Posted to notifications@skywalking.apache.org by GitBox <gi...@apache.org> on 2022/10/07 16:54:42 UTC

[GitHub] [skywalking-client-js] raboof commented on a diff in pull request #97: Add Security Notice

raboof commented on code in PR #97:
URL: https://github.com/apache/skywalking-client-js/pull/97#discussion_r990296243


##########
README.md:
##########
@@ -180,6 +180,23 @@ Vue.config.errorHandler = (error) => {
 }
 ```
 
+# Security Notice
+SkyWalking client-js agent would be deployed and running out of your datacenter. So, end users should notice the security issues.
+There are various kinds of telemetry relative data would be reported to backend separately or through your original HTTP requests.
+
+For HTTP requests, in order to implement **distributed tracing from the browser**, `sw8` HTTP header is going to be added 
+according to [Cross Process Propagation Headers Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/skywalking-cross-process-propagation-headers-protocol-v3/). 
+Meanwhile, client-js would report spans and browser telemetry data through [Trace Data Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/trace-data-protocol-v3/) and 
+[Browser Protocol](https://skywalking.apache.org/docs/main/next/en/protocols/browser-protocol/).
+
+For both cases, all of these data are reported from un-secured environment, users should at least
+1. Don't expose OAP server to the internet directly.
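Review bot: the first list item says what not to do but not what to do instead, so an operator reading it has no target configuration; suggest `1. Don't expose the OAP server to the internet directly; place it behind a reverse proxy or gateway that forwards only the browser-reporting endpoint.`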

Review Comment:
   ```suggestion
   1. Not expose OAP server to the internet directly.
   ```



##########
README.md:
##########
@@ -180,6 +180,23 @@ Vue.config.errorHandler = (error) => {
 }
 ```
 
+# Security Notice
+SkyWalking client-js agent would be deployed and running out of your datacenter. So, end users should notice the security issues.
+There are various kinds of telemetry relative data would be reported to backend separately or through your original HTTP requests.
+
+For HTTP requests, in order to implement **distributed tracing from the browser**, `sw8` HTTP header is going to be added 
+according to [Cross Process Propagation Headers Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/skywalking-cross-process-propagation-headers-protocol-v3/). 
+Meanwhile, client-js would report spans and browser telemetry data through [Trace Data Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/trace-data-protocol-v3/) and 
+[Browser Protocol](https://skywalking.apache.org/docs/main/next/en/protocols/browser-protocol/).
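Review bot: the paragraph about the `sw8` header is missing an operational detail that operators will hit immediately: `sw8` is a custom request header, so for cross-origin requests the browser sends a CORS preflight and blocks the request unless the receiving service lists `sw8` in `Access-Control-Allow-Headers`. A one-line note here would save a debugging session. Also `telemetry relative data would be reported` should read `telemetry-related data is reported`.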

Review Comment:
   ```suggestion
   In order to implement **distributed tracing from the browser**, an HTTP header with the name `sw8` will be added to HTTP requests
   according to [Cross Process Propagation Headers Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/skywalking-cross-process-propagation-headers-protocol-v3/). 
   `client-js` will also report spans and browser telemetry data through [Trace Data Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/trace-data-protocol-v3/) and 
   [Browser Protocol](https://skywalking.apache.org/docs/main/next/en/protocols/browser-protocol/).
   ```



##########
README.md:
##########
@@ -180,6 +180,23 @@ Vue.config.errorHandler = (error) => {
 }
 ```
 
+# Security Notice
+SkyWalking client-js agent would be deployed and running out of your datacenter. So, end users should notice the security issues.
+There are various kinds of telemetry relative data would be reported to backend separately or through your original HTTP requests.
+
+For HTTP requests, in order to implement **distributed tracing from the browser**, `sw8` HTTP header is going to be added 
+according to [Cross Process Propagation Headers Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/skywalking-cross-process-propagation-headers-protocol-v3/). 
+Meanwhile, client-js would report spans and browser telemetry data through [Trace Data Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/trace-data-protocol-v3/) and 
+[Browser Protocol](https://skywalking.apache.org/docs/main/next/en/protocols/browser-protocol/).
+
+For both cases, all of these data are reported from un-secured environment, users should at least
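Review bot: `For both cases` is ambiguous, since the previous paragraph names one header and two reporting protocols; say explicitly which two channels are meant and where the data originates, e.g. `In both cases (the sw8 header and the directly reported spans/telemetry) the data originates in the end user's browser, an environment you do not control, so users should at least:`. The line also needs a colon before the list that follows it.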

Review Comment:
   ```suggestion
   Because all of this data is reported from an unsecured environment, users should make sure to:
   ```



##########
README.md:
##########
@@ -180,6 +180,23 @@ Vue.config.errorHandler = (error) => {
 }
 ```
 
+# Security Notice
+SkyWalking client-js agent would be deployed and running out of your datacenter. So, end users should notice the security issues.
+There are various kinds of telemetry relative data would be reported to backend separately or through your original HTTP requests.
+
+For HTTP requests, in order to implement **distributed tracing from the browser**, `sw8` HTTP header is going to be added 
+according to [Cross Process Propagation Headers Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/skywalking-cross-process-propagation-headers-protocol-v3/). 
+Meanwhile, client-js would report spans and browser telemetry data through [Trace Data Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/trace-data-protocol-v3/) and 
+[Browser Protocol](https://skywalking.apache.org/docs/main/next/en/protocols/browser-protocol/).
+
+For both cases, all of these data are reported from un-secured environment, users should at least
+1. Don't expose OAP server to the internet directly.
+1. Set up TLS/HTTPs between browser and OAP server.
+1. Set up authentification(such as TOKEN based) for client-js reporting.
+1. Verify all fields in the HTTP headers and telemetry data mentioned above in case of malicious data. Attacker could embed executable Javascript in those fields, which could cause XSS or Remote Code Execution (RCE) issues.
+
+Please consult your security team before bringing this into your product env. Don't expose those OAP server IP/port(s) and URI without security audit.
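Review bot: item 3 should state the limitation of token-based authentication in this setting: any token configured into client-js is shipped to every visitor's browser and is therefore public, so it can only separate configured sites from stray traffic, not authenticate the sender. Suggest `1. Set up authentication (such as token based) for client-js reporting, keeping in mind that a token embedded in the page is visible to anyone who loads it.` Also `TLS/HTTPs` should read `TLS/HTTPS` and `authentification` should read `authentication`.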

Review Comment:
   ```suggestion
   Please consult your security team before introducing this feature in your production environment. Don't expose the OAP server's IP/port(s) and URI without a security audit.
   ```



##########
README.md:
##########
@@ -180,6 +180,23 @@ Vue.config.errorHandler = (error) => {
 }
 ```
 
+# Security Notice
+SkyWalking client-js agent would be deployed and running out of your datacenter. So, end users should notice the security issues.
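Review bot: `end users` is the wrong audience here; the people who need to act on this notice are the operators deploying the agent, while `end users` normally means the site's visitors whose browsers run it. Suggest `The SkyWalking client-js agent is deployed and runs outside of your datacenter, so operators introducing it should be aware of the security implications.`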

Review Comment:
   ```suggestion
   The SkyWalking client-js agent would be deployed and running outside of your datacenter. This means when you introduce this component you should be aware of the security implications.
   ```



##########
README.md:
##########
@@ -180,6 +180,23 @@ Vue.config.errorHandler = (error) => {
 }
 ```
 
+# Security Notice
+SkyWalking client-js agent would be deployed and running out of your datacenter. So, end users should notice the security issues.
+There are various kinds of telemetry relative data would be reported to backend separately or through your original HTTP requests.
+
+For HTTP requests, in order to implement **distributed tracing from the browser**, `sw8` HTTP header is going to be added 
+according to [Cross Process Propagation Headers Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/skywalking-cross-process-propagation-headers-protocol-v3/). 
+Meanwhile, client-js would report spans and browser telemetry data through [Trace Data Protocol v3](https://skywalking.apache.org/docs/main/next/en/protocols/trace-data-protocol-v3/) and 
+[Browser Protocol](https://skywalking.apache.org/docs/main/next/en/protocols/browser-protocol/).
+
+For both cases, all of these data are reported from un-secured environment, users should at least
+1. Don't expose OAP server to the internet directly.
+1. Set up TLS/HTTPs between browser and OAP server.
+1. Set up authentification(such as TOKEN based) for client-js reporting.
+1. Verify all fields in the HTTP headers and telemetry data mentioned above in case of malicious data. Attacker could embed executable Javascript in those fields, which could cause XSS or Remote Code Execution (RCE) issues.
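Review bot: item 4 does not say where the validation has to happen; since the agent runs in the browser it cannot be trusted to sanitise its own reports, so the check belongs in the OAP receiver and the UI must encode those fields on output. Suggest `1. Validate all fields in the HTTP headers and telemetry data mentioned above on the OAP side, and encode them on output in the UI, since an attacker could embed executable JavaScript in those fields and cause XSS or Remote Code Execution (RCE) issues.`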

Review Comment:
   ```suggestion
   1. Validate all fields in the body of the HTTP headers and telemetry data mentioned above to detect and reject malicious data. Without such protections, an attacker could embed executable Javascript code in those fields, causing XSS or even Remote Code Execution (RCE) issues.
   ```


