From 9617537561014fc236a34c9e149c965af72a8c33 Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Sun, 21 Sep 2025 09:09:55 +0800 Subject: [PATCH] docs: note acap 2.0 security mitigation plans in github issue for detailed reference --- .../announcements/firebase-storage-2024.mdx | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/docs/pages/announcements/firebase-storage-2024.mdx b/docs/pages/announcements/firebase-storage-2024.mdx index 3c176d14..c0b9d719 100644 --- a/docs/pages/announcements/firebase-storage-2024.mdx +++ b/docs/pages/announcements/firebase-storage-2024.mdx 
@@ -136,12 +136,10 @@ _All Firebase components service usage (including those not used by ACAP) will o Yes. Some of the latest core deliverables implemented for ACAP in its [2.0](/changelog/#version-2-acap-20) version [**introduced security considerations**](/changelog#acap-2-security-debts) not present in the initial ([1.0](/changelog/#version-1-acap-10)) version, which followed a more rigid [security model](/security) that adhered to best practices in web development security. The security changes in **version 2.0** resulted in a **measured reduction in coverage compared to version 1.0, based on established criteria.** (see table below) - -> With **ACAP 2.0+**, core development transitioned to a new lead programmer who made changes to improve development speed. As part of this effort, they introduced a more flexible Firestore database setup, which streamlined workflows. While these adjustments optimized workflows, they also altered security rules, introducing new considerations that require further refinements to align with [best practices](/security). -> -> The lead programmer is aware of these trade-offs, and since the lead programmer made these changes, they remain the best point of contact for security updates and fixes. -> -> For more details on these changes, refer to this GitHub [issue](https://github.com/amia-cis/acap-v2/issues/57) in the parent **acap-v2** repository, which provides a summary of the lead programmer's upcoming fixes and improvements. + +_The development strategy for [**ACAP 2.0 - 2.1**](/changelog/#version-2-acap-20) prioritized rapid feature delivery. To achieve this, it adopted a more flexible Firestore database management setup that [altered security rules](/security/#firestore-database-rules). 
While these adjustments streamlined workflows, they also introduced new security considerations that require further refinements to align with [best practices](/security)._ + +_These known issues, including potential XSS vulnerabilities and the need for stricter data validation, are being tracked and are slated for future refinement. For a detailed technical breakdown and status, please see [**Issue #57**](https://github.com/amia-cis/acap-v2/issues/57) in the (private) [**acap-v2**](https://github.com/amia-cis/acap-v2) parent repository._ ##### ACAP Security Criteria 
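Review bot: the rewritten paragraph drops the contact path that the removed blockquote provided ("they remain the best point of contact for security updates and fixes") while the only place it now points readers for detail is a private repository ("[**Issue #57**](https://github.com/amia-cis/acap-v2/issues/57) in the (private) [**acap-v2**](https://github.com/amia-cis/acap-v2) parent repository"). A reader of the public docs cannot open that link, so the page now names a vulnerability class (potential XSS, lax data validation) with no reachable mitigation status and no way to ask about it. Suggest keeping a sentence on how to request access or whom to contact, and a one-line public summary of the current mitigation state (for example, which items are fixed versus still open) so the public page is not just a pointer into a repo readers cannot see. Minor: the same link text "acap-v2" elsewhere on the page is bolded without the "(private)" qualifier; keep the wording consistent.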
@@ -200,19 +198,21 @@ Before activating a paid Firebase subscription, consider whether unresolved [ACA ``` For more details, see [ACAP Security Technical Debts](/changelog/#acap-2-security-debts). -If these issues with specific information (available at the (private) parent **acap-v2** GitHub Repository Issues list [[1]](https://github.com/amia-cis/acap-v2/issues/57) and [[2]](https://github.com/amia-cis/acap-v2/issues/34)) remain unaddressed, it may be beneficial to consult the new ACAP Maintainer who is also the lead ACAP programmer responsible for designing and implementing [ACAP 2.0](/changelog/#version-2-acap-20) before activating a paid Firebase subscription. -Key topics to discuss include: +The [ACAP 2.0 codebase](https://github.com/amia-cis/acap-v2) contains known security vulnerabilities, including lenient Firestore rules and a potential for Cross-Site Scripting (XSS) attacks. Activating a paid Firebase subscription before these issues are resolved could lead to data breaches and unexpected costs. Please review the **mitigation plan** in [**Issue #57**](https://github.com/amia-cis/acap-v2/issues/57) before proceeding. -- How security concerns introduced in ACAP 2.0+ are being addressed -- Plans for improving security and risk mitigation before enabling Firebase - -#### Next Steps for Developers +#### Next Steps for Developers Before Activating Paid Plans: +- **Consult the new ACAP Maintainer/Lead programmer** who led the **ACAP 2.0 major features development** for current mitigation strategies and planned fixes of the security concerns introduced in ACAP 2.0. + > Please review their **security mitigation plan** in [**Issue #57 - 2024 ACAP Updates Summary**](https://github.com/amia-cis/acap-v2/issues/57) (private GitHub repository - access available upon request) before proceeding. 
+ > Key topics to discuss include: + > - How security concerns, GitHub Issues [[#34]](https://github.com/amia-cis/acap-v2/issues/34)[[#57]](https://github.com/amia-cis/acap-v2/issues/57) introduced in ACAP 2.0+ (available at the private parent [**acap-v2**](https://github.com/amia-cis/acap-v2/issues/57) GitHub Repository) are being addressed, including ongoing items. + > - Plans for improving security and risk mitigation before enabling Firebase - **Review the Firestore security rules** to restrict direct database writes. - **Check for XSS vulnerabilities** in crop recommendations and apply sanitization. - **Monitor database writes** for unstructured or excessive storage. -- **Consult the new ACAP Maintainer who is also the lead ACAP programmer responsible for implementing the core [version 2.0+](/changelog/#version-2-acap-20)** deliverables for current mitigation strategies and planned fixes. +- 👉 **Be mindful of ACAP's [Security Guidelines](/security) and [Security Best Practices](http://localhost:3000/articles/security-bestpractices/)** when developing new features. +
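Review bot: the last added bullet links to a development URL, `[Security Best Practices](http://localhost:3000/articles/security-bestpractices/)`, which will be dead for every reader of the published site; it should be the site-relative path used by the neighbouring link (`[Security Guidelines](/security)`), i.e. `/articles/security-bestpractices/`. In the "Key topics" sub-bullet the link labelled as the repository, `[**acap-v2**](https://github.com/amia-cis/acap-v2/issues/57)`, points at issue 57 rather than the repository root `https://github.com/amia-cis/acap-v2` that the hunk above uses for the same label, so the same words resolve to two different targets. On the framing of the new intro paragraph: "Activating a paid Firebase subscription before these issues are resolved could lead to data breaches and unexpected costs" ties the data-exposure risk to the paid plan, but lenient Firestore rules expose data on any plan; the paid plan mainly changes the cost impact of the unbounded writes the later bullet tells developers to monitor. Consider separating the two risks so readers do not conclude that staying on the free tier avoids the exposure. Style: the heading now ends with a colon ("Next Steps for Developers Before Activating Paid Plans:"), the 👉 emoji is not used elsewhere on the page, and Issue #57 is linked three times within this one section; one link with a short description is enough.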