Skip to content

Latest commit

 

History

History
98 lines (87 loc) · 11.4 KB

mitigations.md

File metadata and controls

98 lines (87 loc) · 11.4 KB

Mitigation Strategies Analysis for coil-kt/coil

Mitigation Strategy: Whitelist Allowed Domains

  • Mitigation Strategy: Whitelist Allowed Domains (Coil-Specific)
  • Description:
    1. Identify Trusted Domains: Determine all legitimate and trusted domains from which your application should load images via Coil.
    2. Create a Whitelist: Create a list of these trusted domains (e.g., an array, set, or configuration file accessible in your Coil setup).
    3. Implement Coil Interceptor: Create a custom Interceptor for Coil's ImageLoader.
    4. URL Validation in Interceptor: Within the interceptor, before proceeding with the network request, extract the domain from the image URL.
    5. Check Against Whitelist in Interceptor: Compare the extracted domain against the whitelist.
    6. Abort Request if Not Whitelisted: If the domain is not in the whitelist, abort the image loading request within the interceptor. You can throw an IOException or return a cached error response to prevent Coil from proceeding.
    7. Configure Coil with Interceptor: Register this custom interceptor with your ImageLoader instance when building it.
  • Threats Mitigated:
    • Loading Malicious Images from Untrusted Sources (High Severity): Prevents Coil from loading images from attacker-controlled servers, mitigating malware, exploit, or inappropriate content risks.
    • Phishing Attacks via Image URLs (Medium Severity): Reduces the risk of users being tricked by images from phishing domains loaded by Coil.
  • Impact:
    • Loading Malicious Images from Untrusted Sources (High Impact): Significantly reduces risk by directly preventing Coil from fetching images from unauthorized sources.
    • Phishing Attacks via Image URLs (Medium Impact): Reduces risk by limiting Coil's image sources to trusted domains, making phishing via image URLs less effective.
  • Currently Implemented: No - Domain whitelisting is not currently implemented specifically within Coil's image loading process.
  • Missing Implementation: A custom Interceptor needs to be created and registered with Coil's ImageLoader to perform domain whitelisting checks before network requests are made.

Mitigation Strategy: Implement URL Pattern Matching

  • Mitigation Strategy: URL Pattern Matching (Coil-Specific)
  • Description:
    1. Define URL Patterns: Define regular expressions or similar patterns that describe the valid structure of image URLs Coil should load. These patterns should include allowed domains, paths, and file extensions.
    2. Implement Coil Interceptor: Create a custom Interceptor for Coil's ImageLoader.
    3. URL Validation in Interceptor: Within the interceptor, before proceeding with the network request, apply the defined URL patterns to the image URL.
    4. Validate URL against Patterns in Interceptor: Check if the URL matches any of the defined valid patterns.
    5. Abort Request if Pattern Mismatch: If the URL does not match any valid pattern, abort the image loading request within the interceptor (e.g., throw IOException or return cached error).
    6. Configure Coil with Interceptor: Register this custom interceptor with your ImageLoader instance.
  • Threats Mitigated:
    • Loading Malicious Images from Untrusted Sources (High Severity): Similar to whitelisting, but provides more flexible control over allowed image URL structures for Coil.
    • URL Injection Attacks (Medium Severity): Helps prevent URL injection attacks by ensuring Coil only processes URLs conforming to expected formats, blocking potentially malicious URLs.
  • Impact:
    • Loading Malicious Images from Untrusted Sources (High Impact): Effectively reduces risk by limiting Coil's image sources to those matching defined URL patterns.
    • URL Injection Attacks (Medium Impact): Reduces risk by validating URL structure processed by Coil, preventing unexpected or malicious components in the URL from being used by Coil.
  • Currently Implemented: No - URL pattern matching is not currently implemented within Coil's image loading process.
  • Missing Implementation: A custom Interceptor needs to be created and registered with Coil's ImageLoader to perform URL pattern validation before network requests are made by Coil.

