Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update security best practices document #100814
Update security best practices document #100814
Changes from 1 commit
03c9bb8
3a91cbc
054518c
6cc48ac
1872fb2
2a5ae39
27349a7
e4213bd
b44c13c
9a4901f
195b5bc
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought about including a section on threats here at the top (such as this), but it felt like that might be a bit too much info for our audience, who are mostly not security experts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see the text "RCE" is the linked pages.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah this one is a bit confusing. Colloquially we lump "Command injection" and "Code injection" together, referring to these types of attacks as "RCE". But OWASP doesn't have an RCE page.
I tried to imply this equivalency below where I stated:
Do you think there's a better / more clear way I could word this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: I'm applying this change but I am intentionally leaving out the extra "the". It will read:
At a minimum, implement a deny-list that prevents
__proto__
andprototype.constructor
from being used within object keys/values.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The sentence needs some tweaks, but not sure about the edit.
Is the last sentence about the Code app necessary?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the tweaks are good.
As to the last sentence: I like that we have an example for this, and I think it's very useful because this is a complex topic that doesn't have much industry standard literature (such as an OWASP page). However, I wanted to also communicate that Kibana is not vulnerable, which is why I called it the "defunct" Code app.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Everything else here is a class of attacks, but Information Disclosure is a generic threat. I opted to leave this here as I think it's a good concern for folks to keep top-of-mind.