From 12d13f7be027712e2f42a61df2fb674dbd8148d8 Mon Sep 17 00:00:00 2001 From: Nick Sweeting Date: Fri, 3 Nov 2023 21:21:19 -0700 Subject: [PATCH] Updated Security Overview (markdown) --- Security-Overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Security-Overview.md b/Security-Overview.md index 49c2ccb..4d9522b 100644 --- a/Security-Overview.md +++ b/Security-Overview.md 
@@ -27,7 +27,7 @@ If you're importing private links or authenticated content, you probably don't w - any cookies / secret state present in a Chrome user profile or `cookies.txt` file may be [reflected in server responses and saved in the Snapshot output (e.g. in `headers.json`)](https://github.com/ArchiveBox/ArchiveBox/blob/dev/archivebox/extractors/headers.py) making it [visible in cleartext to anyone viewing the Snapshot](https://archive.sweeting.me/archive/1613417792.264667/headers.json), (don't use your personal Chrome profile for archiving or people viewing your archive can then authenticate as you!) - any secret tokens embedded in URLs (e.g. secret invite links, Google Doc URLs, etc.) will be visible on `archive.org` as the URLs are not filtered [when saving to `archive.org`](https://github.com/ArchiveBox/ArchiveBox/blob/dev/archivebox/extractors/archive_org.py#L46) (disable submitting to Archive.org entirely with `SAVE_ARCHIVE_DOT_ORG=False`) - the domain portion in archived URLs is [sent to a favicon service](https://github.com/ArchiveBox/ArchiveBox/blob/dev/archivebox/extractors/favicon.py#L43) in order to retrieve an icon more reliably than a janky internal implementation would be able to (if leaking domains is a concern, you can disable the favicon fetching entirely with `SAVE_FAVICON=False`) -- [viewing malicious archived JS saved verbatim with the Wget extractor could allow an attacker to access your other archive items + the admin interface (viewed WGET-archived JS executes on the same origin as the admin panel right now, fix is pending, set `SAVE_WGET=False` to disable WGET saving entirely or avoid viewing WGET Snapshot output directly in a browser)](https://github.com/ArchiveBox/ArchiveBox/issues/239) +- [viewing malicious archived JS could allow an attacker to access your other archive items + the admin interface (JS executes on the same origin as the admin panel right now, fix is pending, set `SAVE_WGET=False SAVE_DOM=False` to disable the risky 
extractors entirely or avoid viewing their output directly in a browser)](https://github.com/ArchiveBox/ArchiveBox/issues/239)
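Review bot: the widened claim in the replaced bullet ("viewing malicious archived JS could allow an attacker to access your other archive items + the admin interface") is no longer tied to specific extractors, yet the mitigation still only lists two settings, `SAVE_WGET=False SAVE_DOM=False`, so a reader cannot tell whether disabling WGET and DOM closes the issue or only the two known cases. Suggest naming the affected extractors in the claim itself, e.g. "JS in Wget- and DOM-extractor output executes on the same origin as the admin panel right now", or stating which other Snapshot outputs are still served as browser-viewable HTML and therefore carry the same risk. Minor: the two settings share one backtick span and read as a single value; writing them as `SAVE_WGET=False` and `SAVE_DOM=False` matches how `SAVE_ARCHIVE_DOT_ORG=False` and `SAVE_FAVICON=False` are presented in the preceding bullets.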