It's always a pleasure when Arthur the online security guy at York drops by for a cup of tea. Today he pointed out, kind of him to bother really, that....
When you run an AppsScript in a Google Spreadsheet, it is run by the ActiveUser, i.e. the person that is logged in and working with the spreadsheet. In order to run the AppsScript, which edits the spreadsheet, you need Edit permission on that spreadsheet.
Stay with me.
Because you've got Edit permission on the spreadsheet, the container for the AppsScript, you've also got Edit permission on the AppsScript. That means, that you ( the ActiveUser ) can edit the script to say... get a copy of all my Documents ( assignments etc ) and upload them to a homework cheating site over here... and do it from your actual email address. It could send rude messages from you, the ActiveUser.
AAAAAARGHHHHH!
It's a massive security hole.
You could lock down the spreadsheet so that users can't edit the cells, and give them View access, but if you do that, then any menus ( which load the interface that makes changes ) don't load and so you don't get to be able to add data by proxy as it were.
If this route, of selectively locking bits of the file, were at all possible, my old method of using a Task Queue that ran once a minute would mean that all the permissions, rather than being about the ActiveUser, would be tied to what's called the EffectiveUser ( the person who wrote the code and started the triggers that call the code ).
Hang on, even I'm losing it now.
At this point, I thought... hang on... I can put MOST of the code into a standalone script library. In this way the ActiveUser would only be able to edit the code that displays the user interface. Oh. Still not right, because at that point naughty hacker could add anything they want.
And you see there is the problem. In order to do anything with this spreadsheet we're both looking at, you pretty much have to give people access to Read/Write all spreadsheets. Regardless of how innocuous the thing you are trying to do, the ActiveUser will be presented with an authentication dialog that looks like this...
And it says, "Only authorize the script if you truly trust the author".... Truly trust? Truly? Madly? Deeply? I don't even truly trust myself... how can I make a decision on that?
So basically, my dreams of an organisation creating and sharing solutions only work, if by sharing you mean...
You can take a copy of this data for yourself, and run the scripts on what is now your data
... what this doesn't mean is that...
We can work on the same data, using shared code and do anything useful with it.
All I wanted, he sighed wistfully, was to be able to collaboratively fill in a spreadsheet, using a slightly better interface than the formula bar, but in order to do that the ActiveUser ( for those still paying attention, that's YOU! ) has to click a dialog that says you truly trust me, with all your data, email, calendars etc.
It's not going to happen is it?
In this case, it would be easily fixable if I could make the Scripts in a spreadsheet have the permission for you to run ( and maybe even read ) them but not to be able to edit them. Or maybe I could say that I only want to edit THIS spreadsheet, and not have write access to ALL YOUR SPREADSHEETS!
As ever, permissions come to bite us in the arse. Ouch.
p.s. I wonder what the hell Google are thinking with regard to all the AppsScripts/WebApps like these that are appearing in the Chrome AppStore, which seem to also have a "truly trust" dialog in them, and none of which I have yet dared to run. Would you?
p.p.s. Arthur's "solution" is to write the whole thing as a standalone web app, but, from a philosophical point of view, I wanted to create solutions that other people could take and evolve to suit their needs. And also, writing a web app is quite hard.
"Because you've got Edit permission on the spreadsheet, the container for the AppsScript, you've also got Edit permission on the AppsScript. That means, that you ( the ActiveUser ) can edit the script to say... get a copy of all my Documents ( assignments etc ) and upload them to a homework cheating site over here... and do it from your actual email address. It could send rude messages from you, the ActiveUser."
Not entirely true. Yes, if you gave me edit permission to a spreadsheet then I can also edit the script. When the script is run by me I become the active user, so I'll see a prompt to authorise connection to, for example, access my gmail. If I edit the script so that the next time you ran it, it dumped all your email somewhere else, then when you run it again it'll ask you to re-authenticate.
Webapps are a different matter and you are right to be cautious
Martin
Yes, it means you can fiddle with the script, and the NEXT PERSON has to authenticate again.
And whilst the likelihood of this is very low, these are students... :-) It's going to happen.
It makes me think that NO AppsScript app is anything anyone should be running, unless Arthur has carefully reviewed and approved the code.
I shared some additional thoughts on Google+ about this, which I thought worth sharing here:
"This issue stems from changes Google made in June in the way permission sharing is handled in Google Spreadsheets. Previously when you added an editor to a spreadsheet the script was by default locked with view only unless the owner also separately gave permission. Now Google use container inheritance[1] so an editor of a spreadsheet also automatically becomes editor of the script; furthermore there is no way to make someone an editor of a spreadsheet and viewer of the script."
[1] https://developers.google.com/apps-script/collaborating#sharingProject
Have you opened this as a ticket on the issue tracker?