Mitigation Strategy: Enforce HTTPS for Image URLs

  • Mitigation Strategy: Enforce HTTPS (Coil-Specific)
  • Description:
    1. Application Policy for Coil: Establish a policy that Coil should only load images via HTTPS.
    2. URL Modification (If Necessary): If your application receives image URLs that might be HTTP, implement logic before passing them to Coil to automatically rewrite them to HTTPS if the domain supports it.
    3. Validation and Rejection for Coil: Before loading an image with Coil, check if the URL scheme is HTTPS. If it's HTTP and cannot be upgraded, reject the URL and do not pass it to Coil for loading. You can handle this validation in your code before calling Coil's load function or within a Coil Interceptor.
    4. Coil Configuration (If Applicable): While Coil doesn't directly enforce HTTPS, ensure your underlying network client (OkHttp) is configured to prioritize HTTPS and handle redirects appropriately.
  • Threats Mitigated:
    • Man-in-the-Middle (MITM) Attacks (High Severity): Prevents MITM attacks on image requests made by Coil, protecting against malicious content injection, image modification, and user tracking.
    • Data Integrity Issues (Medium Severity): Ensures the integrity of images downloaded by Coil by preventing tampering during transit.
    • Information Disclosure (Low Severity): Protects against potential information disclosure if image URLs passed to Coil contain sensitive parameters that could be intercepted over HTTP.
  • Impact:
    • Man-in-the-Middle (MITM) Attacks (High Impact): Significantly reduces risk for Coil image loading by encrypting traffic and preventing interception.
    • Data Integrity Issues (Medium Impact): Improves data integrity for images loaded by Coil.
    • Information Disclosure (Low Impact): Minimally reduces information disclosure risk related to image URLs used by Coil.
  • Currently Implemented: Partial - HTTPS is generally preferred, but explicit enforcement and validation specifically for Coil image URLs might be missing.
  • Missing Implementation: Explicitly validate and enforce HTTPS for all image URLs before they are passed to Coil for loading. This can be done through pre-processing URLs or within a Coil Interceptor.

Mitigation Strategy: Limit Image Size

  • Mitigation Strategy: Limit Image Size (Coil-Specific)
  • Description:
    1. Define Maximum Size for Coil: Determine a maximum acceptable file size for images loaded by Coil, based on application resource limits and user experience considerations.
    2. Implement Coil Interceptor: Create a custom Interceptor for Coil's ImageLoader.
    3. Check Content-Length in Interceptor: Within the interceptor's intercept function, after receiving the Response from the server but before proceeding with image decoding, check the Content-Length header of the response.
    4. Abort Request if Too Large: If Content-Length exceeds the defined maximum size, abort the request within the interceptor. You can throw an IOException to prevent Coil from downloading the full image.
    5. Handle Missing Content-Length: If Content-Length is not present, you might choose to either:
      • Allow (Riskier): Proceed with the download without size checking (if you trust the source).
      • Reject (More Secure): Abort the request as you cannot determine the size beforehand.
    6. Configure Coil with Interceptor: Register this custom interceptor with your ImageLoader instance.
  • Threats Mitigated:
    • Denial of Service (DoS) Attacks via Large Images (Medium Severity): Prevents attackers from causing resource exhaustion (memory, bandwidth, processing) by forcing Coil to download and process excessively large images.
  • Impact:
    • Denial of Service (DoS) Attacks via Large Images (Medium Impact): Reduces the risk of DoS attacks targeting Coil by preventing the application from being overwhelmed by large image downloads.
  • Currently Implemented: No - Image size limits are not currently enforced within Coil's image loading process.
  • Missing Implementation: A custom Interceptor needs to be created and registered with Coil's ImageLoader to check the Content-Length header and abort requests for images exceeding the defined size limit.

Mitigation Strategy: Timeout Mechanisms

  • Mitigation Strategy: Timeout Mechanisms (Coil/OkHttp Configuration)
  • Description:
    1. Configure OkHttp Client for Coil: Coil uses OkHttp as its network client. Access the OkHttp OkHttpClient.Builder used by Coil's ImageLoader (often during ImageLoader initialization).
    2. Set Connection Timeout: Configure the connectTimeout on the OkHttpClient.Builder. This sets the maximum time to establish a connection with the image server.
    3. Set Read Timeout: Configure the readTimeout on the OkHttpClient.Builder. This sets the maximum time to wait for data to be received after a connection has been established.
    4. Set Write Timeout (Less Critical for Image Loading): Optionally, configure writeTimeout if you anticipate scenarios where Coil might be sending data (though less common in typical image loading).
    5. Choose Reasonable Timeouts: Select timeout values that are appropriate for typical network conditions and image sizes in your application. Too short timeouts might cause legitimate requests to fail, while too long timeouts might leave the application vulnerable to slow DoS attacks.
    6. Build and Use Configured ImageLoader: Build your ImageLoader instance using the configured OkHttpClient.Builder.
  • Threats Mitigated:
    • Denial of Service (DoS) Attacks (Low to Medium Severity): Prevents Coil from hanging indefinitely if an image server is unresponsive or intentionally slow, mitigating some DoS scenarios.
    • Resource Exhaustion (Low Severity): Reduces the risk of resource exhaustion due to long-running, stalled image loading requests initiated by Coil.
  • Impact:
    • Denial of Service (DoS) Attacks (Low to Medium Impact): Minimally to moderately reduces DoS risk for Coil by preventing indefinite waiting for slow servers.
    • Resource Exhaustion (Low Impact): Minimally reduces resource exhaustion related to stalled Coil requests.
  • Currently Implemented: Yes - Network timeouts are likely configured at a general application level for OkHttp, which Coil utilizes.
  • Missing Implementation: Review and specifically verify that connection and read timeouts are appropriately configured for the OkHttpClient instance used by Coil's ImageLoader. Fine-tune timeout values if necessary to optimize for security and user experience in the context of image loading.