Skip to content

Latest commit

 

History

History
134 lines (109 loc) · 9.32 KB

mitigations.md

File metadata and controls

134 lines (109 loc) · 9.32 KB

Mitigation Strategies Analysis for ibireme/yytext

Mitigation Strategy: Attribute Whitelisting

  • Description:

    1. Identify Required Attributes: Create a list of YYText attributes (font, NSAttributedString.Key, color, size, links, attachments, custom attributes, etc.) that are essential.
    2. Create a Whitelist: Define a data structure (e.g., a Set<NSAttributedString.Key> or an enum in Swift) containing only the allowed attribute keys.
    3. Validation Function: Implement a function that takes a YYText object, NSMutableAttributedString, or NSAttributedString as input. This function should:
      • Use enumerateAttributes(in:options:using:) to iterate through all attributes.
      • For each attribute, check if its NSAttributedString.Key is in the whitelist.
      • If not in the whitelist, remove the attribute using removeAttribute(_:range:) on a mutable copy.
      • If in the whitelist, perform additional value validation (e.g., URL format for link attributes using YYTextUtilities or custom logic).
    4. Integrate Validation: Call this function before setting any user-supplied content to a YYTextView, YYLabel, or any other YYText component. This is crucial: validate before the potentially malicious content is processed by YYText.
    5. Regular Review: Periodically review the whitelist.

  • Threats Mitigated:

    • Cross-Site Scripting (XSS) (Severity: High): Prevents injection of malicious attributes (e.g., those with JavaScript in a javascript: URL within a link).
    • Data Exfiltration (Severity: High): Restricting attributes can prevent embedding hidden data.
    • Denial of Service (DoS) (Severity: Medium): Limiting complex attributes can help prevent DoS.
    • Phishing (Severity: High): Controlling link attributes reduces phishing risks.

  • Impact:

    • XSS: Significantly reduces risk (80-90%).
    • Data Exfiltration: Moderate reduction (50-70%).
    • DoS: Minor to moderate reduction (20-40%).
    • Phishing: Significant reduction (70-80%).

  • Currently Implemented: Partially. TextEditorViewController has a basic whitelist for font styles, but it's incomplete and lacks value validation.

  • Missing Implementation:

    • ChatViewController: No attribute whitelisting.
    • ProfileViewController: No whitelisting.
    • Network data parsing: No validation before creating YYText objects.

Mitigation Strategy: Attachment Handling (Strict, YYText-Specific)

  • Description:

    1. Disable Attachments (If Possible): If not essential, disable YYText attachment support entirely. This is the most secure approach. This often involves not using YYText features that inherently support attachments.
    2. Type Validation (Magic Numbers): If attachments are required, and you are using YYText's attachment handling:
      • Create a whitelist of allowed MIME types.
      • Before creating a YYTextAttachment (or equivalent), read the first few bytes of the attachment data.
      • Compare the magic number against a known list for the allowed MIME types. Do not rely on file extensions.
      • Only create the YYTextAttachment if the magic number matches. Reject the attachment otherwise.
    3. Size Limits: Before creating a YYTextAttachment, check the size of the attachment data. Enforce a maximum size before processing.
    4. Content Scanning (Pre-Attachment Creation):
      • Integrate with a malware scanning service.
      • Send the attachment data to the service before creating a YYTextAttachment.
      • Only create the YYTextAttachment if the scan is clean.
    5. Sandboxing (If using YYText's display): If using YYText to display attachments, and you cannot use a separate sandboxed view, be extremely cautious. Consider:
      • Limiting the types of attachments that YYText will render directly.
      • Disabling any interactive features associated with attachments.
    6. Avoid Direct Execution: Never directly execute or open attachments.

  • Threats Mitigated:

    • Remote Code Execution (RCE) (Severity: Critical): Prevents execution of malicious code in attachments.
    • Malware Infection (Severity: Critical): Scanning prevents infection.
    • Denial of Service (DoS) (Severity: High): Size limits prevent DoS.
    • Data Exfiltration (Severity: High): Type validation and sandboxing help.

