Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security limitations and issues for TagUI #146

Closed
kensoh opened this issue Apr 28, 2018 · 2 comments
Closed

Security limitations and issues for TagUI #146

kensoh opened this issue Apr 28, 2018 · 2 comments
Labels
feature

Comments

@kensoh
Copy link
Member

kensoh commented Apr 28, 2018

Raising this issue on behalf of user email so that other users can benefit -

Currently, I've been tasked with conducting research on the security limitations/issues for TagUI, I would like to ask if there are any that you know of with regards to the tool.
@kensoh kensoh added the query label Apr 28, 2018
@kensoh
Copy link
Member Author

kensoh commented Apr 28, 2018
edited
Loading

I'll use below architecture diagram for TagUI to elaborate on this topic.

TagUI Flowchart

As TagUI and the foundation it is built on is open-source software, it means users can read the code of TagUI and all its dependencies to check if there is a security flaw or malicious code. This is an advantage compared to using commercial software that is closed-source, as users cannot see what is the code behind the software due to lack of visibility.

For open-source software, users and developers who spot security issues will raise the issues to the maintainers and work towards a fix. For commercial software, other ways such as tracking the http traffic or file system activities have to be deployed to infer on what the software is doing.

Following are links to the source code for TagUI and other open-source dependencies. You can dig through the source code for the other open-source dependencies below, or assume that security issues would have been spotted by users and fixed, as these projects are mature and have large user bases.

Following are more comments specific to TagUI for topic of security.

  • By design, TagUI does not send outgoing http traffic or send outgoing data, other than what the user is automating on, for example visiting a website. However, there is an upload option, when used, TagUI will go to an open-source service Hastebin that allows uploading of information to share via URL. This sends outgoing data of the automation execution log to that website and returns an URL to user so that user can share the output of the automation with his colleagues or friends.

  • TagUI allows running of automation files whether they are stored locally as a file on your laptop or computer, or if the file is an online URL. This means users should be cautious to run automation from online URLs unless they are sure that the online URL is a safe source and not doing something destructive. This can be checked by accessing the URL using a web-browser to see the automation steps performed in the online automation file.

  • TagUI comes with a web service, that can be used to trigger automation flows if TagUI is installed on a web-server. More details in Developers Reference section under API. The design minimizes security risk by not forcing users to turn on exec for their PHP configuration. This means execution of malicious commands cannot be injected through the web-service. Instead, the web-service works by using crontab to periodically check for automation requests. As part of this security review, webservice execution of online flows is now disabled by default so that malicious users cannot trigger an execution of a malicious flow hosted online.

  • TagUI has very powerful features, including the ability to run command line programs, Python code, R code, API calls, and ability to make changes to the local file systems. These features can become security risks if a malicious automation flow file is executed. Imagine TagUI as a tool, such as fire. In evil hands it can be used to do evil things at scale. In good hands, it can be used to solve pain points related to digital processes that are repetitive and huge in volume.

  • As TagUI can replicate what a normal human user can do on the computer, TagUI is restricted and compliant to the same security policies as the normal human user would be subjected to. For example, having to use a hardware token in order to access the laptop, or user password in order to login to the computer. Or having a 2FA hardware token in order to access confidential information from a web or enterprise application.

kensoh added a commit that referenced this issue Apr 28, 2018
@kensoh
#146 - disable webservice execution of online flows
255a8eb 
remove a potential security risk for webservice implementations of TagUI
kensoh added a commit that referenced this issue Apr 28, 2018
@kensoh
#146 - add section on security concerns and features
948247e
@kensoh kensoh closed this as completed Apr 28, 2018
@kensoh kensoh added feature and removed query labels Apr 28, 2018
@kensoh
Copy link
Member Author

kensoh commented Apr 28, 2018

The above security points had been committed to be part of
homepage readme doc - under developers reference -> security

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kensoh