Contributing to Sliver GUI

General

  • Contributions to core code must be GPLv3 (but not libraries)
  • If you'd like to work on a feature, please open a ticket and assign it to yourself
  • Changes should be made in a new branch
  • Please sign commits for any PR to master
  • Please provide meaningful commit messages
  • Ensure code passes existing unit tests, or provide updated test(s)
  • Please use TypeScript types whenever possible.
  • Try to keep PRs succinct to one feature/change/fix

Security

Electron is a security minefield; please adhere to the following guidelines:

  • Never use eval(), .innerHTML, BypassSecurityTrustHtml(), or any other dangerous (e.g. string concatenation / string interpolation) methods when interacting with the DOM.
  • Never enable an unsafe- directive for an active content source in the Content-Security-Policy (the only exception is style-src, which has inline enabled because Angular needs it).
  • Never modify the default-src; it should always be set to none for any window or web context.
  • Never trust IPC messages originating from the renderer (i.e., the sandbox); all messages must be validated using JSON Schema in addition to any parameter-specific validation.
  • Never trust the user, applied in a common-sense way.
  • Never enable NodeIntegration in any window or web context; you MUST call native code via the IPC interface (including web workers, etc.).
  • Avoid expanding the Content-Security-Policy
  • Secure by default: please ensure any contributed code follows this methodology to the best of your ability. It should be difficult to insecurely configure features/servers.
    • It is better to fail securely than operate in an insecure manner.
  • Avoid incorporating user-controlled values when constructing file/directory paths. Ensure any values that must be incorporated into paths are properly canonicalized.
  • Never use homegrown or non-peer-reviewed encryption or random number generation algorithms.
  • Whenever possible, use the following algorithms/encryption modes:
    • AES-GCM-256
    • ED25519
    • SHA2-256 / HMAC-SHA2-256 or higher (e.g. SHA2-384)
    • ChaCha20Poly1305
  • Never use the following in a security context, and avoid use even in a non-security context:
    • MD5
    • SHA1
    • AES-ECB
    • AES-CBC, AES-CTR, etc. without use case justification
  • math.rand should never be used to generate values related to a security context.
  • Always apply the most restrictive file permissions possible.
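
One way to apply the path guideline above in the main process, failing securely when a value cannot be confined to its directory. This is an added example, not code from Sliver GUI: `resolveInside`, `exists`, `demo` and the sample inputs are hypothetical, and it is plain JavaScript on Node's standard library so it runs without a build step.

```javascript
// Added example: resolveInside() and the sample inputs are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// lstat does not follow the final symlink, so dangling links still count.
function exists(p) {
  try { fs.lstatSync(p); return true; } catch { return false; }
}

/**
 * Canonicalize an untrusted relative name under a trusted base directory.
 * Throws (fails closed) unless the result is strictly inside baseDir.
 * @param {string} baseDir directory chosen by the main process
 * @param {unknown} userValue untrusted value, e.g. a field of an IPC message
 */
function resolveInside(baseDir, userValue) {
  if (typeof userValue !== "string" || userValue === "" || userValue.includes("\0")) {
    throw new Error("invalid path component");
  }
  const base = fs.realpathSync(baseDir); // canonical form of the trusted side
  const candidate = path.resolve(base, userValue); // collapses "." and ".."
  // Resolve symlinks in the deepest existing ancestor; the rest is not on disk yet.
  let existing = candidate;
  while (!exists(existing)) existing = path.dirname(existing);
  const canonical = path.join(fs.realpathSync(existing), path.relative(existing, candidate));
  // Compare by path segments, so "/base-evil" is never accepted as "/base".
  const rel = path.relative(base, canonical);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("path escapes base directory");
  }
  return canonical;
}

// Constructed inputs checked against a throwaway directory tree.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "pathdemo-"));
  const base = path.join(root, "downloads");
  fs.mkdirSync(path.join(base, "sub"), { recursive: true });
  fs.mkdirSync(path.join(root, "downloads-evil"));
  fs.symlinkSync(root, path.join(base, "link")); // symlink leading out of base
  const inputs = ["sub/report.txt", "../downloads-evil/x", "link/x", "/etc/passwd", "a\0b", 42];
  const verdicts = inputs.map((v) => {
    try { resolveInside(base, v); return "allowed"; } catch { return "rejected"; }
  });
  fs.rmSync(root, { recursive: true, force: true });
  return verdicts;
}
console.log(demo().join(" "));
```

Callers should use the returned canonical path for the file operation, never the original value.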