Reproduce and fix security issues found earlier
Initial task: #28 (closed)
- Registration with inappropriate symbols #28 (comment 25145)
- Check for and reject scripts submitted in text fields anywhere in the subprojects #28 (comment 25146)
- Check that a user cannot register a fake email. As an example, a user was able to add an email address to Vereign without a real confirmation email being sent from Gmail, by calling the VCL API directly #28 (comment 25235) Ticket #51
- Check that one user cannot retrieve another user's document via the documentGetDocumentByUUID method #28 (comment 25236)
- Check and fix the documentCreateDocument method, where one user can create a document using the passportId of another user #28 (comment 25365)
- Check the methods "entityAddMember", "entityAddMemberOf", "entityRemoveMember", "entityRemoveMemberOf": for what reason do they exist? #28 (comment 25366)
- Increase the time required to brute-force the pincode #28 (comment 25406) Ticket: #42 (closed)
- An attacker can build a site that embeds app.vereign.com in an iframe and obtain user data after the user enters the pincode #50 (closed), see the fix at https://code.vereign.com/code/dashboard/issues/719
- An attacker can inject a malicious iframe into an email and obtain the user's credentials (or act from the user's account) #28 (comment 25405), see the fix at https://code.vereign.com/code/dashboard/issues/719
- Permissions issue in the email, bug: when we send a signing request to somebody, that person should not have access to data that is not shared with them. https://code.vereign.com/code/dashboard/issues/583#note_36742
- Move the VCL library to a separate domain such as https://vcl.app.vereign.com
Edited by Kalin Canov