From 666402c2a9dbc5d20014ef22305653bedb7e664c Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Fri, 7 Feb 2025 21:18:37 +0800 Subject: [PATCH 1/2] docs: add more info about contact point regarding security concerns, #77 --- docs/pages/announcements/firebase-storage-2024.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/pages/announcements/firebase-storage-2024.mdx b/docs/pages/announcements/firebase-storage-2024.mdx index bff139b0..086edd85 100644 --- a/docs/pages/announcements/firebase-storage-2024.mdx +++ b/docs/pages/announcements/firebase-storage-2024.mdx @@ -133,7 +133,11 @@ _All Firebase components service usage (including those not used by ACAP) will o
-Yes. Some of the latest core deliverables implemented for ACAP in its [2.0](/changelog/#version-2-acap-20) version **introduced security flaws** not present in the initial ([1.0](/changelog/#version-1-acap-10)) version, which had strictly followed [security guidelines](/security) and adhered to best practices in web development security, effectively preventing these issues. Based on the following criteria, the new security flaws introduced in version 2.0 resulted in a **60% reduction in the established security from version 1.0**. +Yes. Some of the latest core deliverables implemented for ACAP in its [2.0](/changelog/#version-2-acap-20) version [**introduced security flaws**](/changelog#acap-2-security-debts) not present in the initial ([1.0](/changelog/#version-1-acap-10)) version, which had strictly followed [security guidelines](/security) and adhered to best practices in web development security, effectively preventing these issues. Based on the following criteria, the new security flaws introduced in version 2.0 resulted in a **60% reduction in the established security from version 1.0**. + + +> "With ACAP 2.0+, the new main code Maintainer introduced a more flexible Firestore database approach to speed up feature development and make iteration easier. This shift allowed direct Firestore writes from the front end and loosened some security rules, which helped with efficiency but also introduced security risks that weren’t present in version 1.0. The same Maintainer is aware of these trade-offs and is the best point of contact for security improvements, as they have the most insight into the changes and potential fixes." + | Criteria | Purpose | ACAP [1.0](/changelog/#version-1-acap-10) | ACAP [2.0](/changelog/#version-2-acap-20) | | --- | --- | :---: | :---: | From eb8049a564cd98c57b4a5fc5db45945df9375df0 Mon Sep 17 00:00:00 2001 
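Review bot: the added blockquote is written as quoted speech (opening and closing quotation marks inside a `>` block) but names no speaker or source, so a reader cannot tell whether this is the Maintainer's own statement or the docs author's characterization of the Maintainer's position; attribute it (role and where it was said) or drop the quotation marks and state it as plain prose. Also, the new link `[**introduced security flaws**](/changelog#acap-2-security-debts)` omits the trailing slash that every other changelog link in this hunk uses (`/changelog/#version-2-acap-20`, `/changelog/#version-1-acap-10`) and that the existing `[ACAP Security Technical Debts](/changelog/#acap-2-security-debts)` link later in the same file uses; make it `/changelog/#acap-2-security-debts` so the anchor resolves the same way everywhere.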
From: acaptutorials Date: Fri, 7 Feb 2025 21:42:44 +0800 Subject: [PATCH 2/2] docs: add more info about contact point regarding security concerns, #77 * chore: mention parent acap gh issues list --- docs/pages/announcements/firebase-storage-2024.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/pages/announcements/firebase-storage-2024.mdx b/docs/pages/announcements/firebase-storage-2024.mdx index 086edd85..2d39e348 100644 --- a/docs/pages/announcements/firebase-storage-2024.mdx +++ b/docs/pages/announcements/firebase-storage-2024.mdx 
@@ -136,12 +136,12 @@ _All Firebase components service usage (including those not used by ACAP) will o Yes. Some of the latest core deliverables implemented for ACAP in its [2.0](/changelog/#version-2-acap-20) version [**introduced security flaws**](/changelog#acap-2-security-debts) not present in the initial ([1.0](/changelog/#version-1-acap-10)) version, which had strictly followed [security guidelines](/security) and adhered to best practices in web development security, effectively preventing these issues. Based on the following criteria, the new security flaws introduced in version 2.0 resulted in a **60% reduction in the established security from version 1.0**. -> "With ACAP 2.0+, the new main code Maintainer introduced a more flexible Firestore database approach to speed up feature development and make iteration easier. This shift allowed direct Firestore writes from the front end and loosened some security rules, which helped with efficiency but also introduced security risks that weren’t present in version 1.0. The same Maintainer is aware of these trade-offs and is the best point of contact for security improvements, as they have the most insight into the changes and potential fixes." +> "With ACAP 2.0+, the new main code Maintainer introduced a more flexible Firestore database approach to speed up development. While this improved iteration speed, it also loosened security rules, introducing concerns not present in version 1.0. The same Maintainer is aware of these trade-offs and is the best point of contact for security improvements, as they have the most insight into the changes and potential fixes". 
| Criteria | Purpose | ACAP [1.0](/changelog/#version-1-acap-10) | ACAP [2.0](/changelog/#version-2-acap-20) | | --- | --- | :---: | :---: | -| User authentication | Authorized, allowed, and predictable operations access to resources | ✅ | ✅ | +| User authentication | Authorized, allowed, and predictable operations access to resources | ✅ | ✅ | | Cross-Site Scripting (XSS) Protection | Predictable billing, reliable/authentic website information, user information confidentiality, predictable data manipulation / SMS sending, protection for unvalidated writes that allow tampering with stored data, impacting system reliability, protection for injecting malicious scripts that steal user info or redirect users to phishing sites (and protection for other uncontrolled scenarios that stem from XSS) | ✅ | ❌ | | Cloud storage protection | Authorized, allowed, and predictable operations access to storage, predictable billing | ✅ | ✅ | | Database integrity | Accuracy, consistency, and reliability of data stored in a database and presented to users | ✅ | ❌ | 
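Review bot: in the @@ -136 hunk the rewritten quote drops the one concrete mechanism the first version carried, that 2.0 "allowed direct Firestore writes from the front end"; the replacement only says rules were "loosened", which no longer explains why the table below marks XSS protection and database integrity as ❌ or why the later checklist item says to "restrict direct database writes". Keep the mechanism in the quote, e.g. "...it also loosened Firestore security rules to allow direct writes from the front end, introducing concerns not present in version 1.0." The `| User authentication |` table row is also removed and re-added with no visible textual difference, which is usually a trailing-whitespace or non-breaking-space edit; either drop the no-op change or say in the commit message what was fixed. Minor: the closing punctuation moved from `fixes."` to `fixes".`; keep the period inside the quotation mark as the previous version had it.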
@@ -187,7 +187,7 @@ Before activating a paid Firebase subscription, consider whether unresolved [ACA ``` For more details, see [ACAP Security Technical Debts](/changelog/#acap-2-security-debts). -If these issues with specific information (available at [[1]](https://github.com/amia-cis/acap-v2/issues/57) and [[2]](https://github.com/amia-cis/acap-v2/issues/34)) remain unaddressed, it may be beneficial to consult the lead ACAP programmer responsible for designing and implementing [ACAP 2.0](/changelog/#version-2-acap-20) before activating a paid Firebase subscription. +If these issues with specific information (available at the (private) parent **acap-v2** GitHub Repository Issues list [[1]](https://github.com/amia-cis/acap-v2/issues/57) and [[2]](https://github.com/amia-cis/acap-v2/issues/34)) remain unaddressed, it may be beneficial to consult the new ACAP Maintainer who is also the lead ACAP programmer responsible for designing and implementing [ACAP 2.0](/changelog/#version-2-acap-20) before activating a paid Firebase subscription. Key topics to discuss include: @@ -199,7 +199,7 @@ Key topics to discuss include: - **Review the Firestore security rules** to restrict direct database writes. - **Check for XSS vulnerabilities** in crop recommendations and apply sanitization. - **Monitor database writes** for unstructured or excessive storage. -- **Consult the lead ACAP programmer responsible for implementing the core [version 2.0+](/changelog/#version-2-acap-20)** deliverables for current mitigation strategies and planned fixes. +- **Consult the new ACAP Maintainer who is also the lead ACAP programmer responsible for implementing the core [version 2.0+](/changelog/#version-2-acap-20)** deliverables for current mitigation strategies and planned fixes.
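Review bot: in the @@ -187 hunk, the new sentence links to issues in a repository it itself labels "(private)", so readers of the published docs who follow [[1]](https://github.com/amia-cis/acap-v2/issues/57) and [[2]](https://github.com/amia-cis/acap-v2/issues/34) will hit a 404 or a login wall with no way to learn what the issues contain; either summarize each issue inline (the table above already names the two affected areas, XSS protection and database integrity) or state who to request repository access from. The phrase "the new ACAP Maintainer who is also the lead ACAP programmer responsible for designing and implementing [ACAP 2.0]" is also long for a sentence that already has a parenthetical and two links; since the page quotes that person just above, a shorter role name such as "the ACAP 2.0 Maintainer" would read better.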
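Review bot: in the @@ -199 hunk, the last checklist bullet repeats verbatim the "new ACAP Maintainer who is also the lead ACAP programmer responsible for implementing the core [version 2.0+]" wording introduced in the hunk just before it; define the role once in the prose and reuse a short name in the bullet so the list stays scannable. The bullet also ends at "current mitigation strategies and planned fixes" with nothing to track that outcome against; if the parent acap-v2 issues cited above are the tracker for these items, reference them from the bullet as well so the checklist and the issue list stay in sync.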