Skip to content

Latest commit

 

History

History
117 lines (92 loc) · 8.07 KB

mitigations.md

File metadata and controls

117 lines (92 loc) · 8.07 KB

Mitigation Strategies Analysis for kotlin/kotlinx-datetime

Mitigation Strategy: Explicit Time Zone Specification

  1. Identify all kotlinx-datetime object creation: Review the codebase and find every instance where Instant, LocalDateTime, LocalDate, ZonedDateTime, or other kotlinx-datetime objects are created.
  2. Eliminate implicit defaults: Never rely on the system's default time zone. When creating a date/time object, always explicitly provide the intended TimeZone using TimeZone.of("TimeZoneID") or TimeZone.UTC. For example:
    • Incorrect: Clock.System.now()
    • Correct (UTC): Clock.System.now() (if you really intend UTC; otherwise, convert)
    • Correct (Specific Time Zone): Clock.System.now().toLocalDateTime(TimeZone.of("America/Los_Angeles"))
  3. Consistent conversions: When converting between Instant and other types, always specify the TimeZone. For example:
    • instant.toLocalDateTime(timeZone)
    • localDateTime.toInstant(timeZone)
  4. Document usage: Clearly document all instances where time zones are used and the rationale behind the chosen time zone.

  • Threats Mitigated:

    • Incorrect Time Zone Handling / Assumptions (Severity: High): Prevents incorrect calculations, data inconsistencies, and potential security vulnerabilities by ensuring the correct time zone is always used.
    • Bypassing Time-Based Access Controls (Severity: High): Ensures time-based restrictions are enforced correctly by using the appropriate time zone.
    • Data Inconsistency (Severity: Medium): Promotes consistent date/time handling throughout the application.

  • Impact:

    • Incorrect Time Zone Handling / Assumptions: Risk reduced significantly (from High to Low).
    • Bypassing Time-Based Access Controls: Risk reduced significantly (from High to Low).
    • Data Inconsistency: Risk reduced significantly (from Medium to Low).

  • Currently Implemented: Partially. Time zone is explicitly specified in EventService when creating new events (UTC Instant). Conversion to local time zone is done in EventController for display.

  • Missing Implementation: ReportGenerator uses implicit time zone defaults. UserPreferences does not validate user-provided time zones (this is addressed in a separate strategy below, but the usage within kotlinx-datetime is also relevant here).

Mitigation Strategy: Validate User-Provided Time Zones (within kotlinx-datetime usage)

  1. Identify input points: Locate all places where user-provided time zone strings are used with kotlinx-datetime.
  2. Whitelist validation: Before passing any user-provided string to TimeZone.of(), validate it against the list returned by TimeZone.availableZoneIds().
  3. Example: 
    fun setUserTimeZone(userTimeZoneString: String) {
    if (TimeZone.availableZoneIds.contains(userTimeZoneString)) {
        val timeZone = TimeZone.of(userTimeZoneString)
        // ... use the timeZone object ...
    } else {
        // Handle invalid input (e.g., show an error message)
    }
}
  4. Reject invalid input: Do not call TimeZone.of() with an invalid time zone string. Handle the error appropriately (e.g., show an error message to the user, use a default time zone, log the error).

  • Threats Mitigated:

    • Incorrect Time Zone Handling / Assumptions (Severity: High): Prevents the use of invalid time zone identifiers, which would lead to runtime errors or incorrect calculations.
    • Injection Attacks (Severity: Medium): Although less direct, validating input helps prevent potential issues if the time zone string were (incorrectly) used in other contexts.

  • Impact:

    • Incorrect Time Zone Handling / Assumptions: Risk reduced significantly (from High to Low).
    • Injection Attacks: Risk reduced (from Medium to Low).

  • Currently Implemented: Not implemented.

  • Missing Implementation: UserPreferences accepts free-form time zone strings without validation before using them with TimeZone.of(). The API endpoint for updating user profiles also lacks this validation.

Mitigation Strategy: Robust Parsing Error Handling (with kotlinx-datetime parsing functions)

  1. Identify parsing calls: Find all uses of kotlinx-datetime parsing functions like Instant.parse(), LocalDateTime.parse(), LocalDate.parse(), etc.
  2. try-catch blocks: Wrap every parsing call in a try-catch block: 
    try {
    val instant = Instant.parse(inputString)
    // ... use the instant object ...
} catch (e: DateTimeFormatException) {
    // Handle the parsing error
}
  3. Specific exception handling: Catch DateTimeFormatException specifically. You might also catch IllegalArgumentException if appropriate.
  4. Graceful error handling: Inside the catch block:
    • Log the error.
    • Provide a user-friendly error message (if applicable).
    • Return a default value or an error response (depending on the context).
    • Never allow an unhandled exception to propagate.

  • Threats Mitigated:

    • Parsing Errors with Malformed Input (Severity: Medium): Prevents unhandled exceptions from crashing the application or causing unexpected behavior.
    • Denial of Service (DoS) (Severity: Low): Mitigates the risk of DoS attacks that exploit unhandled parsing exceptions.

  • Impact:

    • Parsing Errors with Malformed Input: Risk reduced significantly (from Medium to Low).
    • Denial of Service (DoS): Risk reduced (from Low to Negligible).

  • Currently Implemented: Partially. EventService handles DateTimeFormatException when parsing event times from API requests.

  • Missing Implementation: ReportGenerator and DataImporter do not handle potential DateTimeFormatException when parsing date/time strings.

Mitigation Strategy: Input Validation (Pre-Parsing) - Before using kotlinx-datetime

  1. Identify parsing locations: As above, find all places where kotlinx-datetime parsing functions are used.
  2. Pre-parsing checks: Before calling Instant.parse(), LocalDateTime.parse(), etc., perform basic validation on the input string:
    • Length check: Limit the string length to a reasonable maximum.
    • Format check: Use regular expressions or string manipulation to verify the basic structure (e.g., presence of separators, correct number of digits). Example (for a simple ISO-8601 date): 
      val isoDateRegex = Regex("""^\d{4}-\d{2}-\d{2}$""")
if (isoDateRegex.matches(inputString)) {
    // Proceed with parsing
} else {
    // Handle invalid format
}
    • Range check: If possible, check that individual components (year, month, day) are within valid ranges.
  3. Reject invalid input: If the pre-parsing checks fail, reject the input before calling the kotlinx-datetime parsing function.

  • Threats Mitigated:

    • Parsing Errors with Malformed Input (Severity: Medium): Reduces the number of DateTimeFormatException by filtering out obviously invalid inputs.
    • Denial of Service (DoS) (Severity: Low): Helps prevent excessively long or complex inputs from causing performance issues.

  • Impact:

    • Parsing Errors with Malformed Input: Risk reduced (from Medium to Low/Medium).
    • Denial of Service (DoS): Risk reduced (from Low to Negligible).

  • Currently Implemented: Not implemented.

  • Missing Implementation: This is missing in all locations where kotlinx-datetime parsing functions are used: EventService, ReportGenerator, and DataImporter.