Skip to content

Latest commit

 

History

History
41 lines (34 loc) · 5.82 KB

attack-surface.md

File metadata and controls

41 lines (34 loc) · 5.82 KB

Attack Surface Analysis for square/workflow-kotlin

Attack Surface: State Deserialization Vulnerabilities

  • Description: Workflow state is serialized for persistence and deserialized when workflows are resumed. Vulnerabilities in the deserialization process can lead to code execution or denial of service.
  • Workflow-Kotlin Contribution: workflow-kotlin manages workflow state serialization and deserialization internally. While Kotlin serialization is generally safer, misconfigurations or vulnerabilities in custom serialization logic (if used within workflow-kotlin context or extensions) can introduce risks. The library's state management directly relies on deserialization.
  • Example: A custom serialization mechanism is incorrectly configured within a workflow-kotlin application, making it vulnerable to deserialization attacks. An attacker crafts a malicious serialized state payload that, when deserialized by workflow-kotlin, executes arbitrary code on the server.
  • Impact: Remote Code Execution (RCE), Denial of Service (DoS).
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Use Secure Serialization Libraries: Rely on well-vetted and secure serialization libraries (like Kotlin Serialization as intended by workflow-kotlin). Avoid custom, potentially vulnerable serialization implementations within the workflow context.
    • Input Validation on Deserialized Data: Validate the integrity and expected structure of deserialized workflow state before using it in workflow logic. While workflow-kotlin handles this internally to some extent, ensure custom state handling or extensions also incorporate validation.
    • Regularly Update Dependencies: Keep workflow-kotlin and its serialization library dependencies up-to-date to patch known vulnerabilities.
    • Consider Signed Serialization: Implement mechanisms to sign serialized state to ensure integrity and prevent tampering, especially if custom state handling is involved.

Attack Surface: Data Injection via Worker Inputs/Outputs

  • Description: Workers interact with workflows by exchanging data. If worker inputs or outputs are not properly validated and sanitized, malicious data can be injected, leading to various attacks.
  • Workflow-Kotlin Contribution: workflow-kotlin workflows heavily rely on Workers for external interactions. The data flow orchestrated by the workflow framework between workflows and workers is a critical point where vulnerabilities can be introduced if not handled securely. workflow-kotlin's design necessitates this worker interaction, making it a key contributor to this attack surface in workflow-based applications.
  • Example: A worker receives user-provided input as part of its doWork function and passes it back to the workflow without sanitization. The workflow then uses this unsanitized data to construct a database query, leading to SQL injection. The workflow framework facilitates this data flow and potential vulnerability.
  • Impact: Cross-Site Scripting (XSS), SQL Injection, Command Injection, business logic bypass, data corruption.
  • Risk Severity: High
  • Mitigation Strategies:
    • Input Validation and Sanitization: Thoroughly validate and sanitize all data received by workers (inputs) and data passed back to workflows (outputs). Apply context-appropriate encoding and escaping at the worker level and within workflow logic that processes worker results.
    • Principle of Least Privilege for Workers: Grant workers only the necessary permissions to access external resources. Avoid running workers with overly broad privileges. This limits the impact if a worker is compromised or misused through data injection.
    • Secure Communication Channels: If workers communicate over a network, use secure communication protocols (e.g., TLS/SSL) to protect data in transit. This is relevant if workflow-kotlin is used in a distributed worker setup.
    • Output Encoding: Encode worker outputs appropriately before using them in contexts where they could be interpreted as code (e.g., in web pages, database queries, system commands) within the workflow logic.

Attack Surface: Insecure Workflow State Persistence

  • Description: Workflow state, potentially containing sensitive data, is stored in a persistent storage. If this storage is not properly secured, it becomes an attack surface.
  • Workflow-Kotlin Contribution: workflow-kotlin inherently relies on state persistence to manage long-running workflows. The library's core functionality mandates state persistence, making the security of this storage a direct and critical concern for applications built with it.
  • Example: Workflow state is stored in a database with default credentials or without proper access controls. An attacker gains access to the database and reads sensitive user data stored within workflow states managed by workflow-kotlin.
  • Impact: Data breaches, confidentiality violation, potential data manipulation.
  • Risk Severity: High
  • Mitigation Strategies:
    • Secure Storage Configuration: Implement strong access controls, authentication, and authorization for the state persistence layer (database, file system, etc.).
    • Encryption at Rest: Encrypt workflow state data when it is stored persistently.
    • Regular Security Audits: Periodically audit the security configuration of the state persistence layer.
    • Principle of Least Privilege: Grant only necessary permissions to services and users accessing the state persistence layer. Ensure workflow-kotlin runtime environment also adheres to least privilege.