ZAP snap needs manual review


#1

We’ve just updated our ZAP snap to stable: https://dashboard.snapcraft.io/snaps/zaproxy/revisions/3/
In order for ZAP to work we’ve had to use ‘classic’ confinement.
This is because ZAP creates config files, ZAP session files and reports that the user generates in the user’s local directory.
By default ZAP creates config files under ~/.ZAP but the user is free to change this. The user is also asked where other files that ZAP generates (such as reports) should be saved.
ZAP also allows the user to launch local browsers (such as Firefox and Chrome) set up to proxy via ZAP.
Let me know if there’s anything else you need to know in order to approve this ZAP snap update.


#2

It isn’t clear to me why your snap requires classic confinement. Keep in mind snaps have their $HOME set to a snap-writable area ($SNAP_USER_DATA, i.e., ~/snap/zap/<revision>), as such your snap should work ok, it will just write to ~/snap/zap/<revision>/.ZAP instead of ~/.ZAP. You might need to adjust your application to look at $HOME instead of using getpwent() though. snapd also provides xdg-open which can be used by your application to launch browsers: just use xdg-open https://... and snapd will launch the user’s configured browser on behalf of your application.


#3

OK, so I’ve now got ZAP able to write to the user’s home dir without using classic confinement.
But we can’t use xdg-open to launch the user’s configured browser, that’s not what we are trying to do.
ZAP is a security tool which acts as a man-in-the-middle proxy.
We provide the option to launch any of the user’s installed browsers (Firefox, Chrome etc) with a new profile, configured to proxy through ZAP and set up to ignore the certificate warnings that would result in using ZAP’s root CA certificate.
For more info see https://zaproxy.blogspot.com/2017/08/zap-browser-launch.html


#4

Oh, and just in case people get nervous about the term ‘man-in-the-middle’ - ZAP is a well respected security tool and an OWASP flagship project: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project :slight_smile:


#5

Any update on this?
@jdstrand, anyone else??


#6

Sorry for the delay. Since you are creating profiles for different browsers on the fly, this would require writing to ~/.config, ~/.mozilla, etc as well as ~/snap/{chromium-browser,firefox,brave,etc}. This is not currently supported by strict confinement and therefore the requirements for classic are understood.

@Wimpress, @popey, @Igor, @evan - can one of you take a look at this, vet the publisher, etc?
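
The write rule discussed in posts #2 and #6, as an added example that is not part of any post in this thread and is not ZAP or snapd code: a simplified model (not the real AppArmor policy) in which a strictly confined snap may write only under its own $SNAP_USER_DATA and $SNAP_USER_COMMON. The user name, revision, profile directory names and file names are constructed sample values.

```shell
#!/bin/sh
# Added example: simplified model of the default write rule discussed in the
# thread, not snapd's real AppArmor policy. Sample values are constructed.

# What $HOME becomes inside the snap ($SNAP_USER_DATA).
confined_home() {   # args: real_home snap_name revision
    printf '%s\n' "$1/snap/$2/$3"
}

# Print "allowed" if the path lies inside the snap's own per-user data
# ($SNAP_USER_DATA or $SNAP_USER_COMMON), otherwise "denied".
snap_write_verdict() {   # args: path real_home snap_name revision
    path=$1
    user_data="$2/snap/$3/$4"
    user_common="$2/snap/$3/common"
    case "$path" in
        */../*|*/..) echo denied ;;   # refuse traversal out of the data dir
        "$user_data"|"$user_data"/*|"$user_common"|"$user_common"/*) echo allowed ;;
        *) echo denied ;;
    esac
}

# Constructed sample: user alice, snap "zap", revision 3.
real_home=/home/alice
snap_home=$(confined_home "$real_home" zap 3)
for target in \
    "$snap_home/.ZAP/config.xml" \
    "$real_home/.ZAP/config.xml" \
    "$real_home/.mozilla/firefox/zap-profile" \
    "$real_home/.config/google-chrome/zap-profile" \
    "$real_home/snap/firefox/common/.mozilla/zap-profile"
do
    printf '%-8s %s\n' "$(snap_write_verdict "$target" "$real_home" zap 3)" "$target"
done
```

Only the first target, the config directory under the remapped $HOME, comes back as allowed; the browser profile locations, including another snap's ~/snap directory, are denied.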


#7

Just let me know what you need to know in order to vet us :slight_smile:


#8

How’s the timing of the to-be-named dotfiles interface, vs classic for this?


#9

Given that launching specific browsers with specific profiles is outside of the scope of xdg-open, I’m not sure the dotfiles interface would be sufficient to allow strict confinement here.

Assuming @psiinon doesn’t want to ship every browser in his snap, it’d need access to the host file system and the ability to launch executables that probably won’t work with strict confinement.


#10

That’s right, we want to be able to use any browser that the user has installed. Especially as they might have installed additional browser add-ons that they still want to use.


#11

For the reasons @jamesh mentioned and for needing access to other browser snaps (that could perhaps become an interface at some point, but that is a bit weird: the snapped browsers would have to participate to become slot implementations, which requires a lot of coordination between zap and the browsers), this wouldn’t be sufficient.


#12

So … all agreed we need ‘classic’ confinement?
What steps do you need to take in order to vet us?


#13

Gentle reminder for one of @Wimpress, @popey, @Igor, @evan to have a look at this :wink:


#14

Any feedback on when this might get looked at? 30 days now and counting…


#15

Having this as a snap would be really great.


#16

We have one in the beta and edge channels, but we won’t be able to publish it as stable until this review is complete :confused:


#17

@Wimpress, @popey, @Igor, @evan It’s over a month since I opened this now, and no feedback for 2 weeks. Are we wasting our time trying to release a ZAP snap?


#18

Apologies for the delay @psiinon. I’ve vetted, and +1 for classic confinement for ZAP.


#19

Great! What’s the process now? Do we need more approvals or ??


#20

I’ve granted the use of classic. This is now live.

@psiinon - please either upload a new revision of the snap or request a manual review for revision 3. Future uploads should pass automated review.