Entries from March 2009
March 31st, 2009 — Security
Posted by Jad S. Boutros, Security Team
Building on our earlier posts on defenses against web application flaws ["Automating Web Application Security Testing", "Meet ratproxy, our passive web security assessment tool"], we introduce Automatic Context-Aware Escaping (Auto-Escape for short), a functionality we added to two Google-developed general purpose template systems to better protect against Cross-Site Scripting (XSS).
We developed Auto-Escape specifically for general purpose template systems; that is, template systems that are for the most part unaware of the structure and programming language of the content on which they operate. These template systems typically provide minimal support for web applications, possibly limited to basic escaping functions that a developer can invoke to help escape unsafe content being returned in web responses. Our observation has been that web applications of substantial size and complexity using these template systems have an increased risk of introducing XSS flaws. To see why this is the case, consider the simplified template below in which double curly brackets {{ and }} enclose placeholders (variables) that are replaced with run-time content, presumed unsafe.
<body>
  <span style="color:{{USER_COLOR}};">
    Hello {{USERNAME}}, view your <a href="{{USER_ACCOUNT_URL}}">Account</a>.
  </span>
  <script>
    var id = {{USER_ID}};
    // some code using id, say:
    // alert("Your user ID is: " + id);
  </script>
</body>
In this template, four variables are used (not in this order):
- USERNAME is inserted into regular HTML text and hence can be escaped safely by HTML-escape.
- USER_ACCOUNT_URL is inserted into an HTML attribute that expects a URL and therefore, in addition to HTML-escape, also requires validation that the URL scheme is safe. By allowing only a white-list of safe schemes, we can prevent (say) javascript: pseudo-URLs, which HTML-escape alone does not prevent.
- USER_COLOR is inserted into a Cascading Style Sheets (CSS) context and therefore requires an escaping that also prevents scripting and other dangerous constructs in CSS, such as those possible in expression() or url(). For more information on concerns with harmful content in CSS, refer to the CSS section of the Browser Security Handbook.
- USER_ID is inserted into a Javascript variable that expects a number, since the placeholder is not enclosed in quotes. As such, it requires an escaping that coerces the value to a number (which a typical Javascript-escape function does not do); otherwise it can lead to arbitrary Javascript execution. More variants may be developed to coerce content to other data types, including arrays and objects.
Each of these variable insertions requires a different escaping method or risks introducing XSS. To keep the example small, we excluded several contexts of interest, particularly style tags, HTML attributes that expect Javascript (such as onmouseover), and considerations of whether attribute values are enclosed within quotes or not (which also affects escaping).
Auto-Escape
The example above demonstrates the importance of understanding the precise context in which variables are being inserted and the need for escaping functions that are both safe and correct for each. For larger and complex web applications, we notice two related vectors for XSS:
- A developer forgetting to apply escaping to a given variable.
- A developer applying the wrong escaping for that variable for the context in which it is being inserted.
Considering the sheer number of templates in large web applications and the amount of untrusted content they may operate on, proper escaping becomes complicated and error prone. It is also difficult to audit efficiently from a security testing perspective. We developed Auto-Escape to move that complexity away from the developer and into the template system, and therefore reduce the risk of XSS that would otherwise ensue.
A Look at Implementation
Auto-Escape is a functionality designed to make the Template System web application context-aware and therefore able to apply automatically and properly the escaping required. This is achieved in three parts:
- We determined all the different contexts in which untrusted content may be returned and provided proper escaping functions for each. This is part science and part practical. For example, we did not find the need to support variable insertion inside an HTML tag name itself (as opposed to HTML attributes) so we did not build support for it. Other factors come into play, including availability of existing escaping functions and backwards compatibility. As a result, part of that work is template system dependent.
- We developed our own parser to parse HTML and Javascript templates. It provides methods which can be queried at a point of interest to obtain the context information necessary for proper escaping. The parser is designed with performance in mind, and it runs in a stream mode without look-ahead. It aims for simplicity while understanding that browsers may be more lenient than specifications, particularly in certain corner cases.
- We added an extra step to the parsing that the template system already performs to locate variables, among other needs. This extra step activates our HTML/Javascript parser, queries it for the context of each variable, then applies its escaping rules to compute the proper escaping functions to use for each variable. Depending on the template system, this step may be performed only the first time a template is used, or for each web response; in the latter case some of the limitations of a one-time analysis can be lifted.
A simple mechanism is provided for the developer to indicate that some variables are safe and should not be escaped. This is used for variables that are either escaped through other means in source code or contain trusted markup that should be emitted intact.
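As an added example, not code from Ctemplate or ClearSilver, here is a small Python auto-escaper that covers both the per-context escapers listed for the four variables above and the three-part design just described: a character-at-a-time, no-lookahead HTML/Javascript context tracker that is queried at each placeholder, a per-context escaper chosen from its answer, and a `safe` list for the trusted-markup exception. The scheme whitelist, the CSS character class, emitting `null` for a non-numeric value, the names `HtmlJsContext` and `render`, and the hostile inputs are all assumptions of this example; the template is the one from the post. In contexts it has no escaper for (on* handler attributes, unquoted attribute values, tag names) it raises instead of guessing.

```python
import re

PLACEHOLDER = re.compile(r'\{\{(\w+)\}\}')
SAFE_SCHEMES = {'http', 'https', 'mailto'}  # assumed whitelist of URL schemes
NUMBER = re.compile(r'-?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?')

def escape_html(s):  # HTML text and quoted HTML attribute values
    return (s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
             .replace('"', '&quot;').replace("'", '&#39;'))
def escape_url_attr(s):  # href/src: refuse schemes outside the whitelist, then HTML-escape
    # Browsers ignore ASCII controls inside a URL, so "java\tscript:" must be checked as "javascript:".
    m = re.match(r'([a-z][a-z0-9+.-]*):', re.sub(r'[\x00-\x20]', '', s).lower())
    return '#' if m and m.group(1) not in SAFE_SCHEMES else escape_html(s)
def escape_css(s):  # style="...": drop anything that could open url(), expression(), a string or a declaration
    return re.sub(r'[^A-Za-z0-9 _.,!#%-]', '', s)  # character class assumed for this example
def escape_js_number(s):  # unquoted Javascript value: a numeric literal passes, anything else becomes null
    return s.strip() if NUMBER.fullmatch(s.strip()) else 'null'
def escape_js_string(s):  # inside a Javascript string literal: hex-escape all but alphanumerics and space
    return ''.join(c if c.isalnum() or c == ' ' else
                   ('\\x%02x' if ord(c) < 256 else '\\u%04x') % ord(c) for c in s)

ESCAPERS = {'html_text': escape_html, 'html_attr': escape_html, 'url_attr': escape_url_attr,
            'css_attr': escape_css, 'js_code': escape_js_number, 'js_string': escape_js_string}

class HtmlJsContext:  # streaming, no-lookahead tracker of the HTML/JS context at the output point
    def __init__(self):
        self.state, self.attr, self.quote, self.buf, self.prev = 'text', '', '', '', ''
    def feed(self, chunk):
        for ch in chunk:
            self._step(ch)
            self.prev = ch
    def _step(self, ch):
        s = self.state
        if s == 'text':
            if ch == '<':
                self.state, self.buf = 'tag', ''
        elif s == 'tag':  # buf holds the tag seen so far, e.g. 'a href='
            if ch == '>':
                m = re.match(r'<?(/?)(\w*)', self.buf)
                opens_script = m.group(2).lower() == 'script' and not m.group(1)
                self.state, self.buf = ('script' if opens_script else 'text'), ''
            elif ch in '"\'' and (m := re.search(r'([\w-]+)\s*=\s*$', self.buf)):
                self.attr, self.quote, self.state = m.group(1).lower(), ch, 'attr_value'
            else:
                self.buf += ch  # unquoted values stay part of the tag: an unsupported context
        elif s == 'attr_value':
            if ch == self.quote:
                self.state, self.buf = 'tag', self.buf + ch
        elif s == 'script':
            if ch in '"\'':
                self.state, self.quote = 'js_string', ch
            elif ch == '/' and self.prev == '/':
                self.state = 'js_comment'
            elif '</script'.startswith((self.buf + ch).lower()):
                self.buf += ch
                if len(self.buf) == 8:  # saw '</script'; the tag state consumes the '>'
                    self.state = 'tag'
            else:
                self.buf = ''
        elif s == 'js_string':
            if ch == self.quote and self.prev != '\\':
                self.state = 'script'
        elif s == 'js_comment' and ch == '\n':
            self.state = 'script'
    def context(self):  # escaping context at the current point, or 'unsupported'
        if self.state == 'attr_value' and not self.attr.startswith('on'):  # on*: JS-in-attribute, not handled here
            return ('url_attr' if self.attr in ('href', 'src', 'action') else
                    'css_attr' if self.attr == 'style' else 'html_attr')
        return {'text': 'html_text', 'script': 'js_code', 'js_string': 'js_string'}.get(self.state, 'unsupported')

def render(template, values, safe=()):
    # Expand {{NAME}}, escaping each value for the context reported at that point;
    # names in `safe` are emitted verbatim (the trusted-markup escape hatch).
    ctx, out, pos = HtmlJsContext(), [], 0
    for m in PLACEHOLDER.finditer(template):
        literal, name = template[pos:m.start()], m.group(1)
        ctx.feed(literal)
        kind = 'safe' if name in safe else ctx.context()
        if kind == 'unsupported':
            raise ValueError('%s: no escaper for context %r' % (name, ctx.state))
        out.append(literal + (str(values[name]) if kind == 'safe' else ESCAPERS[kind](str(values[name]))))
        pos = m.end()
    return ''.join(out) + template[pos:]

TEMPLATE = """<body>
<span style="color:{{USER_COLOR}};">
Hello {{USERNAME}}, view your <a href="{{USER_ACCOUNT_URL}}">Account</a>.
</span>
<script>
var id = {{USER_ID}};
// some code using id, say:
// alert("Your user ID is: " + id);
</script>
</body>"""

HOSTILE = {  # constructed attacker-controlled values, one per context
    'USER_COLOR': 'red;background:url(javascript:alert(1))',
    'USERNAME': '<script>alert(1)</script>',
    'USER_ACCOUNT_URL': 'java\tscript:alert(document.cookie)',
    'USER_ID': '1; alert(document.cookie)'}
```

`render(TEMPLATE, HOSTILE)` turns the CSS payload into `color:redbackgroundurljavascriptalert1;`, the user name into `&lt;script&gt;alert(1)&lt;/script&gt;`, the tab-obfuscated `javascript:` link into `href="#"`, and the id into `var id = null;`, with no per-variable work in the template. The simplifications a real deployment must not make: the tracker does not understand `<!-- -->` comments, Javascript regex literals, or `</script>` inside a Javascript string or comment (browsers end the script element there regardless), and the CSS and number escapers are character-class filters rather than a full treatment of the CSS and Javascript grammars.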
Current Status
Auto-Escape has been released with the C++ Google Ctemplate for a while now and it continues to develop there. You can read more about it in the Guide to using Auto-Escape. We also implemented Auto-Escape for the ClearSilver template system and expect it to be released in the near future. Lastly, we are in the process of integrating it into other template systems developed at Google for Java and Python and are interested in working with a few other open source template systems that may benefit from this logic. Our HTML/Javascript parser is already available with the Google Ctemplate distribution and is expected to be released as a stand-alone open source project very soon.
Co-developers: Filipe Almeida and Mugdha Bendre

March 27th, 2009 — Docs
Yesterday, a researcher publicly reported some concerns with Google Docs. At Google, we treat the privacy and integrity of our users’ data with the highest priority. We quickly investigated, and we believe that these concerns do not pose a significant security risk to our users. If you want the details, read on…
The first concern that the researcher raised is that an image embedded in a document is not deleted when a document is deleted. Images are maintained because removing them would break image references in users’ other Google documents and external blogs. In addition, image URLs are known only to users who have at some point had access to the document the image is embedded in, and could therefore have saved the image anyway (which is fully expected). You can always contact support to purge images from your account.
The second concern that the researcher raised is that viewers may be able to see revisions of drawings that are included in a document, using the new “Insert Drawing” feature. The ability for document collaborators to view revision history is a feature built into Docs. The ability to view past versions of the drawings is limited to authorized persons who have been given explicit access to the document with the embedded drawing. We may consider explicitly preventing viewers from accessing drawing revisions. For now, if document owners decide they don’t want viewers to have access to their revisions, they can simply make a new copy of the document (from the File menu) and share that new version. The revision history of both the document and all embedded drawings is removed in copies of documents.
The final concern that the researcher raised is that users removed from documents can, in a specific case, regain access to them. The specific case is related to the use of a feature which allows document invitations to be forwarded to more than one person. That feature was provided in response to user requests for “invitation forwarding” and sharing documents with email lists. Invitations sent using this feature contain a special key on the document link. This feature can be disabled at any time to expire previously distributed invitations which contain that special key. To do this, simply disable this feature by unchecking it (in documents and presentations, it’s called “invitations may be used by anyone” and in spreadsheets it’s “editors can share this item”).
We have begun adding more documentation in the Help Center here and here to describe in more detail the functions related to each concern. We are also exploring alternative design options that might further address the concerns.
We’d like to thank the researcher for sharing his concerns with us. We always welcome your feedback on our products, and thank you for your continued support.
[Update 3/28/09: I failed to mention the researcher's name in the original post. His name is Ade Barkah]
Posted by: Jonathan Rochelle, Product Manager, Google Docs

March 27th, 2009 — Chrome
We recently posted some handy tips for webmasters and web developers on how to help make their sites look great in Google Chrome.
If you work on web sites, you’ll want to take a look at the post and give your site a run through with Google Chrome. If you’re interested in more information, check out our support resources for webmasters or the Google Chrome webmaster forum.
We’re constantly working to improve website compatibility, but we’d love your help! If you run across compatibility bugs while testing your site in Google Chrome, please let us know.
Posted by Glenn Wilson, Product Manager

March 26th, 2009 — Security
Posted by Eric Sachs, Senior Product Manager, Google Security
Google’s participation in the Internet Identity Workshop (IIW) has grown from a few lone individuals at its founding in 2005 to fifteen Googlers at the last IIW. The reason for this growth is that as Google has started to provide more APIs and developer tools for our application hosting business, we have found that standards and interoperability for identity and security on the Internet are critical. Our engineers attend to discuss standards such as OAuth, OpenSocial, SAML and Portable Contacts, as well as longer term trends around discovery, malware, phishing, and stronger authentication. Another major topic is the usability of these technologies, which we summarized in a blog post after the last IIW.
We hope that other companies and individuals working in these areas will register to attend IIW 2009a and start building momentum for another great event. If you attended either the Facebook hosted UX summit in Feb 2009 or the Yahoo hosted UX summit in Oct 2008, you can join in further discussions on those topics at the upcoming IIW.
Google attendees: Dirk Balfanz, Nathan Beach, Breno de Medeiros, Cassie Doll, Brian Eaton, Ben Laurie, Kevin Marks, John Panzer, Eric Sachs, and more to come

March 25th, 2009 — Docs
I’m excited to tell you about Insert Drawing, a new feature we’ve added to Google Docs. Now you can create and insert rich, colorful drawings into documents, presentations and spreadsheets, to illustrate your ideas or just for fun.
It’s easy to create drawings using lines, free hand scribbles, text labels and a large choice of shapes that you can move, resize, rotate and adjust. Group, order, align and distribute and other features are available when you select objects you’ve drawn. You can also customize a range of shape properties, from line widths to fill color, and from arrowheads to font size, and much more. If you change your mind, there is undo and redo. You can collaborate with a friend or colleague on a drawing, or work alone, just as you can in Google Docs today.
The team and technology behind Insert Drawing originally came from the startup Tonic Systems, which Google acquired in 2007. The drawing feature that we’ve built relies heavily on a relatively new capability in browsers: the ability to render vector graphics. We use the SVG (scalable vector graphics) standard to accomplish this in most browsers and VML (vector markup language) where SVG is not available. Only recently has the performance and ubiquity of such technology enabled us to deliver what we hope is a delightful feature. As browsers continue to improve, we can deliver more and more useful cloud-based functionality.
As with any new feature, we’ll be adding new capabilities over time. But even though we have our own to-do list, we’d love to hear about how you think we could improve drawings. You’ll find Drawing within the Insert menu, so try it out and tell us what you think in our Help Forum.
Posted by: Tony Glenning, Drawings Team Lead

March 25th, 2009 — Mac
Guest post by Tom Saxton, Idle Loop Software Design
In September, my small software company shipped our first iPhone app, a grocery list program called Grocophile. One of the most common requests from our users was the ability to exchange data over the Internet. Greg Robbins of Google’s Mac team suggested that the Google Docs API might be useful, so I jumped in and took a look.
This turned out to be a great way to give our users access to free Internet storage, letting them back up their data and share it across multiple devices. To return the favor, I’d like to share my experience: the learning process, getting the code working on the iPhone, and how I found what I needed from what Google generously provides.
Greg helped me get started by pointing out some online resources. I started with the Objective-C library’s overview slideshow. Then I read the Objective-C client introduction, which explains how to get the Google Data APIs library into an iPhone Xcode project. Finally, I downloaded the library sources.
There’s a sample app that you’ll get with the sources that shows how to talk to Google Docs. The file of interest is DocsSampleWindowController. Start by looking at the two methods “uploadFileAtPath:” and “saveSelectedDocumentToPath:”, as those demonstrate how to upload and download files, respectively.
The code is part of a Mac OS X Cocoa app, so it has some Mac-specific code intermingled with the GData code. To bring it into an iPhone project, I trimmed out the Mac user interface stuff, and defined a class and a protocol to create code that should work from any Mac or iPhone application.
The library requires several steps to upload or download a file. First, you create a service object that encodes the user agent that identifies your application, along with the username and password for the account you want to access. Then use that object to request a document list feed, which is the list of documents in the user’s account.
Retrieving the document list feed both validates the account credentials and captures information you’ll need to either upload or download files. The feed contains the URL for downloading each document. To download, you can use any http call such as NSURLConnection or the library’s GDataHTTPFetcher. The feed also has the URL for uploading new document entries.
The networking operations are asynchronous, so my encapsulating object has methods for starting an upload or download, then uses an Objective-C protocol to inform the controlling object of the progress and status at completion.
I’ve been calling these document objects files, but Google Docs isn’t a file system. It’s much more like a web publishing system: a collection of objects with associated metadata including title, creation and modification dates, and so on.
The first difference from a file system that I encountered is that you can have multiple different files with the same name. So, if you just upload a new version of a file the same way you uploaded it the first time, you’ll get a second document with that same name. To avoid that, search for the document entry with the title that you want to upload to. You can then request an update operation instead of an insert.
The second issue I discovered is that much like when you post to a blog, what you upload can get transformed to match the type of document that is holding the data. When you download the same object, you get something different than what you uploaded. For example, I uploaded a plain text document (specified by MIME type “text/plain”), but when I downloaded that same object I found the text wrapped in a bunch of HTML that makes it display well on the Google Docs web page. Our app’s files are UTF-8 XML files created by NSKeyedArchiver. Google Docs fails if you try to specify a MIME type of “text/xml” and totally mangles the document contents if you specify “text/plain”. That is not a big surprise because there’s not currently a way to specify that the text is encoded UTF-8, and the content gets stuffed into an XML file for the journey to the server.
I solved this issue by converting my files into a plain ASCII encoding, wrapping that in HTML which explains that the file our users see in the Google Docs web page is a Grocophile data file and isn’t user editable, and uploading that as “text/html”. When I download this file, the HTML does pick up a bunch of Google additions, but it’s a simple matter to scan the file to find my encoded document contents.
Different apps will have different needs for storing their documents. If your app can store and retrieve its data in text, HTML or a spreadsheet, then Google Docs will work well for you. Grocophile’s data is basically a relational database with a series of tables and joins keyed off of UUIDs. I could represent the data in text, but it would be fragile and not appropriate for end-user editing. Even though our data won’t be editable within Google Docs, there’s still plenty of value in being able to back up, restore and merge data sets from Grocophile.
To help out other Mac and iPhone developers, I’ve published my code for using the library in an iPhone application as an open source project. If you have any questions, or suggestions for improvement, please contact me at idleloop.com.

March 25th, 2009 — Custom Search
Posted by: Radu Cornea, Software Engineer and Kevin Godzilla Lim, Technical Writer
As you might have read on the Official Google Blog today, Google is launching Google Services for Websites, a new program that lets partners offer Google services — including Custom Search, Site Search, Webmaster Tools, and AdSense — to their users.
Partners, such as hosting providers and blogging platforms, can integrate these services into their own management consoles, making the services easily accessible to their users. Google Services for Websites allows partners to create Google accounts, submit Sitemaps to Webmaster Tools, configure Custom Search, and provision new AdSense accounts on behalf of customers. Additionally, partners are eligible for referral fees for certain services.
Once Google Services for Websites has been integrated into the control panel, users can configure their Google services in minutes. These services can help increase website traffic, provide site search, and monetize website content. In fact, a number of web hosting providers have already integrated these services into their offerings.
Furthermore, all of these services are designed to complement and enhance one another. For example, Sitemaps submitted to Webmaster Tools not only improve the discoverability of websites on Google search, but also improve coverage and freshness in the Custom Search index. AdSense accounts can also be associated with search, which lets website owners earn revenues from relevant ads displayed alongside search results.
To learn more about integrating Google Services for Websites with your services, read the Google Services for Websites program overview.

March 25th, 2009 — Docs
I’m Canadian. And although I’ve lived and worked here in the U.S. quite some time now, the Canadian spellings of certain words still often slip into my documents. Favourite, colour, neighbour, centre, etc. — you get the idea. This week, we’ve added a new find and replace toolbar (for documents) which will make it easier for me to catch those Canadian spellings when I’m writing for an American audience.
If you want to locate a word or phrase in your document, it’s as easy as choosing “Find & Replace” in the “Edit” menu, or hitting Ctrl+F.
Then type the text you want to find, and click Find Next (or press Ctrl+G). If it appears more than once in your document, you can click Find Next again to select the next occurrence.
If you want to change some or all of the occurrences in your document, just type the replacement text in the second box. Click the Replace button to change a selected occurrence to the replacement text, or click Replace All to change all the occurrences in your document in one shot.
Find and Replace also supports additional options for controlling the search, which you can see by clicking the arrow next to the search box, such as case-sensitive matching and regular expressions. Find out more about this feature in this help center article.
Pretty useful tool, eh?
Posted by: Vivian Leung, Product Marketing Manager (and proud Canuck)

March 20th, 2009 — Voice
Among the GrandCentral features that we have carried over to Google Voice, is the ability to tag a caller as spam. This means that future calls from that number will not ring your phones, will not be in your messages when you check voicemails from your phone, but will end up in a Spam folder that you can check whenever you feel like it, similar to your Gmail spam filter. Tagging a caller as spam only affects your account and is not shared with other users.
One of the lesser known features of the Phone Spam filter is that we also collect numbers from reported (and confirmed) Phone spammers to block them for the benefit of all our users (we call it Craig’s list internally since Craig came up with that idea). These are not individual pranksters reported by individual users, but automated dialers that call thousands of numbers every day.
Phone Spam is something most of us wish we had never experienced (those of you who have not yet received your “second notice that the factory warranty on your vehicle is expiring”, count yourself lucky), but it is unfortunately a growing trend.
The Phone Spam list has also carried over to Google Voice and data shows its growing usefulness: we are blocking tens of thousands of calls on a daily basis, and that number is growing daily. Although we can’t promise you won’t get reminded about your factory warranty, we’ll do what we can to help you avoid it…
Posted by Vincent Paquet

March 20th, 2009 — Sites
Gadgets allow you to easily add dynamic content to your Google Sites web pages, and are available from the “Insert” menu when you are editing a page. Some of the more basic gadgets, like the “Recent posts” or “Recent files” gadgets give you a quick view from a central location of content being updated on other pages. Gadgets can be tools like a clock or to-do list, informative like recent news headlines or stock quotes, or even fun games or a virtual aquarium. Clicking on the “More…” option in the “Insert” menu brings up a directory of gadgets that you can check out and try on your pages. If you want to get started building your own gadgets, check out the Gadget Developers Guide.
We have also made some improvements to the way gadgets work for users of the Premier Edition of Google Apps:
- Gadgets can be made to be private to a specific domain.
- Gadgets will match the security and encryption level of the site.
- There is a new start page template that lets each user personalize the gadgets that are displayed specifically for them.
Please check out our post on the Google Enterprise blog for more information on these updates.

Posted by Jeffrey Harris, Associate Product Manager
