Re: [galaxy-user] [galaxy-dev] input security validation
Sorry for the cross-posting, but I guess that's also interesting to Galaxy users... I've been thinking about input validation too... only a bit more generally, on a server/production basis. Nate, on your production setup[1] (galaxy main), do you use any kind of filter or framework a la modsecurity[2] to prevent security issues on third party tools ? How do you mitigate those security risks ? [1] http://usegalaxy.org/production [2] http://modsecurity.org/ On 2011-06-23 00:27, Jennifer Jackson wrote:
Hi Russell,
Dan Blankenberg is our ChIP-seq expert and will be able to work with you when he returns from vacation.
Thank you for your patience!
Best,
Jen Galaxy team
On 6/20/11 2:22 PM, Russell Bonneville wrote:
Hello all,
I am Russell, a student working with Dr. Victor Jin at the Dept. of Biomedical Informatics, OSU Medical Center. I am developing a Galaxy wrapper for our ChIP-seq peak-calling program BELT (PMID: 21138948), and I have a question about input validation. Does Galaxy filter for malicious field entries (such as XSS attacks) or is this our wrapper’s responsibility (the MACS wrapper appears to not perform any explicit checks)? Thank you for your time.
Sincerely, Russell Bonneville
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
Roman Valls wrote:
Sorry for the cross-posting, but I guess that's also interesting to Galaxy users...
I've been thinking about input validation too... only a bit more generally, on a server/production basis. Nate, on your production setup[1] (galaxy main), do you use any kind of filter or framework a la modsecurity[2] to prevent security issues on third party tools ? How do you mitigate those security risks ?
Hi Roman, We don't run modsecurity because we don't run Apache, but tools do perform input validation, and parameters are santized of any shell special characters. In addition, tools only have write access to their own datasets and working directory. --nate
[1] http://usegalaxy.org/production [2] http://modsecurity.org/
On 2011-06-23 00:27, Jennifer Jackson wrote:
Hi Russell,
Dan Blankenberg is our ChIP-seq expert and will be able to work with you when he returns from vacation.
Thank you for your patience!
Best,
Jen Galaxy team
On 6/20/11 2:22 PM, Russell Bonneville wrote:
Hello all,
I am Russell, a student working with Dr. Victor Jin at the Dept. of Biomedical Informatics, OSU Medical Center. I am developing a Galaxy wrapper for our ChIP-seq peak-calling program BELT (PMID: 21138948), and I have a question about input validation. Does Galaxy filter for malicious field entries (such as XSS attacks) or is this our wrapper’s responsibility (the MACS wrapper appears to not perform any explicit checks)? Thank you for your time.
Sincerely, Russell Bonneville
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
participants (2)
-
Nate Coraor
-
Roman Valls