[Paraview] ParaviewWeb security

Sebastien Jourdain sebastien.jourdain at kitware.com
Mon Aug 15 11:14:57 EDT 2016


Hi Sven,

We do take security seriously.  Several actions have been taken to make the
exposed protocols more secure.
It is true that legacy protocols like ParaViewWebPipelineManager do not
check for code injection. But that protocol is deprecated and will be
removed for the next ParaView release (5.2).

In the current ParaViewWebProxyManager we do check that the user is allowed
to create the given requested proxy.

    @exportRpc("pv.proxy.manager.create")
    def create(self, functionName, parentId):
        """
        Creates a new filter/source proxy as a child of the specified
        parent proxy.  Returns the proxy state for the newly created
        proxy as a JSON object.
        """
        name = self.validate(functionName)

        if not name:
            return { 'success': False,
                     'reason': '"' + functionName + '" was not valid and could not be evaluated' }

        [...]

Regarding access outside of the --data-dir, we are preventing the user
from listing any file outside of that directory:

        if not currentPath.startswith(normBase):
            print "### CAUTION =========================================="
            print " Attempt to get to another root path ###"
            print "  => Requested:", relativeDir
            print "  => BaseDir:", normBase
            print "  => Computed path:", currentPath
            print "### CAUTION =========================================="
            currentPath = normBase

Although, it is true that we are not guarding the "open" function, which is
a mistake, and it will be addressed right away.

Regarding your question, ParaViewWeb tends to be deployed in secured
environments (intranet and/or behind firewalls) but could be deployed on
the internet if specific actions are taken. The authentication should
be delegated to your infrastructure and your infrastructure should be
responsible for launching the ParaView process under the user privilege. Our
Python launcher is provided as an example and for quick demos in a secured
environment but cannot be considered secure. Since we delegate the
launching and the authentication to your infrastructure, you should also
provide a mechanism to share in a secure way the secret key that was used
to launch your application. The goal of that secret key is to prevent any
user that could have guessed your session ID (endpoint URL) from connecting to
your dedicated WebSocket.

Then, after that, we are assuming some kind of user responsibility as we
seem to trust them enough to use server side resources. Especially as they
can still bring down the machine by filling up the memory and/or using all
the CPU via complex geometry/pipeline processing. In which case, it will be
fairly hard to prevent such behavior.

Regarding your last question, we do not provide any commercial alternative
but we provide support which could be used to improve our current Open
source solutions to match your expectations or create new products which
will be your property.

Seb



On Sat, Aug 13, 2016 at 4:53 AM, Sven Kramer <svenkramer40 at gmail.com> wrote:

> I was wondering if ParaviewWeb takes security concerns seriously. Studying
> the server code, I found no measures against access to files outside of the
> specified --data-dir, against XSS or injection of arbitrary code in analogy
> to SQL injection.
>
> Would you consider ParaviewWeb secure when the server is open to anybody
> on the internet, or is its purpose only to be run within intranets behind a
> firewall? Assuming that ParaviewWeb has not undergone any security audits,
> are there any commercial alternatives?
>
> Thank you
> Sven
>
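
Added example (not part of the original message and not ParaView code): the reply shows a string-prefix guard on directory listing and notes that "open" is not yet guarded. The sketch below compares that style of prefix test with a component-wise containment check and applies the same check to open(), which goes beyond the listing case in the post. The function names prefix_check, resolve_inside and guarded_open are hypothetical, and the directory tree is constructed in a temporary folder.

```python
import os
import tempfile


def prefix_check(base, relative):
    """String-prefix test in the style of the listing guard quoted above."""
    norm_base = os.path.normpath(base)
    current = os.path.normpath(os.path.join(norm_base, relative))
    return current.startswith(norm_base)


def resolve_inside(base, relative):
    """Return the real path of `relative` under `base`, or raise ValueError."""
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, relative))
    # commonpath compares whole components, so "<root>/data-private" is not
    # mistaken for a child of "<root>/data"; realpath resolves ".." and symlinks.
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise ValueError("outside data directory: %r" % (relative,))
    return candidate


def guarded_open(base, relative, mode="rb"):
    """Apply the same guard to open() that is applied to directory listing."""
    return open(resolve_inside(base, relative), mode)


def demo():
    """Compare both checks on a constructed tree: data/ and data-private/."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "data")
    os.makedirs(os.path.join(base, "sub"))
    os.makedirs(os.path.join(root, "data-private"))
    with open(os.path.join(base, "sub", "ok.vtk"), "w") as f:
        f.write("constructed sample")
    results = {}
    for rel in ("sub/ok.vtk", "../data-private/x.vtk", "/etc/hostname"):
        try:
            resolve_inside(base, rel)
            strict = True
        except ValueError:
            strict = False
        results[rel] = (prefix_check(base, rel), strict)
    return results


if __name__ == "__main__":
    for rel, (loose, strict) in demo().items():
        print("%-24s prefix=%-5s component=%s" % (rel, loose, strict))
```

Each result pair is (prefix test accepts, component-wise test accepts); the sibling directory whose name merely begins with the base directory's name is the case where the two disagree.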