Security model of embedded apps

kohsuke · September 16, 2024, 10:12pm

Hi,

We are a SaaS company. So far we've been using Retool as an internal tool within the company, but we are exploring the possibility of using retool to build a prototype for our customers. In order to assess the security of this, I'd like to better understand the security/threat model of a retool application, especially in the context of the embedded use.

If you think about a "normal" webapp, the security model is that the frontend has no integrity (meaning, an attacker can tamper and modify the frontend code that runs in their browser), but we can assume integrity in the backend. This is why nobody designs a frontend that constructs an SQL statement and the backend that executes it.

With retool, it's not clear how we should think about this. Which part of the system can we assume integrity? Or put differently, which part of Retool reside on the server side vs the client side? I think this is a crucial information every embedded app developer should want to know.

Just in case this is a little too abstract, what I think we need is a tamper proof path for our backend to pass some values to the retool app, and for the retool app to use those in the query.

Think the tenant ID in a multi-tenant SaaS. Our backend authenticates the user, ascertains the tenant ID of this user. I need to be able to pass this to retool, so that the query like "SELECT * FROM data WHERE tenant={{tenantId}}" will always use the tenant ID our backend has passed and nothing else.

I don't think the data property and the "parent window" query would meet this bar. The 'metadata' in embed URL might be it, but I cannot tell from the documentation. That section refers to query variable spoofing prevention, but that description is actually worrisome than reassuring.

It cites current_user.groups.map(group => group.name) as an example that CAN be spoofed, and the only way in which this can be spoofed is that this JavaScript is evaluated in browsers, not on the server side, which suggests the security model is pretty much "any prepared statements used in the app can be invoked any time with any values, except when those arguments are defined trivially coming from current_user object. IOW, it's much much closer to the "frontend constructs an SQL statement and backend executes it" model that nobody does for good reasons.

Your help is greatly appreciated. To reiterate, I cannot assess this from my side, and if I build something based on the wrong assumption, I could end up exposing every customer's data to an attacker, which is a fireable negligence.

Thank you!

lukew · September 17, 2024, 12:04am

Hey kohsuke,

Great question. The fundamental security consideration in embed that needs to be gotten right is that you call the Embed API from your backend (as opposed to the browser). You're correct that user metadata is where you should be passing anything that shouldn't be manipulated on the frontend. Your app will then be able to query based on that metadata (so something like current_user.metadata.tenant_id )

Hope this helps, let me know if you've got any other questions.
-- Luke

kohsuke · September 17, 2024, 2:07am

Thanks Luke for confirming some of my assumptions. Yes, it's a given that the embed API must be invoked from the backend.

Can you confirm my assumption that stuffing data to 'metadata' is not enough? It has to be then used in a trivial property reference form of {{ current_user.metadata.x.y.z }}? The moment you have any logic in it, such as {{ current_user.metadata.x+1 }} all bets are off.

lukew · September 17, 2024, 5:04pm

Yes you should directly reference the property.