Tiddler Jail
166 views
Skip to first unread message
h0p3
Dec 9, 2018, 3:11:58 AM12/9/18
to TiddlyWiki
Is there an idiomatic way to safely import tiddlers from a stranger into a jail or sandbox in my wiki? Is there a way to automatically quarantine a tiddler (say based upon its tags) so that it has no ability to write to the rest of the wiki or perhaps do anything more programmatic than link and use basic TW markup? If at all, how much more dangerous is this problem for me if I'm running a tool like Bob (which may have access to my command line)?
Jed Carty
Dec 9, 2018, 5:03:39 AM12/9/18
to TiddlyWiki
First to actually answer your question, not really, but it probably isn't as bad as you think. From importing there is almost nothing that a tiddler can do other than change the display properties of your wiki by adding css and view templates. There is plenty you can do with those two things but it isn't the end of the world. And the Bob command line scripts need to be listed explicitly in the settings before they can be used to protect against exactly what you are describing. It isn't perfect but it is in almost all situations good enough.
And now a long winded reply that has a bit more explanation, if you want it.
This doesn't cover things like the TriggerActions plugin I made, which can change the wiki in response to many different changes to the state after it is installed, but that uses a known tag.
We could create a safer import option that detects these tags and changes them, probably by adding a prefix like QUARANTINE- to the start of the tag, which would cover almost all times when an imported tiddler could break the wiki. We probably want to include css into that because you can do some sneaky things with css.
In terms of Bob specifically you bring up a good point. For the secure server version I have online you have to explicitly give access to a logged in person to run scripts and I have it disabled for everyone, but it also needs to have per-wiki controls for the same logged in person so that we can make sandboxed wikis that are at least somewhat protected against malicious code. I am currently working on adding the same sort of access controls to the normal Bob versions so one solution to what you are describing would be to create a new wiki using the imported tiddlers and not giving that wiki any permissions to access the outside world.
It would take a bit of work to do it well but I think that it may be worth while task. The server images plugin I made already intercepts imported tiddlers and changes them so it wouldn't be a terribly large task to have it check the tags on the imported tiddlers against a list of potential problems and then modify them to be inert, but we would have to be careful to catch all of the tags and there may be other ways to cause trouble.
h0p3
Dec 9, 2018, 7:51:19 PM12/9/18
to tiddl...@googlegroups.com
I am always happy to hear from you, Jed. Even though I've spent a lot of time in my wiki, I'm still basically just a beginner. You are one of the gurus here that I am fortunate enough to have the chance to learn from. Thank you for such a solid answer (and I will gratefully take every scrap of knowledge you are willing to offer).
I have officially migrated to Bob today! I'm still pumping out them single files, but I'm loving this luxury (when I'm not broke as fuck, I will be donating, sir; it seems likely to me that your software is the future of developing TW, imho).
I do not intend to import from the wiki but from outside because Bob makes that a pleasant experience. I was thinking about writing a sanitization tool to strip (among other things) unacceptable tag, fields, CSS, and buttons before pushing .tid files into the tiddler directory, although I'm not sure what I will actually need to strip out for CSS. But, from the sounds of it, Bob's server images plugin may be a better tool.
I serve my wiki as a static index html file, and I aim to keep it that way. I intend to enable extended family, friends, and perhaps even strangers to safely write into my wiki (and to enable me to write in theirs if they so choose) through some kind of P2P or Federated network (resilio sync, dat, IPFS, and tox are my primary contenders right now [why not all?]), but I may also scrape singlefile wikis. I'm still not sure how I want to do it, especially since I'm brand new to Bob (it appears there are many ways to do this using Bob, and I may not have the best one). This is the fuzzy idea so far. TWederation based on something like DHT (where the key rather than control of a domain name) is what I'm shooting for. Again, Bob looks like the way forward, even though I clearly have no idea what I'm doing.
I have officially migrated to Bob today! I'm still pumping out them single files, but I'm loving this luxury (when I'm not broke as fuck, I will be donating, sir; it seems likely to me that your software is the future of developing TW, imho).
