dehydr8 / elevation-of-privilege Goto Github PK

After every player has passed, but before a new card has been drawn, the "Remove Threat" button is still clickable.
The UI suggests that everything is ok, but the threat does not get removed in this corner case.

I believe it is due to

if (hasPlayerPassed(G, ctx) || (threat.owner !== ctx.playerID)) {
  return INVALID_MOVE;
}

in deleteThreats() in moves.js. One is still at a point, where hasPlayerPassed() returns true.

We should disable the Remove Threats button in this case, like done e.g. with the Add Threat button.

The secrets in the route "/:game/:id/:secret" are not validated when a user enters the game. This is unfortunate, since one player can easily impersonate another player.

This also affects downloading the model json.

Maybe this is fixed by #69 ?

When you created a threat when playing elevation of privilege it automatically took the description off the card as the default description for the threat. It might be nice to also implement this for cornucopia.

This is defined in src/game/definitions.js

Give the possibility to choose between different playing modes:

• EoP
• OWASP Cornucopia

Cornucopia basically follows the same game flow as EoP, but might be better suited for threat modelling web applications.
These should just be UI changes (i.e. exchange images and make it configurable).

In the gameMode Cornucopia and when downloading the model JSON file, a threats have attributes like the following:

"methodology": "Data, Crypt, Sessn, AuthZ, AuthN, Cornu",
"type": "Tampering"

The methodology should maybe better be "Cornucopia" (although I am not sure what will happen when this is loaded with OWASP threat dragon....)

The type actually is the STRIDE type, i.e. it is the corresponding Elevation of Privilege category. So, this is wrong and probably comes from an incorrect mapping of the category names.

On the current master, the layout (i.e. vertical alignment) of several buttons is broken

When threat modelling, it is not strictly necessary to already come up with a mitigation. So, for some players it might be a unnecessary complication to have a mandatory mitigation field when entering a threat.

We should make this optional.

Dear @dehydr8

Thank you very much for this app. It is really awesome.

As this repository has been stale for quite some time now, I would like to ask you, what your future plans for this app will be? Currently, we are actively developing patches to the EoP game (including e.g. fixes to the open issues). Are you still actively maintaining this repo, such that we can submit our patches as pull requests? Otherwise, we would fork this repo and move development to the new place.

What do you think?

On the newest master version, the copy buttons on the create page "jump up" then clicked.

To avoid having long discussions for one single card, one can add a (configurable) timebox per card.

When dealing a card a countdown is shown. After this either the game should move on, or (as a radical alternative) all players auto-pass.

It should be configurable, how long and whether there is a timebox.

It would be nice to have F-Secure Elevation of Privacy as an additional card deck for threat modeling compliance with data protection.

Hi,

we played a round of this game in our team today with everyone being remote which makes things less dynamic to begin with. We then found it quite odd that it lets us play only Tampering cards. I think it'd be nicer if you could play any card you deem most relevant for your particular system so that the game picks up speed and excitement from the beginning.

Besides that it's a pretty cool implementation of the game 👍

For users that do not use Threat Dragon: Provide a method to download the threat list as a nicely formatted .txt file.

Currently, we are using react-scripts 4.0.3
This introduces a lot of security warnings

105 vulnerabilities (1 low, 93 moderate, 9 high, 2 critical)

There is a new version of react-scripts available: 5.0.0
This reduces the security warnings to

8 moderate severity vulnerabilities

However, this update introduces problems with jointjs. In particular, some imports are not found anymore.

The threat bar and leader bar seem to create large invisible divs that make the cards below non-clickable.

A rather old version of boardgame.io is used: 0.32.1.
Unfortunately, there are breaking changes when moving to a newer version, see the migration guide.

When trying to perform a naive upgrade, I ran into problems with a now missing ctx.actionPlayers (maybe because The flow section is gone.?).

When zoomed in/out dragging the model around skips when you start dragging

It can be very tedious to create a threat model json with threat dragon.

If a dedicated json model is not needed, it might be useful to have a simple default model (maybe just containing a single actor "application") such that threats can be collected in a simple way.

This is also beneficial when the game is accompanied by a video sharing session. Then the model (i.d. data flow diagram) can be a simple drawing.

The EoP cards are distributed, but not attributed correctly. These images are licensed under CC-BY-3.0. A link to the license and to the author should maybe be added

The limit for the names in the status bar, limits the length of the combined names rather than each one. This means that one long name can use up all the space, causing the other names to be cut off.

At the moment, I believe the game does not present the winner in a nice way.

Make it easier to distribute the links to the players:

• After each links: a button to copy the link to the clipboard
• Maybe: A button to copy the whole link table to the clipboard such that it can easily pasted into a chat. (Assuming you can trust the players such that they only use their own links :-P ).

In a game with 8 players the websocket connection did not work reliably. In particular, when adding threats the state was not updated for all players. The "Add threat"-modal did not disappear and the users were stuck. Reloading the page helped.

Workaround: The player adding the threat has to click "Save" before clicking "Save & Add".

When running the server there is a periodically appearing rejected Promise:

(node:8) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:8) UnhandledPromiseRejectionWarning: Error: EISDIR: illegal operation on a directory, read

There have been security updates for nodejs (see https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/). This means, we should update the used docker base images. For the server, the most recent version seems to be node:16.6.0-alpine3.14.

