
owasp-threat-dragon-desktop's People

Contributors

dehydr8, dependabot[bot], fajabird, jgadsden, mike-goodwin, nstr10, snyk-bot


owasp-threat-dragon-desktop's Issues

Can not close 'About' window in Gnome

When running TD on Ubuntu Linux, if the 'About' selection is made from the 'Help' pull down then the About window is displayed without an OK button. This window can only be closed by right-clicking the window bar.

XSS/RCE vulnerability

During testing of this app I've discovered an XSS flaw that can lead to RCE. Is there a secure/private place I can post details of the issue?

Add a Screenshot to the Readme

For GUI driven tools being able to "see it" makes a big difference in how to evaluate it. It would be really helpful to have that to look at from the screenshot, I'm not going to download it just to see it. Thanks!

Saved file contains just the string 'null'

  1. Open Threat Dragon Desktop
  2. File | New model
  3. Add model title
  4. Save button
  5. Save “MyFile” (file is ok at this point)
  6. File | Close
  7. File | Save
  8. Open MyFile.json

Expected result

  • File contains an empty model
  • Opening the file shows an empty model

Actual result

  • File contains just the string 'null'
  • Opening the file spins indefinitely

Copy/paste support

The packaged electron application doesn't support copy/paste and other editing functions because the menu items and bindings need to be explicitly added. Reference: electron/electron#2591

The menu items and bindings need to be added in app/layout/shell.js to enable support for the said functions.

Diagram Panel Resizing

The graph panel does not expand vertically when zoomed out leaving most of the diagram cut off.

Report in blank (desktop version installed locally on Mac)

Hi Mike,
I have the desktop version installed locally on my mac and for a few days when I want to see the model report, it shows me the blank summary, I can't find a way to see what's wrong.
When loading the project I get an error "Could not call remote function 'setFeedURL', check that the function signature is correct. Underlying error: could not get code signature for running application"
I can add threats, flows and anything but when entering by the reports option I get the following error message "[Error] Cannot read property 'cells' of undefined." for each diagram included in the model.
Do you know what may be happening?
I can share the model in case you have any idea what may be happening.

Uncaught Exception thrown on Windows

@thomaskonrad reports:
Exception thrown, but cannot copy it:
When I open a model, an exception Uncaught Exception: Error: Command failed: 4294967295. Also, I cannot copy the exception so that I could easily post it here. It says System.Net.WebException: The remote server returned an error (500) Internal Server Error

Unable to escape from maximised screen (MacOS + Linux)

Desktop version of Threat Dragon
Version 0.1.26
Mac OS 10.13.3 High Sierra
When the main screen is maximised, it is not possible to escape from this back to the desktop. The only way out is to bump the top of the screen

Console error messages displayed

We get some console error messages when TD starts up. It is annoying and worrying for the user when these are briefly visible in the main application window. We need to either:

  • fix the error + warning messages
    or
  • stop them appearing on the main window

macOS keyboard shortcuts

It may sound nit-picky, but not having standard keyboard shortcuts for closing window and application really stumps me every time I use the app...

The standard shortcut for closing a window on macOS is cmd-W, the standard shortcut for closing/terminating an application is cmd-Q - currently ThreatDragon uses cmd-F4 to close a window and cmd-W to "exit" the application.
In addition, macOS adds a standard "Windows" menu to the menubar, containing a "Close Window" item with shortcut cmd-W, which conflicts with the "Exit" item in the File/application menu added by ThreatDragon code.

I would therefore suggest the following changes (as per the attached patch):

  • change keyboard shortcut for "Close Model" menu item to 'CmdOrCtrl+W' when platform == darwin
  • change title for "Exit" menu item to "Quit" when platform == darwin
  • change keyboard shortcut for "Exit"/"Quit" menu item to 'CmdOrCtrl+Q' when platform == darwin

Thanks for considering.

MenuItemChanges.patch.gz
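An added example (not Threat Dragon's own app/layout/shell.js and not the attached patch) of how the three menu changes proposed above, together with the copy/paste fix from the earlier "Copy/paste support" issue, look as an Electron Menu template. It avoids `require('electron')` so it runs stand-alone; `actions` is an assumed object of click handlers, and the non-macOS bindings are the pre-patch ones the issue describes (Cmd/Ctrl+F4 to close, Cmd/Ctrl+W to exit).

```javascript
'use strict';
// Added example, not the project's own code. Builds an Electron Menu template
// whose File accelerators follow the platform conventions, and adds the Edit
// roles that give a packaged Electron app working cut/copy/paste
// (electron/electron#2591). `actions` is an assumed object of click handlers.

function buildMenuTemplate(platform, actions) {
  const isMac = platform === 'darwin';
  const file = {
    label: 'File',
    submenu: [
      { label: 'New Model', accelerator: 'CmdOrCtrl+N', click: actions.newModel },
      { label: 'Open Model', accelerator: 'CmdOrCtrl+O', click: actions.openModel },
      { label: 'Save Model', accelerator: 'CmdOrCtrl+S', click: actions.saveModel },
      // macOS: Cmd+W closes the current document; elsewhere keep the pre-patch F4 binding
      { label: 'Close Model',
        accelerator: isMac ? 'CmdOrCtrl+W' : 'CmdOrCtrl+F4',
        click: actions.closeModel },
      { type: 'separator' },
      // macOS: the item is called "Quit" and bound to Cmd+Q; role 'quit' lets
      // Electron run its standard quit sequence on every platform
      { label: isMac ? 'Quit' : 'Exit',
        accelerator: isMac ? 'CmdOrCtrl+Q' : 'CmdOrCtrl+W',
        role: 'quit' },
    ],
  };
  // Edit menu built from roles: without these a packaged app has no
  // cut/copy/paste bindings at all
  const edit = {
    label: 'Edit',
    submenu: [
      { role: 'undo' }, { role: 'redo' }, { type: 'separator' },
      { role: 'cut' }, { role: 'copy' }, { role: 'paste' }, { role: 'selectAll' },
    ],
  };
  return [file, edit];
}

// Look up a top-level submenu item by label (used to inspect the template)
function findMenuItem(template, label) {
  for (const top of template) {
    const hit = (top.submenu || []).find((item) => item.label === label);
    if (hit) return hit;
  }
  return undefined;
}

// In the main process the template would be installed with
// Menu.setApplicationMenu(Menu.buildFromTemplate(buildMenuTemplate(process.platform, actions)))
```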

Provide a CLI

It would be good if there was a CLI to Threat Dragon desktop, so that some functionality could be automated. At present this would probably just be 'generate a pdf report', but it may be useful in the future for other functions.

Add icons to electron builder / installer

The icon files cupcakes.icns, cupcakes.ico and cupcakes1024x1024.png should be moved to the content/icons directory. The icon locations should be updated for these paths and the icons added to the electron builder configuration in package.json.

Java Script error

I have 2 W10 64bit installations, actual version/patchlevel.
On both machines a window appears with error message when using TD 1.0.0
there is no C&P or change of window size :-(

(screenshots attached: 2020-03-01 17_02_31-Error_top, 2020-03-01 17_03_33-Error_bottom)

'Report' button does not exist

... or I am very obtuse and cannot find it. Tried with both my own threat model as well as the demo one. Any tips?

Using the desktop version.

Loading bad json file not caught

When a file is loaded that does not have valid json, the application waits forever after parsing the file. This error needs to be caught and acted upon
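An added example (not Threat Dragon's own loader) of catching this case, and the related "Saved file contains just the string 'null'" case above, before the model reaches the UI: parse errors, a bare `null`, and diagrams lacking the `cells` array the report code needs are all turned into a reported error instead of an indefinite wait. The model shape it checks (summary.title and detail.diagrams[].diagramJson.cells) and the size limit are assumptions.

```javascript
'use strict';
// Added example, not the project's own code. Parses a model file defensively
// so that invalid JSON or a bare `null` is reported to the user rather than
// leaving the UI waiting forever. The checked shape is an assumption about
// the model format.

const MAX_MODEL_BYTES = 10 * 1024 * 1024; // assumed upper bound for a model file

// Returns { ok: true, model } or { ok: false, error }; never throws.
function loadModelText(text) {
  if (typeof text !== 'string') {
    return { ok: false, error: 'model file could not be read as text' };
  }
  if (text.length > MAX_MODEL_BYTES) {
    return { ok: false, error: 'model file exceeds ' + MAX_MODEL_BYTES + ' bytes' };
  }
  let model;
  try {
    model = JSON.parse(text);
  } catch (e) {
    // JSON.parse names the offending position; pass that on rather than swallowing it
    return { ok: false, error: 'file is not valid JSON: ' + e.message };
  }
  // "null", a number or an array all parse successfully but are not a model
  if (model === null || typeof model !== 'object' || Array.isArray(model)) {
    return { ok: false, error: 'file does not contain a threat model object' };
  }
  const problems = [];
  if (!model.summary || typeof model.summary.title !== 'string') {
    problems.push('summary.title is missing');
  }
  if (!model.detail || !Array.isArray(model.detail.diagrams)) {
    problems.push('detail.diagrams is missing');
  } else {
    model.detail.diagrams.forEach((d, i) => {
      // report generation reads diagramJson.cells; a diagram without it produces
      // the "Cannot read property 'cells' of undefined" error seen in the issues
      if (!d || !d.diagramJson || !Array.isArray(d.diagramJson.cells)) {
        problems.push('diagram ' + i + ' has no diagramJson.cells');
      }
    });
  }
  if (problems.length > 0) {
    return { ok: false, error: 'model is incomplete: ' + problems.join('; ') };
  }
  return { ok: true, model };
}

// Guard for the save path: refuse to write anything that is not a model object,
// which is how a closed (null) model ends up as a file containing just "null".
function serializeModel(model) {
  const check = loadModelText(JSON.stringify(model));
  if (!check.ok) {
    return { ok: false, error: 'refusing to save: ' + check.error };
  }
  return { ok: true, text: JSON.stringify(model, null, 2) };
}

// Constructed sample model for trying the functions out
const SAMPLE_MODEL = {
  summary: { title: 'Demo model' },
  detail: { contributors: [], diagrams: [{ title: 'Main', diagramJson: { cells: [] } }] },
};
```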

Command-c save does not save diagram

Reproduce steps:

  1. Create a new threat model
  2. Add a new diagram
  3. Save
  4. Edit diagram
  5. Add a process to the diagram
  6. Hit command+s
  7. Hit command+o, open the previously saved threat model
  8. Edit diagram again

Expected behavior:
Diagram should contain one process

Actual behavior:
Diagram is empty

Can not copy / paste using MacOS

Desktop version of Threat Dragon
Version 0.1.26
Mac OS 10.13.3 High Sierra
When entering the model information such as Title, Owner, Reviewer, etc, it is not possible to copy or paste into the text boxes in the edit window.
This may be linked to issue in owasp-threat-dragon-desktop repo that has been closed:
#39
@mike-goodwin : this is fixed in 0.1.27, I can create this download for MacOS if you like?

Create releases for linux distros

It would be good to have a new set of release files for Windows and MacOS, as well as the linux distributions such as Debian and Fedora.

New model edits lost if save cancelled

When a new model is being constructed and the save button is pressed, if the model is not saved, by hitting 'cancel' instead of 'save' in the dialog box, then all edits are lost

Provide AutoUpdate

There is a branch for applying auto-updates using squirrel. It should be cross platform for Windows, MacOS and Linux.
File app/app.js has been modified to not use autoupdate via PR #102 because it was causing problems, but this modification can be undone when autoupdate is working:

//electron autoupdate
//Note: autoupdate has been disabled until this issue has been satisfied:
//      https://github.com/mike-goodwin/owasp-threat-dragon-desktop/issues/101
// app.run(['common', 'dialogs', 'electron', 'VERSION', require('./app/config.autoupdate')]);

Export as PDF in Desktop App

Hi there,
nice project!
I saw that PR #100 adds reporting/PDF functionality to the Web app. It would be nice if the Desktop app also had that functionality.

Can't save on Mac after adding threat

Saving seems to work fine when the diagram only consists of dataflow objects. As soon as a threat is added, none of the save options work. The menu option displays a save file dialog even though the json file already exists and overwriting it removes the contents leaving just a JSON null. Using the button in the toolbar displays an on-screen error message which says "Cannot read property 'detail' of null". Removing the threat again does not get rid of the problem.
I am using the Desktop version 0.1.26 on MacOS 10.14.6

Windows10 install failed

I tried to install on win10 64bit by running npm install, encounter errors, please advise:

> [email protected] postinstall C:\Users\xyz\Desktop\owasp-threat-dragon-desktop-master\node_modules\electron
> node install.js

Downloading tmp-2016-0-electron-v5.0.5-win32-x64.zip
Error: unable to get local issuer certificate
C:\Users\xyz\Desktop\owasp-threat-dragon-desktop-master\node_modules\electron\install.js:49
  throw err
  ^

Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1473:34)
    at TLSSocket.emit (events.js:311:20)
    at TLSSocket._finishInit (_tls_wrap.js:916:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
  code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\fs-xattr):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"!win32","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\electron-installer-redhat):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin,linux","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\electron-installer-debian):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin,linux","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\macos-alias):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\appdmg):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] postinstall: `node install.js`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] postinstall script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users\xyz\AppData\Roaming\npm-cache\_logs\2020-02-28T20_16_19_366Z-debug.log

Update packages

When running npm install there are warnings. These packages could be updated so that the warnings are reduced:

npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
npm WARN deprecated [email protected]: This module is no longer maintained, try this instead:
npm WARN deprecated   npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue

npm WARN notsup Unsupported engine for [email protected]: wanted: {"node":"0.10 || 0.12 || 4 || 5 || 6 || 7 || 8"} (current: {"node":"13.11.0","npm":"6.13.7"})
npm WARN notsup Not compatible with your version of node/npm: [email protected]

Update package versions

Dependabot has identified some packages that need to be updated, but this has to be done in sync with package-lock.json. Better to bundle the dependabot changes together and commit them as one PR
A new version of angular is available:
"angular": "1.7.9"
update from existing 1.7.8

Crash When Using Trust Boundary

Trust boundaries seem to crash the application when you go to change their shape. Unfortunately, it's very difficult to move a trust boundary without accidentally changing its shape dramatically. As such, at least in my version, trust boundaries are unusable.

Version: 1.27.0 alpha
System: Windows 10
Repro:

  • Add trust boundary to diagram
  • Attempt to drag it from initial placement location
  • The curve will try to recalculate itself and crash.

Any way I can submit logs? Willing to go digging if I have some direction.

Multiple issues: Having to save the model immediately

I just played around a bit with Threat Dragon, and I ran into multiple issues. I'd like to summarize these here.

  1. Having to save the model immediately: When creating a new model, I need to save it immediately. I'd prefer being able to play around with it before saving anything. So "Create New" instead of "Save" would be better IMHO.
  2. Exception thrown, but cannot copy it: When I open a model, an exception Uncaught Exception: Error: Command failed: 4294967295. Also, I cannot copy the exception so that I could easily post it here. It says System.Net.WebException: The remote server returned an error (500) Internal Server Error.
  3. Blank screen after creating model: When the model is saved, a blank screen with no interaction options appear. Took me a while to find out where to go from here.
  4. The fact that I have to edit the model to add a diagram: That seems counter-intuitive to me. I'd put the diagrams into the edit view of the model, and only put metadata into the edit dialog.
  5. I cannot drag whole trust boundaries: When I point at a trust boundary, the cursor indicates that I can drag and drop the whole boundary, but instead, a new point is added to the curve, which I then drag. I could not find out a way to move a whole trust boundary at once.
  6. The protocol isn't shown in the Data Flow: There is no indicator which protocol is in use, or whether it's encrypted, although I can specify these properties.
  7. Data Flow arrows are misaligned: The arrows seem to point towards the direct line between two objects, instead of the direction of the very last part of the curve. That makes it misaligned when it's curved.

I'm happy to provide more details in case anything is unclear.

Remove warnings

The warning on the main window is probably no longer needed, as we should make any data model changes backwardly compatible.

Warning! Threat Dragon is still in early development (it is an OWASP incubator project) so it might have some bugs and the data model could change without warning, leaving you unable to open your threat models.

This is in file app/welcome/welcome.html. Note that the screenshot should also be updated at screenshots/welcome.png

Vulnerabilities identified during install

On cloning and then npm install we get:

added 1537 packages from 1224 contributors and audited 8099 packages in 43.267s
found 58 vulnerabilities (17 low, 7 moderate, 32 high, 2 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

which should be fixed

Put 'electron' in the devDependencies section

During build of the installers, get warning message:
WARNING: Found 'electron' but not as a devDependency, pruning anyway
It seems that 'electron' should be in the devDependencies section rather than dependencies section.

Blank window on saving new model or saving demo model

When the 'Create a New Model' selection is made, and then the details of the model filled in, then on Save the model is saved but the Threat Dragon window is blank. Recovery is by closing the model from the Electron menu.
Tested on Windows, MacOS and Debian Linux
TD version : core 0.61, desktop 0.6.3
also on TD version : core 0.7.0, desktop 1.0
Error message: [ [Error] Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded

File Extension Not Applied

When saving a new file, no file extension is added. It is unclear what file extension should be added. When opening files, none appear available because they have no file extensions.

I am running this on Ubuntu 18.04 with the Nautilus file browser.

Mac Package Still at v0.1.26

Hi,

The latest Mac package available for download from here is still v0.1.26. It looks like it wasn't updated like the other pages. Thanks

(screenshot attached: Screen Shot 2020-04-09 at 4 59 46 PM)

FAQs: Images of the Threat Diagram are cropped in the Report

When I go to run the Report on a model (actually a group of models), the Diagrams are cropped so that the reader can't see the entire model.

I'm getting several red, brief, pop-up style warnings when running the Report. They appear to be identical and state "Error: cannot read property 'cells' of undefined".

I'm using version 1.2, on a MacBook Air running 10.14.6

Possible to lose components from diagram editor pane

If I open up a threat model and start editing it, then use the View->Reload function, I get the error message '[Error] path must be a string or a buffer' and the diagram title is stuck on 'Loading ...' with no components in the diagram editor pane. I am using version (0.1.26) direct from this repo on Trisquel linux.
This is not a big issue at all - it recovers and the error is noticeable and avoidable ... but thought I should flag it.

Printing / Save PDF

Latest version on github cloned.
Created a new model and added components.
Added threats.
Closed model.
Opened so I could get to the Report feature.
Save PDF generated the pdf, but it is missing the threat information. I checked to include mitigated threats as well. I have a mix of mitigated and open; however, none of them showed up in the generated PDF.
