Skip to content

Latest commit

 

History

History
122 lines (98 loc) · 7.29 KB

mitigations.md

File metadata and controls

122 lines (98 loc) · 7.29 KB

Mitigation Strategies Analysis for dominictarr/rc

Mitigation Strategy: Strict Schema Validation (with rc Integration)

  • Description:

    1. Define a JSON Schema: (Same as before - create a comprehensive JSON schema file).
    2. Choose a Validation Library: (Same as before - select and install a validator like ajv or joi).
    3. Integrate Validation with rc: This is where the direct rc interaction comes in. Instead of loading the configuration and then validating, you can integrate the validation within the rc call, or immediately after. The most robust approach is to load before passing to rc: 
      const rc = require('rc');
const Ajv = require('ajv');
const fs = require('fs');

const schema = JSON.parse(fs.readFileSync('config-schema.json', 'utf8'));
const ajv = new Ajv({ allErrors: true }); // allErrors is important for comprehensive reporting
const validate = ajv.compile(schema);

// Load configuration using rc, with defaults
const config = rc('myapp', defaults);

// Validate the configuration
const isValid = validate(config);

if (!isValid) {
  console.error("Invalid configuration:", validate.errors);
  process.exit(1); // Exit on invalid configuration
}

// Now it's safe to use the 'config' object
    4. Test Validation: (Same as before - create unit tests).

  • List of Threats Mitigated: (Same as before - ACE/RCE, Information Disclosure, DoS, Unexpected Behavior)

  • Impact: (Same as before - significant risk reduction across all listed threats)

  • Currently Implemented:

    • Validation logic integrated directly within the rc loading process in src/config/index.js, as shown in the example above.
    • Unit tests in test/config.test.js.

  • Missing Implementation:

    • Schema needs updating for the featureFlags option (as before).
    • No integration tests.

Mitigation Strategy: Configuration File Location Control (using configs option)

  • Description:

    1. Determine Trusted Location: Decide on a single, secure, and absolute path for your application's primary configuration file (e.g., /opt/myapp/config.json).
    2. Use configs Option: When calling rc, use the configs option to explicitly specify this path. This overrides rc's default search paths, preventing it from loading configuration files from potentially untrusted locations. 
      const config = rc('myapp', defaults, { configs: ['/opt/myapp/config.json'] });
    3. Avoid Relative Paths: Never use relative paths with the configs option. Always use absolute paths.
    4. Single File (Recommended): Ideally, use a single configuration file specified with configs. Avoid relying on rc's multi-file loading behavior, as it increases the attack surface.

  • List of Threats Mitigated:

    • Unexpected Application Behavior: (Severity: Medium) - Prevents attackers from placing malicious configuration files in unexpected locations that rc might load.
    • Information Disclosure: (Severity: Medium) - Reduces the risk of loading a configuration file containing sensitive data from an untrusted location.
    • Privilege Escalation: (Severity: Medium) - If combined with least privilege, reduces the impact of an attacker modifying a configuration file.

  • Impact:

    • Unexpected Application Behavior: Risk reduced from Medium to Low.
    • Information Disclosure: Risk reduced from Medium to Low.
    • Privilege Escalation: Risk reduced (in conjunction with other mitigations).

  • Currently Implemented:

    • rc is called with the configs option set to /etc/myapp/config.json in src/config/index.js.

  • Missing Implementation:

    • No check to ensure that the file specified by configs actually exists and is readable before calling rc. This could lead to the application using default values unexpectedly. A check should be added: 
      const configFile = '/opt/myapp/config.json';
try {
  fs.accessSync(configFile, fs.constants.R_OK); // Check for read access
} catch (err) {
  console.error(`Configuration file not found or not readable: ${configFile}`);
  process.exit(1);
}
const config = rc('myapp', defaults, { configs: [configFile] });

Mitigation Strategy: Environment Variable Prefixing and Parsing (using parse option)

  • Description:

    1. Choose a Prefix: Select a unique prefix for your application's environment variables (e.g., MYAPP_).
    2. Use parse Option: When calling rc, use the parse option to define how environment variables should be parsed and incorporated into the configuration. This allows you to:
      • Specify the prefix.
      • Control how environment variables are converted to configuration keys (e.g., converting uppercase to lowercase, replacing underscores with dots).
      • Filter which environment variables are considered.
    3. Example: 
      const config = rc('myapp', defaults, {
  parse: (content) => {
    const parsedConfig = {};
    for (const key in content) {
      if (key.startsWith('MYAPP_')) {
        const newKey = key.substring(6).toLowerCase().replace(/_/g, '.'); // Remove prefix, lowercase, replace _ with .
        parsedConfig[newKey] = content[key];
      }
    }
    return parsedConfig;
  }
});
      This example would process an environment variable like MYAPP_DATABASE_HOST and create a configuration key database.host.
    4. Minimize Environment Variable Use: As emphasized before, minimize the use of environment variables for sensitive data. This strategy primarily helps manage non-sensitive configuration options that might be set via environment variables.

  • List of Threats Mitigated:

    • Unexpected Application Behavior: (Severity: Low) - Prevents conflicts with environment variables from other applications.
    • Information Disclosure: (Severity: Low) - Reduces the risk (though minimally) of accidentally exposing sensitive data if environment variables are misconfigured.

  • Impact:

    • Unexpected Application Behavior: Risk reduced from Low to Negligible.
    • Information Disclosure: Minimal impact (primarily addressed by not using environment variables for secrets).

  • Currently Implemented:

    • A basic parse function is used to convert environment variable keys to lowercase.

  • Missing Implementation:

    • The parse function doesn't explicitly check for the MYAPP_ prefix. It should be updated to only process environment variables with the correct prefix, as shown in the example above.
    • No documentation clearly explains which environment variables are supported and how they are mapped to configuration options.