Show More
| @@ -0,0 +1,148 b'' | |||||
|
|
1 | Security in IPython notebooks | |||
|
|
2 | ============================= | |||
|
|
3 | ||||
|
|
4 | As IPython notebooks become more popular for sharing and collaboration, | |||
|
|
5 | the potential for malicious people to attempt to exploit the notebook | |||
|
|
6 | for their nefarious purposes increases. IPython 2.0 introduces a | |||
|
|
7 | security model to prevent execution of untrusted code without explicit | |||
|
|
8 | user input. | |||
|
|
9 | ||||
|
|
10 | The problem | |||
|
|
11 | ----------- | |||
|
|
12 | ||||
|
|
13 | The whole point of IPython is arbitrary code execution. We have no | |||
|
|
14 | desire to limit what can be done with a notebook, which would negatively | |||
|
|
15 | impact its utility. | |||
|
|
16 | ||||
|
|
17 | Unlike other programs, an IPython notebook document includes output. | |||
|
|
18 | Unlike other documents, that output exists in a context that can execute | |||
|
|
19 | code (via Javascript). | |||
|
|
20 | ||||
|
|
21 | The security problem we need to solve is that no code should execute | |||
|
|
22 | just because a user has **opened** a notebook that **they did not | |||
|
|
23 | write**. Like any other program, once a user decides to execute code in | |||
|
|
24 | a notebook, it is considered trusted, and should be allowed to do | |||
|
|
25 | anything. | |||
|
|
26 | ||||
|
|
27 | Our security model | |||
|
|
28 | ------------------ | |||
|
|
29 | ||||
|
|
30 | - Untrusted HTML is always sanitized | |||
|
|
31 | - Untrusted Javascript is never executed | |||
|
|
32 | - HTML and Javascript in Markdown cells are never trusted | |||
|
|
33 | - **Outputs** generated by the user are trusted | |||
|
|
34 | - Any other HTML or Javascript (in Markdown cells, output generated by | |||
|
|
35 | others) is never trusted | |||
|
|
36 | - The central question of trust is "Did the current user do this?" | |||
|
|
37 | ||||
|
|
38 | The details of trust | |||
|
|
39 | -------------------- | |||
|
|
40 | ||||
|
|
41 | IPython notebooks store a signature in metadata, which is used to answer | |||
|
|
42 | the question "Did the current user do this?" | |||
|
|
43 | ||||
|
|
44 | This signature is a digest of the notebooks contents plus a secret key, | |||
|
|
45 | known only to the user. The secret key is a user-only readable file in | |||
|
|
46 | the IPython profile's security directory. By default, this is:: | |||
|
|
47 | ||||
|
|
48 | ~/.ipython/profile_default/security/notebook_secret | |||
|
|
49 | ||||
|
|
50 | When a notebook is opened by a user, the server computes a signature | |||
|
|
51 | with the user's key, and compares it with the signature stored in the | |||
|
|
52 | notebook's metadata. If the signature matches, HTML and Javascript | |||
|
|
53 | output in the notebook will be trusted at load, otherwise it will be | |||
|
|
54 | untrusted. | |||
|
|
55 | ||||
|
|
56 | Any output generated during an interactive session is trusted. | |||
|
|
57 | ||||
|
|
58 | Updating trust | |||
|
|
59 | ************** | |||
|
|
60 | ||||
|
|
61 | A notebook's trust is updated when the notebook is saved. If there are | |||
|
|
62 | any untrusted outputs still in the notebook, the notebook will not be | |||
|
|
63 | trusted, and no signature will be stored. If all untrusted outputs have | |||
|
|
64 | been removed (either via ``Clear Output`` or re-execution), then the | |||
|
|
65 | notebook will become trusted. | |||
|
|
66 | ||||
|
|
67 | While trust is updated per output, this is only for the duration of a | |||
|
|
68 | single session. A notebook file on disk is either trusted or not in its | |||
|
|
69 | entirety. | |||
|
|
70 | ||||
|
|
71 | Explicit trust | |||
|
|
72 | ************** | |||
|
|
73 | ||||
|
|
74 | Sometimes re-executing a notebook to generate trusted output is not an | |||
|
|
75 | option, either because dependencies are unavailable, or it would take a | |||
|
