Suggestion: a developer friendly, secure API

[lukaszmakuch]

Hi! 👋

I'd like to thank everyone who has ever worked on this library, as it has helped me build things I wouldn't have built otherwise.

Because I like it so much, I must tell you that I noticed some security issues which I believe could be avoided if the API was simpler.

I'd like to propose adding a high-level API that makes our apps harder to hack. Here's how it'd look:

node = getTheOnlySignedNodeOrNull(xml, publicKey)

and

nodesArray = getSignedNodes(xml, publicKey)

You can read the rationale behind it in this blog post - Your XML security library is sabotaging your work. Here's what you can do about it. It's evident verifying signatures poses a real challenge. An example is described in a post titled Are XML Signatures secure?.

The current, low-level API doesn't have to be removed, so everything can be backward-compatible.

The new, safer API can be built on top of the existing one.

Should we help developers deliver secure solutions?

[djaqua]

Yes, I love this, personally, but I think it's worth having a discussion around making the high level API as flexible as possible. We're in the process of knocking out some real low-level pain points and potentially some redesign.

The API you're proposing is basically a facade over the package that ensures that clients successfully accomplish what they mean to, right?

CC @LoneRifle @cjbarth

[lukaszmakuch]

You're right @djaqua. What I'm proposing is a facade over the current API. I have actually implemented something like that for a client of mine so that reading "safe" data from XMLs is not a footgun.

I'd love to hear more about the ideas for the potential redesign. What are the goals you're aiming for with this redesign?

[cjbarth]

@djaqua @lukaszmakuch , how's this discussion going?

[lukaszmakuch]

@djaqua @lukaszmakuch , how's this discussion going?

I don’t have any updates.

[cjbarth]

Would either @djaqua or @lukaszmakuch like to propose such an API, either here or in a PR so that this can keep moving forward?

[djaqua]

@cjbarth & @lukaszmakuch -- check out #304
I think the Facade would easily and effectively knock out high level goals 1 & 2. I would be glad to donate the Facade I have made for my own use. It would take me an evening or two to clean it up and add JSDocs. But .... I don't want to start coding until we have a real serious discussion about where we want to take this project.

[LoneRifle]

Could we enable discussions on this repo? It would facilitate discourse better than GitHub Issues

[djaqua]

I have no idea how, but yes, I am most definitely in favor of that.

[djaqua]

Also, @cjbarth @LoneRifle do you guys use Microsoft Teams? I can't believe I'm about to say this, but ... I actually think its a pretty neat tool. Can do virtual conferencing, share and manage notes, create TODO lists, and lots of other project management stuff. I think we can collaborate for free, but if you guys hate it, then lets not use it. Just putting it out there as an option.

[djaqua]

Hi! wave

I'd like to thank everyone who has ever worked on this library, as it has helped me build things I wouldn't have built otherwise.

Because I like it so much, I must tell you that I noticed some security issues which I believe could be avoided if the API was simpler.

I'd like to propose adding a high-level API that makes our apps harder to hack. Here's how it'd look:

node = getTheOnlySignedNodeOrNull(xml, publicKey)

and

nodesArray = getSignedNodes(xml, publicKey)

You can read the rationale behind it in this blog post - Your XML security library is sabotaging your work. Here's what you can do about it. It's evident verifying signatures poses a real challenge. An example is described in a post titled Are XML Signatures secure?.

The current, low-level API doesn't have to be removed, so everything can be backward-compatible.

The new, safer API can be built on top of the existing one.

Should we help developers deliver secure solutions?

I didn't catch your security vulnerability reference until just now. Would you mind elaborating on how you simplified API suggestion would remedy that?