[Threat Modelling] Ensure risky payload from 3rd party services will be handled properly by the Compass Manager: #54

tobiscr opened this issue Nov 29, 2023 · 1 comment


tobiscr commented Nov 29, 2023

Description

An attacker could inject malicious content into consumed 3rd party services, and Compass Manager receives risky payloads from these systems.

We have to ensure that the payload of 3rd party services, even if it's malicious, won't lead to security problems for the Compass Manager.

AC:

  • The Compass Manager has to be able to deal with unexpectedly huge payloads properly by adding upload-limits (e.g. max. 2 MB per HTTP response)
  • The payload of responses has to be evaluated and discarded if it's not compliant with the agreed technical contract (e.g. apply data validation via JSON Schema; if JSON is expected, discard any other input format, etc.)
  • If data of the received payload is used for further processing, a sanity check has to happen for this data (e.g. max. string length, check for patterns, etc.) and it has to be treated as untrusted data.

Steps to exploit

Attacker injects unexpected payload into the response of a 3rd party system.

Risk assessment
Part of the Threat Modelling workshop from 2023-11-29.

Proposed mitigation

Establish security mechanisms to handle malicious payloads properly.

@tobiscr tobiscr changed the title [Thread Modelling] Ensure risky payload from 3rd party services will be handled properly by the Compass Manager: [Threat Modelling] Ensure risky payload from 3rd party services will be handled properly by the Compass Manager: Jan 2, 2024
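The three acceptance criteria above (a per-response size limit, rejecting input that does not match the agreed contract, and sanity-checking fields before they are used) map onto a single response-handling routine. The following Go program is an added example, not code from the Compass Manager repository; the `runtimeInfo` struct, the field names, the `identifierRe` pattern, the 256-byte field limit and the allowed `status` values are assumptions chosen for illustration, and strict decoding into a typed struct with `DisallowUnknownFields` stands in for the JSON Schema validation the issue mentions (a schema library would slot in at the same point). The responses fed to it are constructed inline, so it runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"regexp"
	"strings"
)

// maxBodyBytes is the limit the issue proposes: 2 MB per HTTP response.
const maxBodyBytes = 2 << 20

// maxFieldLen is an assumed sanity limit for string fields taken from the response.
const maxFieldLen = 256

// identifierRe is an assumed pattern for opaque identifiers returned by the 3rd party.
var identifierRe = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

// runtimeInfo is a hypothetical shape of the data Compass Manager would consume.
type runtimeInfo struct {
	ID     string `json:"id"`
	Name   string `json:"name"`
	Status string `json:"status"`
}

var (
	ErrTooLarge     = errors.New("response body exceeds limit")
	ErrWrongType    = errors.New("unexpected content type")
	ErrInvalidField = errors.New("field failed sanity check")
)

// decodeResponse treats the 3rd-party response as untrusted:
//  1. the Content-Type must be the agreed one (JSON),
//  2. the body is read under a byte limit, never fully buffered first,
//  3. JSON is decoded strictly (unknown fields and trailing data rejected),
//  4. each field is sanity-checked before the value is handed on.
func decodeResponse(resp *http.Response) (*runtimeInfo, error) {
	mt, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		return nil, ErrWrongType
	}
	// Read one byte beyond the limit so an oversized body is detected
	// rather than silently truncated to something that still parses.
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxBodyBytes+1))
	if err != nil {
		return nil, err
	}
	if len(body) > maxBodyBytes {
		return nil, ErrTooLarge
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var info runtimeInfo
	if err := dec.Decode(&info); err != nil {
		return nil, fmt.Errorf("malformed JSON: %w", err)
	}
	// A second JSON value after the first one is not part of the contract.
	var extra json.RawMessage
	if err := dec.Decode(&extra); err != io.EOF {
		return nil, errors.New("trailing data after JSON value")
	}
	if err := checkField("id", info.ID, identifierRe); err != nil {
		return nil, err
	}
	if err := checkField("name", info.Name, nil); err != nil {
		return nil, err
	}
	switch info.Status {
	case "ready", "failed", "pending":
	default:
		return nil, fmt.Errorf("%w: status=%q", ErrInvalidField, info.Status)
	}
	return &info, nil
}

// checkField enforces a non-empty value, a maximum length and an optional pattern.
func checkField(name, val string, re *regexp.Regexp) error {
	if val == "" || len(val) > maxFieldLen {
		return fmt.Errorf("%w: %s length %d", ErrInvalidField, name, len(val))
	}
	if re != nil && !re.MatchString(val) {
		return fmt.Errorf("%w: %s does not match pattern", ErrInvalidField, name)
	}
	return nil
}

// fakeResponse builds a constructed http.Response so the example runs offline.
func fakeResponse(contentType, body string) *http.Response {
	return &http.Response{
		StatusCode: 200,
		Header:     http.Header{"Content-Type": []string{contentType}},
		Body:       io.NopCloser(strings.NewReader(body)),
	}
}

func main() {
	cases := []struct{ ct, body string }{
		{"application/json", `{"id":"rt-123","name":"prod","status":"ready"}`},
		{"text/html", `<html>not json</html>`},
		{"application/json", `{"id":"../../etc","name":"x","status":"ready"}`},
		{"application/json", `{"id":"rt-1","name":"x","status":"ready","extra":1}`},
		{"application/json", `{"id":"rt-1","name":"` + strings.Repeat("A", maxBodyBytes) + `","status":"ready"}`},
	}
	for _, c := range cases {
		info, err := decodeResponse(fakeResponse(c.ct, c.body))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("accepted: %+v\n", *info)
	}
}
```

The order matters: the size check runs while reading, before any parsing, so a multi-gigabyte response never reaches the JSON decoder, and the field checks run on the decoded struct, so downstream code only ever sees values that already passed the pattern and length limits.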