Security Checks on Aurora
On this page, I am documenting the various checks that have been put in place on Aurora, in the hope that it may help others find loopholes in the system in future.
For this, we automatically add headers to each response using the .htaccess file. We also escape all `$_POST` and `$_GET` variables in each request; Aurora doesn't use any other HTTP methods.
We don't do an explicit CSRF check but rely on cookie policies to safeguard the user. We set the cookie's `SameSite` attribute to `Lax`, so cross-site requests will not carry session information, which mitigates the risk of CSRF (note that `Lax` still sends the cookie on top-level GET navigations, so state-changing actions must stay on POST). We also mark our cookies as `HttpOnly`, making them inaccessible to JavaScript via `document.cookie`, so that an XSS payload cannot read the session cookie.
Since we started using Docker secrets to store the MySQL credentials, and since users can run arbitrary code on our system, we needed to protect these credentials; otherwise a user could execute a program that dumps environment variables or reads the secret files to obtain them. For this, before executing any user's program, we change the permissions of the files in `/run/secrets` so that they are readable only by the root user.
We run all user-submitted code under an unprivileged account. This helps protect certain sensitive files, such as the ones where all the correct answers are stored. We also limit the maximum number of processes this user can spawn to 100, which protects against fork bombs.
Finally, we run the program for a limited period, after which we kill all processes that might have been spawned by this user, to stop any long-running program.
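The checks above (root-only secrets, an unprivileged account with a process cap, a time limit, then a sweep of leftover processes) strung together in one runner, as an added example that is not Aurora's own code. It assumes the runner is invoked as root, that the sandbox account is named `runner`, that GNU coreutils `timeout(1)` and util-linux `runuser(1)` are available, and that `ulimit -u` is the way the process cap is applied:

```bash
#!/usr/bin/env bash
# Added example (not Aurora's code). Assumes: invoked as root, sandbox account
# "runner", GNU coreutils timeout(1) and util-linux runuser(1) installed.

SANDBOX_USER="${SANDBOX_USER:-runner}"   # assumed name of the unprivileged account
TIME_LIMIT="${TIME_LIMIT:-5}"            # wall-clock seconds a submission may run
PROC_LIMIT=100                           # process cap from the page (fork-bomb guard)

# Make Docker secrets readable only by root before any user code runs.
# Takes the directory as an argument so the function can be exercised on a temp dir.
lock_secrets() {
    local dir="${1:-/run/secrets}"
    [ -d "$dir" ] || return 0
    chmod 700 "$dir" && find "$dir" -type f -exec chmod 600 {} +
}

# Run one submission under the sandbox account with a process cap and a time
# limit, then kill whatever that account left running. Returns the program's
# exit status; GNU timeout reports 124 (TERM) or 137 (KILL) when the limit expired.
run_submission() {
    local prog="$1"; shift
    lock_secrets
    # ulimit -u sets RLIMIT_NPROC, which counts every process of the sandbox uid
    # (assumed method for the page's cap of 100 processes).
    timeout --signal=KILL "$TIME_LIMIT" \
        runuser -u "$SANDBOX_USER" -- \
        bash -c 'ulimit -u '"$PROC_LIMIT"' && exec "$0" "$@"' "$prog" "$@"
    local rc=$?
    pkill -KILL -u "$SANDBOX_USER" 2>/dev/null   # reap forked or backgrounded children
    return "$rc"
}

# Map the exit status to a verdict for the grader.
verdict() {
    case "$1" in
        0)       echo "ok" ;;
        124|137) echo "time-limit" ;;     # timeout(1) expired (TERM / KILL variant)
        *)       echo "runtime-error" ;;
    esac
}
```

Because `pkill -u` runs as root after `timeout` returns, processes that the submission double-forked or reparented to init are still swept up, which a plain kill of the direct child would miss.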
If you feel that I missed out on certain necessary checks, please raise an issue. I will solve it on priority.