Security concerns with z3-js boxes

[rlisahuang]

Now that we eval every z3-js snippet, the door to potential security attacks is opened.

A possible scenario I could think of is that someone forks this repo, changes some z3-js content to be malicious, and hosts it on a public github page. Visitors of that page could have their information stolen through such malicious content.

Pretty sure the official docusaurus website has some mechanism against it as there are executable and editable JS blocks too.

TODO:

• look into sandboxing / sanity checks that the built-in editor might provide.

[rlisahuang]

My understanding of the issue after speaking with a security researcher:

• The scenario mentioned above is a phishing attack, which is beyond our control and it is the browser that should ensure such attacks will not go through. So from our end there is no workaround for that.

• All our editors are read-only when first loaded. An editor only becomes editable after the user clicks Run to see the output of the input that comes with it. Therefore, modifications of code snippets can only be authored by the user themselves, not by us or any third-party. So we should be safe with this set up.

• If we are considering content sharing in the future, we should NOT do so through URLs embedded with code, e.g., "Check out the Z3-JS code I wrote: https://microsoft.github.io/z3guide/playground?code=I_will_ruin_your_life".

• We do have a threat model to be concerned about, related with any vulnerability comes with the z3-solver package. Users could be tricked into running z3-js code they do not understand that exploits the vulnerability to exfiltrate or manipulate data from the origin, i.e., microsoft.github.io.

  • However, this is also beyond our control.

• We are pretty safe already, but we can still be extra safe by doing the following:

  • Adding CSP to prevent XSS attacks
  • put the backend process that runs z3-js in an invisible iframe.

[pelikhan]

If you enable code sharing, you'll expose yourself to execute malicious javascript on microsoft.github.io domain