regular expression engine used by lottie-web, leading to excessive CPU consumption and a denial-of-service condition.

    • Impact:

      • Application freezes or crashes.
      • Browser becomes unresponsive.
      • Server-side performance degradation (if expressions are evaluated server-side).

    • Affected Lottie-Web Component:

      • Expression evaluation engine (specifically, the part that handles regular expressions within lottie-web).

    • Risk Severity: High

    • Mitigation Strategies:

      • Disable Expressions (Preferred): If expressions are not needed, disable them.
      • Regular Expression Sanitization/Validation (If Expressions are Essential): If expressions must be used, carefully validate and sanitize any regular expressions within them. Use a safe regular expression library or engine, and avoid complex or nested quantifiers. Test regular expressions against known ReDoS patterns.
      • Resource Limits: Set limits on the execution time or resources allowed for expression evaluation within lottie-web.
      • Web Workers: Evaluate expressions in a Web Worker to isolate the impact.