|
76 | long time. Users can explicitly trust a notebook in two ways: | |||
|
|
77 | ||||
|
|
78 | - At the command-line, with:: | |||
|
|
79 | ||||
|
|
80 | ipython trust /path/to/notebook.ipynb | |||
|
|
81 | ||||
|
|
82 | - After loading the untrusted notebook, with ``File / Trust Notebook`` | |||
|
|
83 | ||||
|
|
84 | These two methods simply load the notebook, compute a new signature with | |||
|
|
85 | the user's key, and then store the newly signed notebook. | |||
|
|
86 | ||||
|
|
87 | Reporting security issues | |||
|
|
88 | ------------------------- | |||
|
|
89 | ||||
|
|
90 | If you find a security vulnerability in IPython, either a failure of the | |||
|
|
91 | code to properly implement the model described here, or a failure of the | |||
|
|
92 | model itself, please report it to security@ipython.org. | |||
|
|
93 | ||||
|
|
94 | If you prefer to encrypt your security reports, | |||
|
|
95 | you can use this PGP public key: | |||
|
|
96 | ||||
|
|
97 | .. literalinclude:: ipython_security.asc | |||
|
|
98 | ||||
|
|
99 | Affected use cases | |||
|
|
100 | ------------------ | |||
|
|
101 | ||||
|
|
102 | Some use cases that work in IPython 1.0 will become less convenient in | |||
|
|
103 | 2.0 as a result of the security changes. We do our best to minimize | |||
|
|
104 | these annoyance, but security is always at odds with convenience. | |||
|
|
105 | ||||
|
|
106 | Javascript and CSS in Markdown cells | |||
|
|
107 | ************************************ | |||
|
|
108 | ||||
|
|
109 | While never officially supported, it had become common practice to put | |||
|
|
110 | hidden Javascript or CSS styling in Markdown cells, so that they would | |||
|
|
111 | not be visible on the page. Since Markdown cells are now sanitized (by | |||
|
|
112 | `Google Caja <https://developers.google.com/caja>`__), all Javascript | |||
|
|
113 | (including click event handlers, etc.) and CSS will be stripped. | |||
|
|
114 | ||||
|
|
115 | We plan to provide a mechanism for notebook themes, but in the meantime | |||
|
|
116 | styling the notebook can only be done via either ``custom.css`` or CSS | |||
|
|
117 | in HTML output. The latter only have an effect if the notebook is | |||
|
|
118 | trusted, because otherwise the output will be sanitized just like | |||
|
|
119 | Markdown. | |||
|
|
120 | ||||
|
|
121 | Collaboration | |||
|
|
122 | ************* | |||
|
|
123 | ||||
|
|
124 | When collaborating on a notebook, people probably want to see the | |||
|
|
125 | outputs produced by their colleagues' most recent executions. Since each | |||
|
|
126 | collaborator's key will differ, this will result in each share starting | |||
|
|
127 | in an untrusted state. There are three basic approaches to this: | |||
|
|
128 | ||||
|
|
129 | - re-run notebooks when you get them (not always viable) | |||
|
|
130 | - explicitly trust notebooks via ``ipython trust`` or the notebook menu | |||
|
|
131 | (annoying, but easy) | |||
|
|
132 | - share a notebook secret, and use an IPython profile dedicated to the | |||
|
|
133 | collaboration while working on the project. | |||
|
|
134 | ||||
|
|
135 | Multiple profiles or machines | |||
|
|
136 | ***************************** | |||
|
|
137 | ||||
|
|
138 | Since the notebook secret is stored in a profile directory by default, | |||
|
|
139 | opening a notebook with a different profile or on a different machine | |||
|
|
140 | will result in a different key, and thus be untrusted. The only current | |||
|
|
141 | way to address this is by sharing the notebook secret. This can be | |||
|
|
142 | facilitated by setting the configurable: | |||
|
|
143 | ||||
|
|
144 | .. sourcecode:: python | |||
|
|
145 | ||||
|
|
146 | c.NotebookApp.secret_file = "/path/to/notebook_secret" | |||
|
|
147 | ||||
|
|
148 | in each profile, and only sharing the secret once per machine. | |||
General Comments 0
You need to be logged in to leave comments.
Login now