From 89af5b6a4c3992ea35066e763f8cc44afd4cfacc Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Sat, 15 Feb 2025 19:39:09 +0800 Subject: [PATCH 1/3] docs: add acap 1.0 and 2.0 glossary of terms --- docs/pages/changelog.mdx | 24 ++++++++++++++++++++---- docs/pages/index.mdx | 4 +++- docs/pages/security.mdx | 2 +- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/docs/pages/changelog.mdx b/docs/pages/changelog.mdx index 7295fc83..e86dfce8 100644 --- a/docs/pages/changelog.mdx +++ b/docs/pages/changelog.mdx @@ -42,7 +42,19 @@ export function FAQBoxError({ title, children, open = false }) { # ACAP Change Log -This page contains summary of features and enhancements on major ACAP versions and their programming-development timelines. +This page summarizes the features and enhancements of major ACAP versions, extensions, and their programming-development timelines. + +### Glossary of Terms + +- [ACAP 1.0](#version-1-acap-10) serves as the base model of the Agro-Climatic Advisory Portal (ACAP). Initially made for the Bicol region, it provides dynamic features setup support for other regional provinces. It served as the active ACAP version until ACAP 2.0. +- [ACAP 2.0](#version-2-acap-20) and beyond is an extension of the Agro-Climatic Advisory Portal (ACAP), a Climate Information System, expanding, enhancing, and building upon the initial [ACAP 1.0](#version-1-acap-10) version. + > ACAP 2.0 builds upon ACAP 1.0 rather than replacing it. It enhances and expands the original system while maintaining its core foundation. + + +As of July 2024, **ACAP 2.0,** containing new features and upgrades, is the latest ACAP version and is now collectively referred to simply as **"ACAP"** + + +
@@ -62,12 +74,12 @@ Version 2.0 and later versions may have new requirements that will thrive on new
-1. **Flexible Firestore Database Use:** Version 2.0+ adopted a more flexible approach for handling data management, facilitating faster feature development by performing _WRITE operations to the database directly from the web front end_ coupled with more _lenient Firestore database Rules_. However, this shift also introduced the potential for data to enter the database without the usual front-end controls through the [Firestore REST APIs](https://cloud.google.com/firestore/docs/reference/rest/). While this was not an issue in Version 1.0, it emerged as part of the effort to enhance development speed and feature delivery starting with Version 2.0. +1. **Flexible Firestore Database Use:** ACAP version 2.0+ adopted a more flexible approach for handling data management, facilitating faster feature development by performing _WRITE operations to the database directly from the web front end_ coupled with more _lenient Firestore database Rules_. However, this shift also introduced the potential for data to enter the database without the usual front-end controls through the [Firestore REST APIs](https://cloud.google.com/firestore/docs/reference/rest/). While this was not an issue in [Version 1.0](#version-1-acap-10), it emerged as part of the effort to enhance development speed and feature delivery starting with Version 2.0. 2. **Cross-Site Scripting (XSS) Vulnerability in Crop Recommendations:** Related to item 1, the new process for editing WYSIWYG HTML-form crop recommendations input may allow unsafe or inaccurate content due to limited validation through the [Firestore REST APIs](https://cloud.google.com/firestore/docs/reference/rest/). Risks associated with this were recognized early in the process, but the focus on delivering core features led to a delay in integrating security measures. 
- A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 crop recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **version 2.0** due to new development approaches and priorities. + A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 crop recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **[ACAP 2.0](#version-2-acap-20)** due to new development approaches and priorities. For ACAP Maintainers or developers interested in exploring the content, please contact the current active ACAP Maintainer(s) for an invitation to access the video. Engaging with this material can provide insights into the security considerations that have been acknowledged and inform future enhancements to the system's security measures. 
@@ -111,7 +123,7 @@ Version 2.0 and later versions may have new requirements that will thrive on new - Removal of the rainfall condition trigger 2. Public/admin 10-day recommendations and bulletin PDF generation - Removal of the single-date selection trigger within the active PAGASA 10-day date range for determining the crop stage/s -3. Deprecation of the **uploaders** group of Node Package Manager (NPM) scripts in favor of cropping calendar/recommendations Excel file upload through the UI +3. Deprecation of the data uploaders group of Node Package Manager **(NPM) scripts** [[1]](/post-installation/cropping-calendar/calendar-v1/), [[2]](/post-installation/recommendations/recommendations-v1/) in favor of cropping calendar/recommendations Excel **file upload through the UI** [[3]](/post-installation/cropping-calendar/calendar-v2/), [[4]](/post-installation/recommendations/recommendations-v2/) 4. Allow creating seasonal bulletin PDFs with more than one (1) page. 5. Text blast recipients by province/municipality instead of individual selection @@ -207,4 +219,8 @@ _June 2023 onwards_
+ +All ACAP 1.0 features, updates, and follow-up fixes were carried over and inherited by [ACAP 2.0](#version-2-acap-20). + +
diff --git a/docs/pages/index.mdx b/docs/pages/index.mdx index 6326e0ad..36bf9645 100644 --- a/docs/pages/index.mdx +++ b/docs/pages/index.mdx @@ -2,7 +2,9 @@ import { Callout } from 'nextra/components' # Welcome to ACAP Tutorials 🏡 -This site offers a more organized and structured approach to documenting the software development approaches for the Agro-Climatic Advisory Portal - Bicol (ACAP Bicol), initially released as [ACAP 1.0](/changelog/#version-1-acap-10) at the end of 2022 and now enhanced to version [2.0](https://acap-bicol.github.io/) as of 2024. +### Agro-Climatic Advisory Portal (ACAP), a Climate Information System + +This site offers a more organized and structured approach to documenting the software development approaches for the Agro-Climatic Advisory Portal (ACAP), initially released as [ACAP 1.0](/changelog/#version-1-acap-10) (ACAP Bicol) at the end of 2022 and enhanced to version [2.0](https://acap-bicol.github.io/) in 2024. > The Agro-Climatic Advisory Portal (ACAP), a Climate Information Services web application (CIS) co-developed by the [University of the Philippines Los Banos Foundation, Inc.](https://uplbfi.org/) (UPLBFI) and the [Alliance of Bioversity International and CIAT (Alliance)](https://alliancebioversityciat.org/) with the [Department of Agriculture (DA)](https://www.da.gov.ph/) and the [Regional Field Office 5 (RFO 5)](https://bicol.da.gov.ph/) is a digital platform that serves as a centralized hub for the development of Climate Information Services (CIS) in the Bicol Region. It contains relevant weather and climate information to use with tailored advisories and crop recommendations. diff --git a/docs/pages/security.mdx b/docs/pages/security.mdx index f2c5c3ef..de6ec73e 100644 --- a/docs/pages/security.mdx +++ b/docs/pages/security.mdx 
@@ -21,7 +21,7 @@ Please ensure continued compliance with these security standards when extending - A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 crop recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **version 2.0** due to new development approaches and priorities. + A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 crop recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **[ACAP 2.0](/changelog/#version-2-acap-20)** due to new development approaches and priorities. For ACAP Maintainers or developers interested in exploring the content, please contact the current active ACAP Maintainer(s) for an invitation to access the video. Engaging with this material can provide insights into the security considerations that have been acknowledged and inform future enhancements to the system's security measures. From c80c946d4c1e80bb4f10c75a489492f5f6315aed Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Sat, 15 Feb 2025 21:07:07 +0800 Subject: [PATCH 2/3] docs: display file references to firestore/storage rules * docs: display warning about unresolved xss concerns --- docs/pages/changelog.mdx | 2 +- docs/pages/security.mdx | 46 +++++++++++++++++++++++++++++++++------- 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/docs/pages/changelog.mdx b/docs/pages/changelog.mdx index e86dfce8..e737b7a3 100644 --- a/docs/pages/changelog.mdx +++ b/docs/pages/changelog.mdx 
@@ -79,7 +79,7 @@ Version 2.0 and later versions may have new requirements that will thrive on new - A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 crop recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **[ACAP 2.0](#version-2-acap-20)** due to new development approaches and priorities. + A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 Crop Recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **[ACAP 2.0](#version-2-acap-20)** due to new development approaches and priorities. For ACAP Maintainers or developers interested in exploring the content, please contact the current active ACAP Maintainer(s) for an invitation to access the video. Engaging with this material can provide insights into the security considerations that have been acknowledged and inform future enhancements to the system's security measures. diff --git a/docs/pages/security.mdx b/docs/pages/security.mdx index de6ec73e..a4896e8b 100644 --- a/docs/pages/security.mdx +++ b/docs/pages/security.mdx 
@@ -4,9 +4,9 @@ import AnchorModal from '@/components/AnchorModal' # Security Guidelines -ACAP adheres to strict security practices and development patterns defined by its technology stack "_while considering the limited options of its (default) standard-pricing tier cloud services_" starting from its initial [1.0](/changelog/#version-1-acap-10) version. +ACAP adheres to strict security practices and development patterns defined by its technology stack "_while considering compatible options with its limited (default) upgradable standard-pricing cloud services_" starting from its initial [1.0](/changelog/#version-1-acap-10) version. -Please ensure continued compliance with these security standards when extending ACAP to add or enhance new features while actively considering its currently available plans, options, and **features requirements** at hand. +Please ensure continued compliance with these security standards when extending ACAP to add or enhance new features while actively considering its currently available plans, options, and **feature requirements** at hand. **NOTE:** Further enhancements and feature updates to the initial [**ACAP 1.0**](/changelog/#version-1-acap-10) version may introduce new requirements to address additional use cases. Please ensure that security measures meet the expectations outlined in these new requirements. 
@@ -21,13 +21,13 @@ Please ensure continued compliance with these security standards when extending - A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 crop recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **[ACAP 2.0](/changelog/#version-2-acap-20)** due to new development approaches and priorities. + A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 Crop Recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **[ACAP 2.0](/changelog/#version-2-acap-20)** due to new development approaches and priorities. For ACAP Maintainers or developers interested in exploring the content, please contact the current active ACAP Maintainer(s) for an invitation to access the video. Engaging with this material can provide insights into the security considerations that have been acknowledged and inform future enhancements to the system's security measures. - (b) Signed-in users cannot **CREATE** new Firestore collections and documents - - (c) Public users without sign-in authentication cannot **VIEW** sensitive information such as phonebook contacts and email information + - (c) Public users without sign-in authentication cannot **VIEW** sensitive information such as phonebook contacts and email information, by ensuring their Firestore collections are using the correct role/access-based Firestore Security Rules. 2. Ensure that all mutative **"WRITE"** operations in the Firestore database occur only through authenticated HTTPS requests in the backend (NodeJS) REST APIs. 
_(see also [Server](/directories/server) for more information)._ - (a) ACAP 1.0's Firestore Rules strictly prohibits **Database #1.a** and **Database #1.b** to enforce this. 
@@ -38,11 +38,29 @@ Please ensure continued compliance with these security standards when extending 4. Firestore database security relies on properly tested Firestore Rules to ensure security, especially if its rules do not disable all **VIEW/CREATE/EDIT/DELETE** operations. - Please ensure that "new" and robust Firestore Rules are created and thoroughly tested, in case new database components or requirements need to be added to the ACAP 1.0 Firestore database. +### Firestore Database Rules + +ACAP's [Firestore Security Rules](https://firebase.google.com/docs/firestore/security/get-started), which enforces strict role/access-based security to the Firestore database, should be copied to the Firebase project's Firestore Rules tab in the [Firebase Console](https://console.firebase.google.com/u/0/?pli=1). It is located in this file for reference: + +```text copy +/client/src/firestore.rules +``` + + +[ACAP 2.0](/changelog/#version-2-acap-20) allowed "editing" the crop recommendations from the UI through insecure, unvalidated Firestore Security Rules, which poses **Cross-Site Scripting (XSS)** concerns since this also allows editing the WYSIWYG form crop recommendations from Postman (or other clients). This update to the **ACAP in its 2.0** version does not align with the secure practices mentioned under the [Database](/security/#database) section. + +Detailed information about this known issue is available at the parent **acap-v2** repository's GitHub Issues at [[1]](https://github.com/amia-cis/acap-v2/issues/34) and [[2]](https://github.com/amia-cis/acap-v2/issues/57) or in the **Firebase Storage Announcements 2024** - [Are there security concerns I should be aware of?](/announcements/firebase-storage-2024#security-considerations) Section for information and reference. + + ## Sensitive data management -1. Ensure that sensitive data and environment variables are never statically generated and deployed to the GitHub Pages or Firebase Hosting static hosting websites. +1. 
Ensure sensitive data and environment variables are never statically generated and deployed to the GitHub Pages or Firebase Hosting static hosting websites. -2. Sensitive data, secured with Firebase Authentication, Firebase Custom Claims (**User/Admin Accounts #1, #2**) and Firestore Rules (**Database #1.c**) is dynamically fetched from the Firestore Database using the Firestore Web APIs or the secure (NodeJS) REST APIs. +2. Sensitive data, secured with Firebase Authentication, Firebase Custom Claims (**User/Admin Accounts #1, #2**), and Firestore Rules (**Database #1.c**), is dynamically fetched from the Firestore Database using the Firestore Web APIs or the secure (NodeJS) REST APIs. + + + Ensure that Firestore collections containing sensitive data (e.g., `"/phonebook/{docId}"`) are using appropriate role/access-based access settings defined in the **Firestore Security Rules**. This comprises a combination of **Firebase Authentication** and **Firebase Custom Claims**. + ## File Storage 
@@ -51,15 +69,27 @@ Manually test and ensure, using the Firebase Storage Web APIs, that: 1. Public and signed-in users can only "READ" or download the PDF bulletin files. 2. Public and signed-in users cannot UPLOAD or DELETE files. +### Firebase Storage Security Rules + +ACAP's [Firebase Storage Security Rules](https://firebase.google.com/docs/storage/security/) enforce strict security by allowing only authenticated requests in the NodeJS backend to upload (PDF) files to the Firebase Cloud Storage while allowing public data (PDF, images) to download from the frontend. It should be copied to the Firebase project's Storage Rules tab in the [Firebase Console](https://console.firebase.google.com/u/0/?pli=1). It is located in this file for reference: + +```text copy +/client/src/storage.rules +``` + ## Codebase -- Ensure that forked **climate-services-webportal-v1** (ACAP 1.0) or **acap-v2** (ACAP 2.0) monorepo code base or copies remain PRIVATE in GitHub and other public platforms. +- Ensure that forked **climate-services-webportal-v1** ([ACAP 1.0](/changelog/#version-1-acap-10)) or **acap-v2** ([ACAP 2.0](/changelog/#version-2-acap-20)) monorepo code base or copies remain PRIVATE in GitHub and other public platforms. ## User/Admin Accounts 1. Ensure that Admin accounts are created by the superadmin in the NodeJS backend using [Firebase Authentication](https://firebase.google.com/docs/auth/) with [Firebase Custom Claims](https://firebase.google.com/docs/auth/admin/custom-claims), leveraging the [Firebase Admin SDK](https://firebase.google.com/docs/admin/setup) to ensure maximum security. -2. More information about ACAP 1.0's Security requirements are available in its Software Requirements Specifications document available in this [link](https://github.com/amia-cis/acap-v2/blob/dev/docs/acap_1.0_software_requirements_specification_v4.0.pdf) (accessible only for developers with access). +2. 
More information about ACAP's Security requirements is available in its Software Requirements Specifications document in this [link](https://github.com/amia-cis/acap-v2/blob/dev/docs/acap_1.0_software_requirements_specification_v4.0.pdf) (accessible only for developers with access). + + + These Security requirements carry over and apply to **ACAP 2.0**, even if the Software documents were written for **ACAP 1.0**. Since no new Software documents are available for the updates made in ACAP 2.0, you may consult the new lead programmer responsible for implementing ACAP 2.0 about detailed upgrades specifics made to the system. + ## Related From 94c66dc8422eb07ade8e1be44b765ce342e44f8c Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Sat, 15 Feb 2025 21:32:03 +0800 Subject: [PATCH 3/3] docs: update xss warning note --- docs/pages/security.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/pages/security.mdx b/docs/pages/security.mdx index a4896e8b..479ea07c 100644 --- a/docs/pages/security.mdx +++ b/docs/pages/security.mdx 
@@ -47,9 +47,9 @@ ACAP's [Firestore Security Rules](https://firebase.google.com/docs/firestore/sec ``` -[ACAP 2.0](/changelog/#version-2-acap-20) allowed "editing" the crop recommendations from the UI through insecure, unvalidated Firestore Security Rules, which poses **Cross-Site Scripting (XSS)** concerns since this also allows editing the WYSIWYG form crop recommendations from Postman (or other clients). This update to the **ACAP in its 2.0** version does not align with the secure practices mentioned under the [Database](/security/#database) section. +[ACAP 2.0](/changelog/#version-2-acap-20) allowed users to edit crop recommendations, a new feature introduced in **version 2.0** through weak Firestore Security Rules, making it vulnerable to **Cross-Site Scripting (XSS)**. This also lets unauthorized clients (e.g., Postman) modify WYSIWYG form data without protection. These security flaws contradict the best practices outlined in the [Database](#database) section. -Detailed information about this known issue is available at the parent **acap-v2** repository's GitHub Issues at [[1]](https://github.com/amia-cis/acap-v2/issues/34) and [[2]](https://github.com/amia-cis/acap-v2/issues/57) or in the **Firebase Storage Announcements 2024** - [Are there security concerns I should be aware of?](/announcements/firebase-storage-2024#security-considerations) Section for information and reference. +For more details, refer to GitHub Issues in the parent **acap-v2 repository** ([[1]](https://github.com/amia-cis/acap-v2/issues/34), [[2]](https://github.com/amia-cis/acap-v2/issues/57) or check the **Firebase Storage Announcements 2024** under the [Are there security concerns I should be aware of?](/announcements/firebase-storage-2024#security-considerations) section for more information and reference. ## Sensitive data management
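Review bot: in the changelog.mdx glossary hunk (patch 1, @@ -42,7 +42,19), "ACAP 2.0 and beyond is an extension" should be "ACAP 2.0 and later versions are extensions", and the closing sentence "As of July 2024, **ACAP 2.0,** containing new features and upgrades, is the latest ACAP version and is now collectively referred to simply as **"ACAP"**" has the comma inside the bold and no terminating period. Suggest: "As of July 2024, **ACAP 2.0**, containing new features and upgrades, is the latest ACAP version and is now referred to simply as **"ACAP"**." The blockquote under the second bullet repeats the bullet's own sentence ("expanding, enhancing, and building upon" vs "builds upon ... rather than replacing it"); keep one.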
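Review bot: item 2 in the changelog.mdx hunk @@ -62,12 +74,12 (patch 1) describes the XSS exposure in the WYSIWYG crop-recommendations editor but still gives no status or tracking reference, even though the same series adds links to acap-v2 issues #34 and #57 in security.mdx; link those issues here as well so a changelog reader can find the current state. In item 1, the phrase "data to enter the database without the usual front-end controls" is the security point of the whole entry and deserves to be stated plainly: once the Firestore Rules permit direct writes from the web front end, client-side validation is no longer a control, and the checks have to live in the Security Rules or in the backend write path that the security page already requires.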
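Review bot: the "A YouTube video detailing steps for exploiting XSS vulnerabilities ..." paragraph edited in the changelog.mdx @@ -62 hunk (patch 1) is duplicated verbatim in security.mdx, and this series edits both copies in three separate commits (link text in patch 1, "crop recommendations" to "Crop Recommendations" in patch 2), with the anchor written as "#version-2-acap-20" in one file and "/changelog/#version-2-acap-20" in the other. Keep a single copy in security.mdx and link to it from the changelog, and squash the capitalisation-only follow-ups into the commit that introduced the text.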
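Review bot: in the changelog.mdx hunk @@ -111,7 +123,7 (patch 1), the bold is placed on the parenthetical rather than on the term: "the data uploaders group of Node Package Manager **(NPM) scripts**". Suggest "the **data uploaders** group of Node Package Manager (NPM) scripts [[1]] [[2]] in favor of cropping calendar/recommendations Excel **file upload through the UI** [[3]] [[4]]" so the two bolded phrases are the two alternatives being contrasted.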
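Review bot: the index.mdx hunk (patch 1, @@ -2,7 +2,9) adds an H3 ("### Agro-Climatic Advisory Portal (ACAP), a Climate Information System") directly under the H1 with no H2 in between, which skips a heading level in the Nextra table of contents; either make it an H2 or render it as a subtitle line. The same hunk moves "(ACAP Bicol)" from the portal name to "ACAP 1.0"; if the intent is that only version 1.0 carried the "Bicol" name, say so explicitly, since the following blockquote still describes the portal as serving the Bicol Region.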
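Review bot: the security.mdx hunk @@ -4,9 +4,9 (patch 2) replaces the quoted clause with "while considering compatible options with its limited (default) upgradable standard-pricing cloud services", which is harder to read than the original. Suggest plain wording such as "within the limits of its default standard-pricing cloud services tier". The "features requirements" to "feature requirements" fix in the same hunk is correct.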
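Review bot: in the security.mdx hunk @@ -21,13 +21,13 (patch 2), requirement 1(c) now mixes the observable requirement ("Public users without sign-in authentication cannot VIEW sensitive information") with its mechanism ("by ensuring their Firestore collections are using the correct role/access-based Firestore Security Rules"). The list reads as a set of conditions to test manually, so keep 1(c) as the testable statement and put the mechanism in the new "Firestore Database Rules" section this series adds, which already covers it.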
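Review bot: in the new "Firestore Database Rules" section (security.mdx, patch 2, @@ -38,11 +38,29), "which enforces strict role/access-based security" should be "which enforce", and the XSS paragraph attributes the problem to "insecure, unvalidated Firestore Security Rules". Security Rules decide who may write and can constrain a document's shape (field types, string length), but they cannot sanitize HTML, so a rules change alone will not close the XSS concern; the HTML must be sanitized where it is rendered or the write must go through the NodeJS backend as the Database section requires. Suggest the paragraph state which of these ACAP applies, or that neither is applied yet, so the warning is actionable. The instruction to copy `/client/src/firestore.rules` into the Firebase Console tab is a manual step that drifts easily; if the repo has a firebase.json pointing at that file, also mention `firebase deploy --only firestore:rules` so the file in version control stays the source of truth.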
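Review bot: the new "Firebase Storage Security Rules" section (security.mdx, patch 2, @@ -51,15 +69,27) says the rules work "by allowing only authenticated requests in the NodeJS backend to upload (PDF) files". Requests made through the Firebase Admin SDK bypass Security Rules entirely, so no rule clause permits the backend to upload; what the rules do is deny every client write (`allow write: if false;`) and allow public reads, which is exactly what the two manual tests above the section check. Reword so readers do not look for a backend clause in the rules file. Also "It should be copied" should be "They should be copied" (the rules).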
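Review bot: in the rewritten XSS paragraph (security.mdx, patch 3, @@ -47,9 +47,9) the parenthesis opened before "[[1]](https://github.com/amia-cis/acap-v2/issues/34)" is never closed; "([[1]](...), [[2]](https://github.com/amia-cis/acap-v2/issues/57) or check" needs a ")" after the second link. The first sentence also reads as if the feature, not the rules, was "introduced in **version 2.0** through weak Firestore Security Rules"; suggest: "ACAP 2.0 introduced editing of crop recommendations from the UI, but the Firestore Security Rules that permit those writes are weak, so the WYSIWYG HTML can be modified by clients other than the web UI (e.g., Postman) without validation, which exposes readers to Cross-Site Scripting (XSS)." The Database link changed from "/security/#database" to "#database", which is fine for an in-page anchor but inconsistent with the absolute "/changelog/#..." links in the same sentence.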