Security implications of loading custom reports

John Ralls jralls at ceridwen.us
Fri Oct 24 11:18:25 EDT 2014


> On Oct 24, 2014, at 7:29 AM, Derek Atkins <warlord at MIT.EDU> wrote:
> 
> John Ralls <jralls at ceridwen.us> writes:
> 
>> On Oct 23, 2014, at 9:25 AM, Derek Atkins <warlord at MIT.EDU> wrote:
>> 
>>> John Ralls <jralls at ceridwen.us> writes:
>>> 
>>>>> I'm not sure this is possible in guile only. A report is written as
>>>>> a guile module. Loading the module already executes code
>>>>> (gnc:define-report). That code can be abused to do bad things when
>>>>> loading a custom report.
>>>> 
>>>> Wow. That’s an incredible failure for something that’s promoted as an
>>>> application scripting language.
>>> 
>>> I'm not sure that people care about security when you're modifying your
>>> own application.  Similarly, emacs' e-lisp lets you get into pretty much
>>> any part of the application.  That's not considered a failure, either.
>>> It's a feature.
>>> 
>>> We could limit the "damage" by limiting which APIs are available.  But
>>> it's a turing-complete language so you could do anything.
>>> 
>>> I just don't see the reason to rework all this.  What's the threat
>>> you're trying to prevent (other than "broken report crashes the app --
>>> which we should fix by catching the exception).
>>> 
>> 
>> The threat is someone malicious installing a script either by phishing
>> the user or by gaining access to the user’s machine. Such a malicious
>> script wouldn’t be limited to crashing GnuCash: It can do anything any
>> program can do.
> 
> If someone breaks into your system in order to install a script they
> could do much worse than installing some bogus scheme in gnucash.  I
> just don't see this threat as serious.  It's more likely someone would
> install a browser plugin to upload all key-presses.

No one need break into your system. Simply promoting a "cool report" for download on the user list would be sufficient.

Roger, there are broader attacks possible, but most of the obvious targets like browsers are making it harder, so the bad guys will be looking for less obvious targets.

Regards,
John Ralls
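Derek's suggestion above, limiting which APIs a report can reach, is what Guile's own sandbox module provides; the following is an added example, not GnuCash code or anything posted in this thread, and assumes Guile 2.2 or later with (ice-9 sandbox) available. The report forms are constructed stand-ins, not a real GnuCash report.

```scheme
;; Added example, not from GnuCash or this thread. Assumes Guile >= 2.2,
;; whose (ice-9 sandbox) module provides eval-in-sandbox and
;; all-pure-bindings.
(use-modules (ice-9 sandbox))

;; Constructed stand-in for the top-level forms of a "cool report" file.
;; The first is the kind of code that runs merely by loading the module;
;; the second reaches for a file-system procedure a report never needs.
(define untrusted-report-forms
  '((define (report-title) (string-append "Cool " "report"))
    (open-output-file "/tmp/owned")))

;; Evaluate each top-level form with only pure bindings visible
;; (strings, lists, arithmetic, ...), so file, process and network
;; procedures are simply unbound, and with CPU time and heap limits
;; so a runaway form cannot hang or exhaust the host.
(define (load-report-restricted forms)
  (map (lambda (form)
         (catch #t
           (lambda ()
             (list 'ok
                   (eval-in-sandbox form
                                    #:bindings all-pure-bindings
                                    #:time-limit 1          ; seconds
                                    #:allocation-limit 10000000)))
           ;; Any form that touches a binding outside the allowed set,
           ;; or exceeds a limit, raises here instead of running.
           (lambda (key . args)
             (list 'rejected key))))
       forms))

;; Each form is evaluated in its own severed sandbox module, so a
;; define in one form is not visible to the next; a real loader would
;; pass #:sever-module? #f and a shared module to keep report state.
(load-report-restricted untrusted-report-forms)
```

The result is a list with an 'ok entry for the pure form and a 'rejected entry for the form that tried to open a file; wrapping the catch is also the fix Derek mentions for a broken report crashing the application rather than being reported as an error.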