Is it secure to grant online access AND editing rights for a TiddlyWiki?

I use a setup on a server where I can grant permission to edit an HTML file like a TiddlyWiki. The permission can be granted to members of an online network without sharing login information. Permission could be granted by a token even to anybody on the Internet. Before I communicate more about this setup I would like to ask a principle question:

If someone has access AND editing rights to a specific tiddler file, e.g. provided by a token, what could this person do to other files on the server as well?
If a person has bad intentions, could he/she inject bad code into this HTML TiddlyWiki file he/she has access to and harm other files on the server as well?

TW can activate plugins, that are stored in a tiddler. So if you allow someone to edit tiddlers they can save plugins back to your server. The next time the server is started, a plugin done right can have access to the context where node.js has been started. So depending on which user starts node.js it could be the whole file-system.

So it depends on how you start your server. It also depends on how your token is generated, and which service generates and controls that token.

Thanks @pmario
I’m not at all that kind of an IT expert so I have no knowledge and more imagination at that point…

The system I use asks for special privileges even for editing a CSS file… so the admin of the system has to “allow code” for an account if the account holder wants to edit HTML CSS files he/she hosts in the cloud storage of that account. There must be security reasons for that.

I run such a system as admin and I have to admit that I can’t estimate the potential risks if I “allow code” for an account and what all can happen to the whole system if a person with bad intentions adds plugins with bad code to a tiddler. That’s why I’m asking…

Hi @session

The reason that your administrators restrict the ability to save HTML files is subtle, and it’s the same reason that (for example) Dropbox allow you to save HTML files but won’t allow you to view them as HTML documents without downloading them.

The problem is that a webpage hosted at (say) https://example.com/users/jeremy/myfile.html can access all the cookies that have been stored against the domain https://example.com. These secure sharing systems generally use cookies to store the credentials of the current user. That means that an evil web page can steal those cookies and then impersonate the current user, perhaps performing evil actions as if they were them.

This is one of those situations where the original design of the web was inherently insecure, and fixing it has involved browsers significantly limiting what web pages can do.

As far as this issue is concerned, TiddlyWiki is just another HTML file, perhaps one carrying particular risk because it is designed to encourage users to extend it with plugins etc. TiddlyWiki cannot detect or prevent plugins that are evil; the best we’ve got is for users to be super cautious about installing untrusted code. For most users, all that is needed is an awareness of the problem, and a cautious approach to adopting plugins: sticking to those that are widely used and/or from a reputable source is a reasonable strategy.

3 Likes
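The cookie exposure described in the post above can be checked with a small model of browser cookie matching. This is an added example, not part of the original thread or of TiddlyWiki; the cookie jar, the cookie names and the separate host `usercontent.example` are constructed assumptions, and the matching is a simplified form of the RFC 6265 rules.

```javascript
// Simplified model of RFC 6265 cookie matching (added example, constructed data).
// Question answered: which cookies can script in a page at `pageUrl`
// read through document.cookie?

function domainMatches(host, cookie) {
  const domain = cookie.domain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  if (cookie.hostOnly) return h === domain;       // no Domain attribute was set
  return h === domain || h.endsWith("." + domain); // Domain attribute covers subdomains
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

function cookiesVisibleToScript(pageUrl, jar) {
  const url = new URL(pageUrl);
  return jar
    .filter((c) => domainMatches(url.hostname, c))
    .filter((c) => pathMatches(url.pathname, c.path))
    .filter((c) => !c.secure || url.protocol === "https:")
    .filter((c) => !c.httpOnly) // HttpOnly: sent with requests, hidden from script
    .map((c) => c.name);
}

// Constructed cookie jar for the hypothetical sharing site example.com.
const jar = [
  { name: "session", domain: "example.com", hostOnly: true, path: "/", secure: true, httpOnly: false },
  { name: "session_hardened", domain: "example.com", hostOnly: true, path: "/", secure: true, httpOnly: true },
  { name: "theme", domain: "example.com", hostOnly: true, path: "/", secure: false, httpOnly: false },
];

// User-editable HTML served from the same host as the application.
const sameOrigin = cookiesVisibleToScript("https://example.com/users/jeremy/myfile.html", jar);
// The same file served from a separate host used only for user content (assumption).
const separateOrigin = cookiesVisibleToScript("https://usercontent.example/jeremy/myfile.html", jar);

console.log("same host:", sameOrigin);         // readable by the page's script
console.log("separate host:", separateOrigin); // nothing from example.com
```

`HttpOnly` only hides a cookie from script; requests made by a page on the same host still carry it, so serving user-editable HTML from a separate host is the case that removes access entirely.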

It seems there is already sufficient separation between different accounts, if a user only can edit his or her own content.

From your first post I was assuming that there is a client-server configuration, but reading that post again, that does not seem to be the case.

As Jeremy pointed out, it should be OK to allow access, if every wiki in 1 account belongs to the same user. Those users have to “trust” the plugins that they intend to use.

As always, giving advice about security-related questions is very hard if you do not know the whole context and how the system works.

Hope that makes sense.

Thanks…
So you basically confirm: to give access to a TiddlyWiki is just fine, but giving also editing rights, which go hand in hand with the right to install any kind of plugins, is something which should be granted only to persons who can be trusted.

This should be kept in mind if you read on:

Since tiddlerhost does not seem to have an Access Control permission system where you can share access and editing rights without sharing login information, the system I use may be interesting for the TiddlyWiki community to have a look at.

I will post about it in a separate thread.