  • Impact:

    • RCE: Near-complete mitigation (95-99%) if all steps are followed.
    • Malware Infection: Very high reduction (90-95%) with scanning.
    • DoS: High reduction (80-90%).
    • Data Exfiltration: High reduction (70-80%).

  • Currently Implemented: Size limits in AttachmentUploadService, but type validation is based on file extensions only. No scanning or sandboxing.

  • Missing Implementation:

    • Type Validation (Magic Numbers): Completely missing.
    • Malware Scanning: No integration.
    • Sandboxing: Attachments displayed directly in YYText without isolation.

Mitigation Strategy: ReDoS Prevention (for YYText-Related Regexes)

  • Description:

    1. Identify Regular Expressions: List all regular expressions used in conjunction with YYText. This includes:
      • Regexes used for YYText's highlighting features (if you configure them).
      • Regexes you use in your code to process or extract data from YYText content.
    2. ReDoS Analysis: Use a tool like regex101.com (with ReDoS checker) or a library to analyze each regex.
    3. Rewrite Vulnerable Regexes: Rewrite vulnerable regexes to be safer.
    4. Input Length Limits: Set maximum lengths for text input that will be processed by regexes related to YYText. This is crucial before passing the text to YYText or using it in regex operations on YYText content.
    5. Timeouts: Implement timeouts for regex matching when interacting with YYText. Use NSRegularExpression's withTimeout (or equivalent) when working with YYText content.
    6. Testing: Test thoroughly with various inputs.

  • Threats Mitigated:

    • Denial of Service (DoS) (Severity: High): ReDoS attacks can cause unresponsiveness.

  • Impact:

    • DoS: High reduction (80-90%).

  • Currently Implemented: No ReDoS prevention. Regexes are used for highlighting, but not analyzed.

  • Missing Implementation:

    • ReDoS Analysis: No analysis.
    • Regex Rewriting: Not done.
    • Input Length Limits: No limits for text processed by regexes related to YYText.
    • Timeouts: No timeouts.

Mitigation Strategy: Secure Link Handling (within YYText)

  • Description:

    1. URL Validation (Strict, Before YYText):
      • Use URLComponents.
      • Scheme Whitelist: Before creating a YYText link attribute, only allow https://. Reject others.
      • Domain Validation: Validate the domain (whitelist or blacklist). Consider homograph attack detection.
      • Path/Query Validation: If possible, validate.
    2. Link Confirmation (If using YYText's link handling): If you are relying on YYText to handle link taps, consider a confirmation dialog showing the full URL. This is less direct control, but adds a layer of user awareness.
    3. javascript: URL Blocking (Absolute): Before creating a link attribute in YYText, explicitly check for and block javascript:.
    4. Custom Link Handling (Recommended): Instead of relying on YYText's default link handling, implement your own link tap handling using YYTextViewDelegate or YYLabelDelegate. This gives you complete control over what happens when a link is tapped. Within your custom handler:
      • Re-validate the URL.
      • Display a confirmation dialog.
      • Open the URL securely using UIApplication.shared.open.
    5. Noopener/Noreferrer (If using YYText to open in a webview): If, for some reason, you are using YYText to open links in a webview, ensure rel="noopener noreferrer" is set.

  • Threats Mitigated:

    • Cross-Site Scripting (XSS) (Severity: High): Preventing javascript: URLs and validating others.
    • Phishing (Severity: High): Validation and confirmation.
    • Malware Download (Severity: High): Controlling URLs.

  • Impact:

    • XSS: Very high reduction (90-95%).
    • Phishing: High reduction (70-80%).
    • Malware Download: Moderate reduction (50-60%).

  • Currently Implemented: Basic URL validation (checks for http:// or https://), but no domain validation, no confirmation, and javascript: is not blocked.

  • Missing Implementation:

    • Strict Scheme Whitelist: Only https://.
    • Domain Validation: Missing.
    • Link Confirmation: Missing.
    • javascript: URL Blocking: Critically missing.
    • Custom Link Handling: Not implemented; relying on YYText's default.
    • Noopener/Noreferrer: Not used.