Security hardening

[carlosame]

The security and privacy aspects of this project could be improved in several fronts:

1. Enable optional resource limits intended for the processing of untrusted documents.

2. Identify potentially insecure parts of a document, for example resource-intensive selectors or privacy-challenging attribute selectors. This could be achieved while processing the SVG or through external tools (like an improved version of AntiSamy).

3. Migrate to a different security model. The security model currently used by this project is problematic and I'd like to switch to a model closer to CSS4J's model. Done by commit e92d319.

4. Create a SECURITY.md file with security and privacy considerations. Done by e92d319.

[carlosame]

The last two points of this issue were done in e92d319 (shipped in version 0.3).

KeenWrite uses SpotBugs and OWASP, which may also prove useful for EchoSVG.

buildscript {
  repositories {
    mavenCentral()
    maven {
      url "https://plugins.gradle.org/m2/"
    }
  }
  dependencies {
    classpath 'org.owasp:dependency-check-gradle:8.2.1'
    classpath "com.github.spotbugs.snom:spotbugs-gradle-plugin:5.0.14"
  }
}

plugins {
  // ...
  id "com.github.spotbugs" version "5.0.14"
}

spotbugs {
  excludeFilter.set(
      file("${projectDir}/bug-filter.xml")
  )
}

apply plugin: 'org.owasp.dependencycheck'

This allows the build to fail for any issues raised by SpotBugs. Tweaking the bug-filter.xml file provides fine-grained control over what issues to ignore.

<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter>
  <Match>
    <Or>
      <Bug code="EI, EI2" />
    </Or>
  </Match>

  <Match class="com.keenwrite.preview.HighQualityRenderingHints">
    <Method name="initializeRenderingHints" />
    <Bug code="WMI" />
  </Match>

  <Match class="com.keenwrite.processors.HtmlPreviewProcessor">
    <Method name="&lt;init&gt;" />
    <Bug code="ST" />
  </Match>
</FindBugsFilter>

[carlosame]

Thanks for the suggestion, Dave: I just committed the support for the org.owasp.dependencycheck plugin (although @dependabot already provides much of that functionality). However I don't think that I'll do the same with the SpotBugs plugin because it adds a maintenance burden (even for people that may contribute PRs in the future).

I run SpotBugs from the Eclipse IDE and already fixed a number of the issues found by it, but there are still several non-security issues that SpotBugs is reporting. Given that this project already runs a CodeQL scan for every commit (apart from periodic runs), I don't think that adding a SpotBugs task would be worth the effort.

[carlosame]

I can't close tickets; feel free to close.

This is basically a meta-issue about security, I'm keeping it open.