I do not intend to import from the wiki but from outside because Bob makes that a pleasant experience. I was thinking about writing a sanitization tool to strip (among other things) unacceptable tag, fields, CSS, and buttons before pushing .tid files into the tiddler directory, although I'm not sure what I will actually need to strip out for CSS. But, from the sounds of it, Bob's server images plugin may be a better tool.
I serve my wiki as a static index html file, and I aim to keep it that way. I intend to enable extended family, friends, and perhaps even strangers to safely write into my wiki (and to enable me to write in theirs if they so choose) through some kind of P2P or Federated network (resilio sync, dat, IPFS, and tox are my primary contenders right now [why not all?]), but I may also scrape singlefile wikis. I'm still not sure how I want to do it, especially since I'm brand new to Bob (it appears there are many ways to do this using Bob, and I may not have the best one). This is the fuzzy idea so far. TWederation based on something like DHT (where the key rather than control of a domain name) is what I'm shooting for. Again, Bob looks like the way forward, even though I clearly have no idea what I'm doing.
Jeremy Ruston
Dec 10, 2018, 4:51:02 AM12/10/18
to tiddl...@googlegroups.com
Hi h0p3
> Is there an idiomatic way to safely import tiddlers from a stranger into a jail or sandbox in my wiki?
I've used a combination of techniques:
* Add a prefix to each title to ensure that tiddlers cannot overwrite core tiddlers. The prefix should also include an identifier for the import operation (e.g. `$:/imports/20181207235473/`)
* Add a prefix to all tags (e.g. `$:/safetag/`)
* Rename any `module-type` fields to `original-module-type`
* Rename any `plugin-type` fields to `original-plugin-type`
The precise steps you'll need to take will depend on the design of your wiki. In particular, you need to consider whether any filters you're using to select tiddlers might also pull in such imported tiddlers.
Best wishes
Jeremy
--
I am always a joy to hear from you, Jed. Even though I've spent a lot of time in my wiki, I'm still basically just a beginner. You are one of the gurus here that I am fortunate enough to have the chance to learn from. Thank you for such a solid answer (and I will gratefully take every scrap of knowledge you are willing to offer).
I have officially migrated to Bob today! I'm still pumping out them single files, but I'm loving this luxury (when I'm not broke as fuck, I will be donating, sir; it seems likely to me that your software is the future of developing TW, imho).
I do not intend to import from the wiki but from outside because Bob makes that a pleasant experience. I was thinking about writing a sanitization tool to strip (among other things) unacceptable tag, fields, CSS, and buttons before pushing .tid files into the tiddler directory, although I'm not sure what I will actually need to strip out for CSS. But, from the sounds of it, Bob's server images plugin may be a better tool.
I serve my wiki as a static index html file, and I aim to keep it that way. I intend to enable extended family, friends, and perhaps even strangers to safely write into my wiki (and to enable me to write in theirs if they so choose) through some kind of P2P or Federated network (resilio sync, dat, IPFS, and tox are my primary contenders right now [why not all?]), but I may also scrape singlefile wikis. I'm still not sure how I want to do it, especially since I'm brand new to Bob (it appears there are many ways to do this using Bob, and I may not have the best one). This is the fuzzy idea so far. TWederation based on something like DHT (where the key rather than control of a domain name) is what I'm shooting for. Again, Bob looks like the way forward, even though I clearly have no idea what I'm doing.
--
You received this message because you are subscribed to the Google Groups "TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tiddlywiki+...@googlegroups.com.
To post to this group, send email to tiddl...@googlegroups.com.
Visit this group at https://groups.google.com/group/tiddlywiki.
To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/3d497a41-50f4-4650-a14b-e1a6c6b82257%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
h0p3
Dec 10, 2018, 10:04:45 AM12/10/18
to TiddlyWiki
Awesome. Thank you! I'll need to think about the filtering issue. I do not know, but perhaps I will need to develop safer and more stringent filtering practices. The responsibility to safely import ultimately rests upon me, I realize.
Reply all
Reply to author
Forward
0 new messages