保护链接到授权触发器的Google Apps脚本的安全性,以便其他人可以进行编辑 [英] securing a Google Apps Script linked to an authorized trigger so others can edit
问题描述
我非常确定我的理解是正确的,但是由于找不到任何我想在这里明确指出的Google文档.
I am pretty sure my understanding is correct but since I cannot find any Google documentation that explicitly highlights this I wanted to ask here.
每个 https://developers.google.com/apps-script/指南/触发器/可安装:
可安装触发器始终以创建它们的人的身份运行.
Installable triggers always run under the account of the person who created them.
我们知道,当您创建触发器时,它将要求对脚本使用的所有范围进行授权.
And we know that when you create a trigger it will ask to authorize for all the scopes the script uses.
然后,这意味着对脚本具有编辑访问权的任何人都可以利用用于创建触发器的用户的Google身份来访问触发器被授权的作用域.
Then, that means that anyone with edit access to the script could leverage the Google identity of the user used to create the trigger to access the scopes the trigger is authorized for.
例如:
- 用户1创建一个Google Apps脚本,该脚本使用 GmailApp 发送电子邮件(即
GmailApp.sendEmail("one@example.com",测试主题",电子邮件正文");) - 用户1创建触发器以每小时运行一次所述脚本,并使用适当的GmailApp范围对其进行授权
- 用户1授予用户2对所述脚本的编辑访问权限
- User 1 creates a Google Apps Script that uses GmailApp to send an e-mail
(i.e.
GmailApp.sendEmail("one@example.com", "test subject", "email body");) - User 1 creates a trigger to run said script every hour and authorizes it with the appropriate GmailApp scopes
- User 1 gives User 2 edit access to said script
现在,用户2可以进入该脚本并更改代码并访问用户1的Gmail帐户.例如,用户2可以将代码更改为:
Now, User 2 can go into said script and make changes to the code and access User 1's Gmail account. For example, user 2 could change the code to:
var emails = GmailApp.search("search string to find sensitive emails")
// use GmailApp.sendEmail to forward those details to someone else like User 2
他们要做的就是更改代码并保存;他们不需要重新创建触发器,因为它已经存在.下次运行触发器时,它将运行更新/更新的代码.
All they would have to do is make changes to the code and save; they wouldn't need to re-create the trigger since it already exists. And the next time the trigger runs it would run the newer/updated code.
我可以通过在一个帐户上创建测试脚本并授予另一个帐户编辑权限来确认此行为.
I was able to confirm this behavior by creating a test script on one of my accounts and giving another account edit access.
所以我的问题是,减轻这种风险的官方/推荐方法是什么?显而易见的答案是不给其他任何人编辑权限,但是如果这不是一个选择,怎么办?如果出于支持目的,多个人需要能够访问脚本,那又该怎么办?
So my question is, what is the official/recommended way to mitigate this risk? The obvious answer is to not give anyone else edit access but what if that is not an option -- what if for support purposes multiple people need to be able to access the script, then what?
推荐答案
正如您所说,唯一的官方/推荐方法是将编辑权限限制为受信任的人员.
As you say, the only official/recommend way is to limit editing access to trusted persons.
在您的特定示例中,用户1可能选择了MailApp而不是GmailApp.这两个看似多余的服务可单独使用,因为与GmailApp相比,MailApp拥有的特权非常有限.(例如,用户2无法使用MailApp服务搜索受害Gmail.)
In your particular example, User 1 could have chosen MailApp instead of GmailApp. The two seemingly redundant services are available separately because MailApp has very limited privledges exposed compared to GmailApp. (For instance, User 2 cannot search the victims Gmail with the MailApp service.)
您可以进行协作,同时避免使用 clasp 和 git 直接访问脚本文件.只有您用 clasp 推送到脚本.其他所有人都通过 git 提交更改.您可以将系统设置为全自动(即 git push 触发 clasp push )或手动(即先查看所有更改),无论哪种方式都可以使用 git 时谁做了什么的记录.
You can collaborate while avoiding giving direct access to your script file using clasp and git. Only you push with clasp to the script. Everyone else submits changes through git. You can setup the system to be fully automatic (i.e. a git push triggers a clasp push) or manual (i.e. you review all changes first), bit either way you have good records of who did what, when with git.
这篇关于保护链接到授权触发器的Google Apps脚本的安全性,以便其他人可以进行编辑的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
