<div dir="ltr">Hi Sven,<div><br></div><div>We do take security seriously. Several actions have been made to make the exposed protocols more secured.</div><div>It is true, that legacy protocol like ParaViewWebPipelineManager does not check for code injection. But that protocol is deprecated and will be removed for the next ParaView release (5.2).</div><div><br></div><div>In the current ParaViewWebProxyManager we do check that the user is allowed to create the given requested proxy.</div><div><br></div><div><div>@exportRpc("pv.proxy.manager.create")</div><div> def create(self, functionName, parentId):</div><div> """</div><div> Creates a new filter/source proxy as a child of the specified</div><div> parent proxy. Returns the proxy state for the newly created</div><div> proxy as a JSON object.</div><div> """</div><div> name = self.validate(functionName)</div><div><br></div><div> if not name:</div><div> return { 'success': False,</div><div> 'reason': '"' + functionName + '" was not valid and could not be evaluated' }</div></div><div><br></div><div> [...]</div><div><br></div><div>Regarding the access outside of the --data-dir we are preventing the user from listing any file outside of that directory</div><div><br></div><div><div> if not currentPath.startswith(normBase):</div><div> print "### CAUTION =========================================="</div><div> print " Attempt to get to another root path ###"</div><div> print " => Requested:", relativeDir</div><div> print " => BaseDir:", normBase</div><div> print " => Computed path:", currentPath</div><div> print "### CAUTION =========================================="</div><div> currentPath = normBase</div></div><div><br></div><div>Although, it is true that we are not guarding the "open" function which is a mistake and it will be address right away.</div><div><br></div><div>Regarding your question, ParaViewWeb tend to be deployed on secured environments (intranet and/or behind firewalls) but could be deployed on the internet if specific actions are taking care. The authentication should be delegated to your infrastructure and your infrastructure should be responsible of launching the ParaView process under the user privilege. Our Python launcher is provided as an example and for quick demos in a secured environment but can not be considered secured. Since we delegate the launching and the authentication to your infrastructure, you should also provide a mechanism to share in a secure way the secret key that was used to launch your application. The goal of that secret key is to prevent any user that could have guessed your session ID (endpoint URL) to connect to your dedicated WebSocket.</div><div><br></div><div>Then, after that, we are assuming some kind of user responsibility as we seems to trust them enough to use server side resources. Specially as they can still bring down the machine by filling up the memory and/or using all the CPU via complex geometry/pipeline processing. In which case, it will be fairly hard to prevent such behavior.</div><div><br></div><div>Regarding your last question, we do not provide any commercial alternative but we provide support which could be used to improve our current Open source solutions to match your expectations or create new products which will be your property.</div><div><br></div><div>Seb </div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Aug 13, 2016 at 4:53 AM, Sven Kramer <span dir="ltr"><<a href="mailto:svenkramer40@gmail.com" target="_blank">svenkramer40@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>I was wondering, if ParaviewWeb takes security concerns serious. Studying the server code, I found no measures against access to files outside of the specified --data-dir, against XSS or injection of arbitrary code in analogy to SQL injection.<br><br></div>Would you consider ParaviewWeb secure when the server is open to anybody in the internet, or is its purpose only to be run within intranets behind a firewall? Assuming that ParaviewWeb has not undergone any security audits, are there any commercial alternatives?<br><br></div>Thank you<span class="HOEnZb"><font color="#888888"><br></font></span></div><span class="HOEnZb"><font color="#888888">Sven<br></font></span></div>
<br>______________________________<wbr>_________________<br>
Powered by <a href="http://www.kitware.com" rel="noreferrer" target="_blank">www.kitware.com</a><br>
<br>
Visit other Kitware open-source projects at <a href="http://www.kitware.com/opensource/opensource.html" rel="noreferrer" target="_blank">http://www.kitware.com/<wbr>opensource/opensource.html</a><br>
<br>
Please keep messages on-topic and check the ParaView Wiki at: <a href="http://paraview.org/Wiki/ParaView" rel="noreferrer" target="_blank">http://paraview.org/Wiki/<wbr>ParaView</a><br>
<br>
Search the list archives at: <a href="http://markmail.org/search/?q=ParaView" rel="noreferrer" target="_blank">http://markmail.org/search/?q=<wbr>ParaView</a><br>
<br>
Follow this link to subscribe/unsubscribe:<br>
<a href="http://public.kitware.com/mailman/listinfo/paraview" rel="noreferrer" target="_blank">http://public.kitware.com/<wbr>mailman/listinfo/paraview</a><br>
<br></blockquote></div><br></div>