Today’s story is about security. At work, one of our big construction sites is moving old SOAP webservices to modern RESTful webservices. One of these webservices’ job is to generate a personalized PDF for a user based on the id of their banking operation. Doing this was not trivial considering our architecture, but it was rather fun, and it came with extra fun because developers are left alone to decide how to do things, with no site manager to supervise how the building is going to go. No plan, just build it. Developers are expected to be their own architects. So developers are also expected to communicate with each other on how they’re going to do things. Sometimes it leads to funny situations.
This is why software can be very fun sometimes: it looks like a big construction site where everyone is building their thing the way they want, and then people come after them examining, taking notes, and observing like savants: “hmmm… we see them doing that a lot, maybe we could create a blueprint for that, like some kind of framework, you know”. I always have this impression that the blueprint comes after the building; it’s very weird. Anyway, so that you can enjoy the fun of my story, here is the architecture I worked with today:
I am the PHP block, and the Java block is where the REST webservices… rest (what?). When the Java guys are done with their developments they deliver them to me and I plug my API into theirs. And today they had finished the PDF webservice, but I realized that anyone could request the PDF of anyone else: there was no session check that the requested id belongs to the user asking for it. So I said to the Java guy, “Hey, could you check that they can only view their own PDF, because I don’t have any way to do that control on my side?” This started what we could have played on a stage:
First, on the chat:
Java guy : But how can they get the id of someone else? They can only get their own id on the website.
Me : Yes, but it’s just a security measure.
Java guy : Yes, but I don’t understand where he would get the id of someone else.
Me : It’s just a safety measure. Anyone can get the pdf of anyone now. Don’t you see the problem here? (Dude, where’s your paranoia?)
Then he came over to my desk:
Java guy : But… hum… the private URL is not accessible, how can they ask for the PDF of someone else?
Me : Because! They just need the id to make the request; my URL is public, they don’t need your URL.
Java guy : Yes. But…the private url is not accessible from outside, how can they make the request?
I got up and moved to the architect’s desk, dragging the Java guy with me, because I was out of arguments and patience (yes, we do still have an architect, but he is more of an advisor/mediator to consult in exactly these situations):
Java guy to Architect : Yes. But…the private url is not accessible from outside, how can they make the request?
Architect : They can make the request from the web! Imagine he changes the id in the form, just from the id pattern. Or no matter how he generates it. Yes, there is a problem.
Java guy : …but the private url is not accessible !!!!
Me : but they don’t need your url !!!!
Architect : We don’t care about your url.
Several repetitions of the same thing later:
Java guy : Ok I will check the session for you.
Me : Hmmrgh. Thanks. (“For me”, grmphh).
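To make the point of the whole argument concrete, here is an added example (my own illustration, not code from our PHP or Java side): a PDF endpoint that trusts the operation id in the request, beside the same endpoint with the session check the Java guy finally agreed to add. The function names, the `$session` array and the small operations table are all assumptions standing in for the real session store, database and PDF generator.

```php
<?php
// Added example, not the application's own code. It models the PDF endpoint from
// the story: the request carries a banking-operation id, and the server must check
// that the operation belongs to the logged-in user before returning the PDF.
// fetchOperation, renderPdf, the handlers and the OPERATIONS table are assumptions.

declare(strict_types=1);

// Constructed sample data: operation id => owner (the user id stored in the session).
const OPERATIONS = [
    1001 => 'alice',
    1002 => 'alice',
    2001 => 'bob',
];

/** Look up an operation by id; null when it does not exist. Stands in for the DB / REST call. */
function fetchOperation(int $operationId): ?array
{
    if (!isset(OPERATIONS[$operationId])) {
        return null;
    }
    return ['id' => $operationId, 'owner' => OPERATIONS[$operationId]];
}

/** Stands in for the real PDF generation. */
function renderPdf(array $operation): string
{
    return "PDF for operation {$operation['id']}";
}

/**
 * The version I found: any request with an existing id gets the PDF back.
 * The id is the only thing the caller needs, which is exactly the problem.
 */
function pdfHandlerVulnerable(array $session, int $operationId): array
{
    $op = fetchOperation($operationId);
    if ($op === null) {
        return ['status' => 404, 'body' => 'not found'];
    }
    return ['status' => 200, 'body' => renderPdf($op)];
}

/**
 * The checked version: the caller must be logged in, and the owner recorded on
 * the operation must match the user held in the server-side session. The id
 * coming from the request is never trusted on its own.
 */
function pdfHandlerChecked(array $session, int $operationId): array
{
    if (empty($session['user_id']) || !is_string($session['user_id'])) {
        return ['status' => 401, 'body' => 'login required'];
    }
    $op = fetchOperation($operationId);
    // Same answer for "does not exist" and "not yours", so the response does not
    // reveal which ids exist.
    if ($op === null || !hash_equals($op['owner'], $session['user_id'])) {
        return ['status' => 404, 'body' => 'not found'];
    }
    return ['status' => 200, 'body' => renderPdf($op)];
}

// Demonstration: bob is logged in and asks for one of alice's operations,
// then for one of his own.
$bobSession = ['user_id' => 'bob'];
echo "vulnerable, alice's id: ", pdfHandlerVulnerable($bobSession, 1001)['status'], PHP_EOL;
echo "checked, alice's id:    ", pdfHandlerChecked($bobSession, 1001)['status'], PHP_EOL;
echo "checked, bob's own id:  ", pdfHandlerChecked($bobSession, 2001)['status'], PHP_EOL;
```

The only input the first handler validates is "does this id exist", which is why the private URL never mattered: the public endpoint forwards whatever id it is given. The second handler ties the decision to the session the server itself created, and keeps the "not yours" and "not found" responses identical so that nothing in the reply helps someone map out other people's ids.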
Oh my goodness! Yes, I need to work a bit on my diplomacy skills. I thought being community-friendly was enough, but sometimes I don’t get those Java guys. It’s not the first time that one of them tells me blatantly, “But where would they get someone else’s id?” or “It’s not normal if he gets someone else’s id, why should we bother?” And I can’t just go to them and say “Security, man!” They are the majority (the application is 70% Java), so I can point out problems, but in the end it’s their decision; the Architect is the only one who can really make the call. I guess they’re just not as paranoid as me.
I have had so many session problems that I know security leaks can come from anywhere, and they will never show up in a normal use-case scenario: you have GOT to imagine them, be scared, and make plans to avoid whatever you imagined that doesn’t exist (yet).
You have got to be paranoid!