Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(lavamoat/lavadome): update integration to improve security #25653

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat(lavamoat/lavadome): update integration to improve security #25653

wants to merge 7 commits into from
+8 −4

Conversation

weizman
Copy link
Member

@weizman weizman commented Jul 3, 2024
edited
Loading

Address concerns under Safe Usage:

  • #csp - do not allow font to be fetched from just about anywhere
  • #execution-order - make sure LavaDome is imported right away

This should go with #27756

@metamaskbot

This comment was marked as outdated.

Sign in to view
@codecov Codecov
Copy link

codecov bot commented Jul 3, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.02%. Comparing base (eadc707) to head (6338a91).
Report is 10 commits behind head on develop.

Additional details and impacted files 
@@           Coverage Diff            @@
##           develop   #25653   +/-   ##
========================================
  Coverage    70.02%   70.02%           
========================================
  Files         1443     1443           
  Lines        50164    50164           
  Branches     14039    14039           
========================================
  Hits         35126    35126           
  Misses       15038    15038

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@weizman weizman changed the title draft - require lavadome early enough to win security feat(lavamoat/lavadome): require early enough to win security Jul 3, 2024
@weizman weizman changed the title feat(lavamoat/lavadome): require early enough to win security Improve LavaDome integration to improve security Jul 3, 2024
@metamaskbot metamaskbot added the INVALID-PR-TEMPLATE PR's body doesn't match template label Jul 3, 2024
@weizman weizman changed the title Improve LavaDome integration to improve security feat(lavamoat/lavadome): update integration to improve security Jul 3, 2024
@weizman weizman marked this pull request as ready for review July 3, 2024 17:05
@weizman weizman requested a review from a team as a code owner July 3, 2024 17:05
@metamaskbot

This comment was marked as outdated.

Sign in to view
greptile-apps[bot]

This comment was marked as off-topic.

Sign in to view

@metamaskbot

This comment was marked as outdated.

Sign in to view
greptile-apps[bot]

This comment was marked as off-topic.

Sign in to view

greptile-apps[bot]

This comment was marked as off-topic.

Sign in to view

@sonarqubecloud SonarQubeCloud

This comment was marked as outdated.

Sign in to view
@metamaskbot

This comment was marked as outdated.

Sign in to view
@weizman
Copy link
Member Author

weizman commented Jul 31, 2024

6bdd808 passed successfully

@sonarqubecloud SonarQubeCloud

This comment was marked as outdated.

Sign in to view
@metamaskbot
Copy link
Collaborator

Builds ready [6338a91]
Page Load Metrics (1744 ± 91 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint24524371686399192
domContentLoaded14162142171218288
load14652262174419091
domInteractive149335209
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 134 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@weizman weizman mentioned this pull request Oct 10, 2024
Closed
@legobeat legobeat force-pushed the weizman-patch-lavadome-try branch from 6338a91 to f7a170b Compare October 15, 2024 06:51
@legobeat legobeat force-pushed the weizman-patch-lavadome-try branch from f7a170b to 965044f Compare October 16, 2024 01:29
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@metamaskbot
Copy link
Collaborator

Builds ready [965044f]
Page Load Metrics (1949 ± 214 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint30134531866574276
domContentLoaded145634241910445214
load147434591949446214
domInteractive25185584421
backgroundConnect1188412512
firstReactRender462021074521
getState481202411
initialActions01000
loadScripts101225211423345166
setupStore1094382914
uiStartup180838082199469225
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 134 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@metamaskbot
Copy link
Collaborator

Builds ready [ad0e483]
Page Load Metrics (1878 ± 64 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint16732201188513465
domContentLoaded16312158183912761
load16732201187813464
domInteractive1697472110
backgroundConnect992412612
firstReactRender572051002713
getState568212110
initialActions01000
loadScripts11721722137712861
setupStore106521157
uiStartup18302360208514168
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 134 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

davidmurdoch
davidmurdoch reviewed Dec 10, 2024
View reviewed changes
app/scripts/ui.js
@@ -1,5 +1,9 @@
// Disabled to allow setting up initial state hooks first

// This import sets up safe intrinsics required for LavaDome to function securely.
// It must be run first so that no other code can undermine it.
import '@lavamoat/lavadome-react';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are the intrinsic not sufficiently protected by lavamoat?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no because LavaMoat protects TC39 JS intrinsics without taking platform oriented intrinsics into account (such as dom/web apis)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just FYI: there are 8 or 9 other files that already run before this "first" thing here (not including the lavamoat runtime wrapper):

  • _initialize.ts (in webpack build only)
  • sentry-install
  • @lavamoat/snow/snow.prod
  • use-snow
  • lockdown-install
  • lockdown-run
  • lockdown-more
  • init-globals
  • runtime-cjs

And the next line after this import '@lavamoat/lavadome-react'; is:

// This import sets up global functions required for Sentry to function.
// It must be run first in case an error is thrown later during initialization.
import './lib/setup-initial-state-hooks';

So it is looking like we have a few files that already run before our "first" files, and we have two files that now "must be run first" (that won't be). I don't mind having a "first" comment in this file (despite it not actually being first in the context of the entire application), but we should certainly have only one of these comments in this file.

My current thinking is that ./lib/setup-initial-state-hooks should be run before lavadome-react unless you can guarantee that @lavamoat/lavadome-react will absolutely never be the cause of an error.

In either case (setup-initial-state-hooks or lavadoem-react running "first"), can you update the comments to reflect their actual "firstness"? :-)

@weizman weizman requested a review from davidmurdoch January 14, 2025 10:01
@metamaskbot
Copy link
Collaborator

Builds ready [a1b9251]
Page Load Metrics (1567 ± 47 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint1397186015759746
domContentLoaded1354178615418842
load1362186515679747
domInteractive198836199
backgroundConnect780302311
firstReactRender16103433015
getState55216136
initialActions0724168
loadScripts995132011407436
setupStore787202613
uiStartup157822891928215103
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 134 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@metamaskbot
Copy link
Collaborator

Builds ready [bfb52b7]
Page Load Metrics (1602 ± 45 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint14291819160910048
domContentLoaded1393175415619445
load1440182516029545
domInteractive20112402311
backgroundConnect9183433919
firstReactRender1595473014
getState583182311
initialActions01000
loadScripts1019137411738842
setupStore681172211
uiStartup167523921967223107
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 134 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@davidmurdoch davidmurdoch Awaiting requested review from davidmurdoch

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
INVALID-PR-TEMPLATE PR's body doesn't match template team-lavamoat
Projects
PR review queue
Status: Needs dev review
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@weizman @metamaskbot @davidmurdoch