In the latest version of boardgame.io, the permitted origins must be provided.
At the moment this is set to the following in gameServer.js.

origins: [
    '*'
]

This would probably be better set up from a config file
This will also affect the deployment process

During playing the game, the wrong dealt card is shown and it does not get updated anymore until a new round starts.

On the newest master, there is a strange horizontal line that is only visible before the first card is played

Long player names move the leader board out of screen.

• Change it to a fainter grey?
• Maybe make the button vanish after it has been clicked?

All games start with AuthN3, but AuthN2 should also be available. Could it be that EoP's INVALID_CARDS also apply to Cornucopia?

Some of the tests aren't passing

threats-server | Public API serving at: http://localhost:8001/
threats-server | Internal API serving at: http://localhost:8002/
threats-server | Game server API (websocket) serving at: http://localhost:8000/

But nothing comes up in browser?!

At the moment the minimal number of players is three.
But for demonstration purposes it might be helpful to have a game with only two players

On current master, the deck contains the card E2 bu this is not visible. Maybe it's got something to do with B2 being in STARTING_CARD_MAP and INVALID_CARDS at the same time? Should INVALID_CARDS rather contain E2?

Are STARTIND_CARD_MAP and INVALID_CARDS correct for all suits?

They don't pass the renders without crashing test, I think the tests just need updating.

src/client/components/leaderboard/leaderboard.test.js

  ● renders without crashing

    TypeError: Cannot read property 'includes' of undefined

      14 |     let passed = this.props.passedUsers;
      15 |     function hasPassed(_idx) {
    > 16 |       return passed.includes(_idx.toString());
         |                     ^
      17 |     }
      18 |
      19 |

src/client/components/sidebar/sidebar.test.js

  ● renders without crashing

    TypeError: Cannot read property 'length' of undefined

      31 |   render() {
      32 |     let dealtCard = getDealtCard(this.props.G);
    > 33 |     const isLastToPass = this.props.G.passed.length === this.props.ctx.numPlayers-1 && !this.props.G.passed.includes(this.props.playerID)
         |                                              ^
      34 |
      35 |     return (
      36 |

It might be good to have an indication which user already passed in the current round. Similar to the played card, show to the other players which player clicked the Pass button.

When a player enters a threat, the other players only see the result when it is submitted. Maybe we could use the existing websocket to have kind of a live update for the other players while typing.

On the create page, the width of the form is rather small. It would be good to have it a little bit wider, such that the form's label word-wraped in a better way.
Also, for our prod env, the table with the player links is formatted strangely, such that the player names are cut off. This is because of the length of our production url and how it is wraped. This would also benefit from have more content width.

I already tried to quickly fix this, but it turns out the width is defined by bootstrap and it didn't work straightforwardly.

Hello!

I'm one of the Threat Dragon maintainers, and just learned of this awesome tool through an OWASP Kyiv video on YouTube. Threat Dragon is ramping up for it's 2.0 release, which will be using an entirely different drawing package (moving from JoinJS to Antv/x6). To date, we've been working hard to ensure that there aren't breaking changes in the JSON models, except for the drawing parts. Unfortunately, this looks like it will be a breaking change for this project. We do not have an exact ETA for the version 2 release at this time, but development has been underway for a while. The exact schema for the 2.0 models isn't finalized yet, however, they will likely have a version tag at the top level to help identify them from the 1.x versions.

My goal is to start a conversation and see if there's anything we can do to help the transition to 2.0 models. There will be a couple new shapes introduced in 2.0, possibly more in the future. The first thing that comes to mind as far as things we could do that might be helpful is possibly publishing Threat Dragon's shape definitions as a separate NPM package?

I'm very open to discussion and am here to help! Cheers!

When playing the game with moderator, it is beneficial if there is a special spectator mode, such that the moderator does not have to participate actively in the game.

The dockerfiles recently got updated to node17.
This cut off support for old algorithms (see the release notes).
In our particular case, the problem is react-scripts that depends on an too-old version of webpack. See this discussion.

To make the app buildable with node17, the flag --openssl-legacy-provider was added to the client.dockerfile.

As soon as the new version of react-scripts is released, this flag should be removed again.

some variables are declared but never used

When running npm audit a large number of vulnerabilities are found (even quite a few critical).

Relates to #69

It might be useful to use an image instead of a fully fledged threat-dragon model.

After switching the base image for the heroku docker container to alpine, the heroku deployment fails (see https://travis-ci.org/github/dehydr8/elevation-of-privilege/jobs/773068262)

It seems that building the container already fails when pulling the alpine image from the registry

$ docker build -f heroku/Dockerfile -t $REPO:$COMMIT .
Sending build context to Docker daemon  17.97MB
Step 1/14 : FROM alpine:3
3: Pulling from library/alpine
540db60ca938: Pulling fs layer
error pulling image configuration: unexpected EOF
The command "docker build -f heroku/Dockerfile -t $REPO:$COMMIT ." exited with 1.

Locally, the docker command runs just fine for me. @dehydr8 Do you have any idea?

Hi,

I just discovered this implementation and I like it very much. Nice work!

The only thing I was wondering is whether it is possible to preview a card in the deck before actually playing it (now clicking the card immediately plays it). This would allow players to read the contents of a card before playing it.