Set up some form of authentication for the Discovery editor #559

Closed
nerik opened this issue Jun 19, 2023 · 5 comments

@nerik
Contributor

nerik commented Jun 19, 2023

The discovery editor, in its current form, is unsafe to be deployed. While it won't make it to production as part of the sandbox, our staging environment is not password protected. And this editor could in theory be used for a code injection based attack.

My hunch is that trying to sanitize the user's input is a fool's errand, so we could decide to either

Of course this relies on this assumption that a limited number of reliable people have access or knowledge of the credentials, and we deem that sufficient as a protection measure.

Thoughts @hanbyul-here @danielfdsilva ?

@nerik
Contributor Author

nerik commented Jun 19, 2023

TBH I'm a little surprised the MDX playground itself is using eval... And allows cross-scripting in theory

nerik self-assigned this Jun 19, 2023

@danielfdsilva
Collaborator

Password protecting staging is easy and we could do it without a problem.

I wonder if the single route protection works given that this is a SPA (no server route request), and not directory based routing.

Nevertheless, I would not be too worried about security at this point. The code will always remain on the client side, so any "malicious" code that the user writes will only affect them. Only once the code gets stored and sent to other users, there's the possibility of arbitrarily executing code.
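The boundary drawn in the comment above (code the user typed themselves versus code that was stored and sent to them) can be enforced in front of the evaluator. This is an added example, not part of the thread or the project's code; the `#src=` share link, the local draft and all function names are assumptions made for illustration.

```javascript
// Added example: every name here is hypothetical, not taken from the project.
// Where the editor's initial content came from.
const Provenance = Object.freeze({
  TYPED: 'typed',   // nothing loaded; the user starts from an empty editor
  DRAFT: 'draft',   // draft saved earlier by this same browser
  SHARED: 'shared', // arrived from outside: link, API, another user's storage
});

// Pick the initial content. `hash` stands in for location.hash and `draft`
// for a locally saved draft (string or null). A "#src=" link is assumed.
function loadEditorState(hash, draft) {
  const match = /^#src=(.*)$/s.exec(hash || '');
  if (match) {
    try {
      return { source: decodeURIComponent(match[1]), provenance: Provenance.SHARED };
    } catch (err) {
      // Malformed escape sequence: keep the shared tag, drop the content.
      return { source: '', provenance: Provenance.SHARED };
    }
  }
  if (typeof draft === 'string') {
    return { source: draft, provenance: Provenance.DRAFT };
  }
  return { source: '', provenance: Provenance.TYPED };
}

// Gate in front of the evaluator. `evaluate` is whatever turns MDX source
// into output; it is injected so the gate can be tested without it.
function renderPreview(state, evaluate, viewerConfirmed = false) {
  const selfAuthored = state.provenance !== Provenance.SHARED;
  if (selfAuthored || viewerConfirmed === true) {
    return { mode: 'evaluated', output: evaluate(state.source) };
  }
  // Someone else's content is shown as inert text and is never evaluated
  // without an explicit decision by the viewer.
  return { mode: 'text-only', output: state.source };
}
```

The tag is set once, where the content enters the page, so a share link takes precedence over a local draft and cannot be relabelled as self-authored later.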

@nerik
Contributor Author

nerik commented Jun 21, 2023

Got it, thanks.

@hanbyul-here
Collaborator

Yeah. It still gives me cold feet that the user can run whatever script, but I can't think of a case where this can be a big security problem as long as the executable code lives only on the client side.

@danielfdsilva
Collaborator

As of current implementation, no security issues with the editor itself and the envs are password protected by Netlify. Closing.
