Coronium Core security question

Develephant · January 18, 2018, 8:20pm

Hi,

The users module uses MySQL, where as the core.data module is Mongo. There is no access to the users through any of the database methods.

If you wanted to build your own user system, you would want to do that with a custom server-side api. The core.users module should be able to handle most needs though.

I did do another security audit and patched up a few things in the 2.3.1 upgrade/release. At this time there is no way to manipulate any user based data except through the users module.

-dev

Benzeliden · January 18, 2018, 8:57pm

Hello,

I did tests by myself and realized that users module and users table in example have different users.

I interested is it possible to build login via facebook: I imagine I need to get userId and accessToken and post it to custom api. But on server side I need to create my own table (i.e. myCustomUsers) and then I will see no statistic on webmin/#/users

Benzeliden · January 18, 2018, 9:18pm

So finally I deleted my user from coronium using simulator, server address, key and scope:

local params = { db = "coronium", tbl = "cc\_users", where = "1=1" } core.mysql.delete(params, apiListener)

Can I somehow protect my users from deletion?

Develephant · January 18, 2018, 9:20pm

Hi,

That’s no longer possible with the new update: https://forums.coronalabs.com/topic/71527-coronium-core-version-231/

Additionally, it’s your responsibility to keep your server key safe.

-dev

Develephant · January 18, 2018, 9:24pm

Hi,

Also, when creating a user, you can add extra metadata which might be helpful when using Facebook Login.

https://develephant.github.io/coronium-core-docs/client/modules/users/creating/#basic-w-extra

-dev

Develephant · January 18, 2018, 9:35pm

Hi,

Unless you plan on starting with a fresh install of 2.3.1, you’ll need to follow these instructions to update your 2.3.0 install:

https://develephant.github.io/coronium-core-docs/server/updates/#230-to-231

Hope the helps.

-dev

Benzeliden · January 18, 2018, 9:40pm

Thanks, downloading it now

Benzeliden · January 18, 2018, 9:54pm

Hey, probably you want to protect ‘sys’ and ‘mysql’ databases too?

Also I vote for “whitelist” feature: specify whitelist of databases, that could be available from client. It will help to keep data safe

Benzeliden · January 18, 2018, 9:58pm

Sorry for a lot of messages, but you failed my security check again.

local params = { db = "mysql", tbl = "db", where = "1=1; USE coronium; delete from cc\_users;" } core.mysql.select(params, apiListener2)

Develephant · January 18, 2018, 11:07pm

Hi,

Thanks for the additional tests. I will look into a whitelist option and shore up the additional databases.

As it stands, without your source files, someone would have go through quite a lot of trouble just to remove your users.

-dev

Develephant · January 19, 2018, 3:33am

Hi,

This update should suppress client-side injections: https://develephant.github.io/coronium-core-docs/server/updates/#230-to-232

All system databases are now blacklisted. I will be reworking the database permissions in the near future as well.

-dev

Benzeliden · January 19, 2018, 8:20am

Thanks

I would like to have separate db user for client requests. So I will be sure that client can’t drop tables or do other harmful things

Develephant · January 19, 2018, 12:44pm

That is my plan, but I probably won’t get to it until next week.

-dev