
feat: add SES to wallet-mobile #420

Merged: 43 commits, Nov 7, 2024

Conversation

@andreabadesso andreabadesso commented Jan 22, 2024

Motivation

We want to defend against supply chain attacks, as those kinds of attacks have already hit the cryptocurrency ecosystem and present a significant risk for our developers and for the users of our wallets and apps.

This PR is part of a series of PRs using a set of tools called LavaMoat to improve security on our JavaScript projects with a set of good defaults, preventing us from having to rewrite them from scratch.

Important: SES is not yet fully compatible with react-native, there is a compatibility tracker issue here

What is not yet supported (that affects us)?

  • Lockdown for react-native dependencies
  • Building the app using lavamoat-node
  • Hermes
  • Policy generation
  • allow-list for react-native dependencies

Also, to prevent multiple patches in react-native, we had to inject SES in a patch to react-native's initializeCore method, so it gets loaded before anything else in our bundle.

Acceptance Criteria

  • We should be able to defend against prototype pollution and poisoning attacks coming from the installed libs and their dependencies by using SES
  • We should have control over which dependencies are able to run postinstall scripts, blocking all the rest by using LavaMoat allow-scripts
  • We should use hathor-unleash-client, a watered-down version of the official unleash JavaScript client with only the features we use, instead of the official client
  • We should inject SES as soon as possible, so we should patch react-native to inject it before react-native initialization

Security Checklist

  • Make sure you do not include new dependencies in the project unless strictly necessary and do not include dev-dependencies as production ones. More dependencies increase the possibility of one of them being hijacked and affecting us.

@andreabadesso andreabadesso self-assigned this Jan 22, 2024
@andreabadesso andreabadesso added the enhancement New feature or request label Jan 22, 2024
@andreabadesso andreabadesso force-pushed the feat/lavamoat-integration branch 2 times, most recently from 2479ce2 to 4b42122 Compare January 29, 2024 16:53
@andreabadesso andreabadesso changed the base branch from dev to refactor/using-hathor-unleash-client January 29, 2024 18:27
@andreabadesso andreabadesso force-pushed the feat/lavamoat-integration branch 2 times, most recently from e7261a1 to 752c1db Compare January 30, 2024 14:52
@andreabadesso andreabadesso requested review from r4mmer and tuliomir and removed request for r4mmer January 30, 2024 16:10
Contributor
@tuliomir tuliomir left a comment

question: It looks good to me, but I feel there's something missing on the documentation on how to maintain the code from now on.

When we add new dependencies, should we change anything on the lavamoat files, or only on the "lavamoat" config inside the package.json?

thought: Since this will be a primary concern for any modifications on our dependencies, I think it's important to document it better on the readme file. Both for Hathor Labs devs and for the community members that wish to contribute.

naugtur commented Feb 6, 2024

Hi. I think we could chat about what we're working on in LavaMoat. Get in touch if you think so too :)

@andreabadesso andreabadesso (Contributor Author)

Hi. I think we could chat about what we're working on in LavaMoat. Get in touch if you think so too :)

Hey @naugtur, thanks for reaching out!

I've just sent you a DM on Twitter; please tell me if this is the best way to contact you.

Base automatically changed from refactor/using-hathor-unleash-client to master February 8, 2024 15:34
@andreabadesso andreabadesso force-pushed the feat/lavamoat-integration branch from 8ecb435 to 0628d10 Compare February 15, 2024 14:00
@andreabadesso andreabadesso force-pushed the feat/lavamoat-integration branch from 0628d10 to a54da44 Compare March 25, 2024 18:02
naugtur commented Apr 12, 2024

Update on our progress:

  • we're making changes to SES lockdown that will let it work under Hermes. (Currently only async support is problematic)
  • if you want runtime protections and can switch away from Hermes, any other engine can work. The current release of the webpack plugin is working for web targets. If you use the webpack-based build tool from Callstack you could try out the LavaMoat plugin for webpack. We're planning to test it ourselves after the work on SES above.

BTW, consider just switching to socketsupply.co

@andreabadesso andreabadesso force-pushed the feat/lavamoat-integration branch from d3f602a to 98b3ac1 Compare April 15, 2024 16:18
src/sagas/ses.js
// SES was enabled, we should disable it in storage which gets read in the
// react-native initialization (more on this in patches/react-native+0.72.5.patch)
// and restart the react-native bundle.
disableSes();
Contributor

question: If there is a problem with the Unleash connection or with the MMKV storage, is there a chance of the application entering an infinite loop of self restarting?

Contributor Author

If there is a problem with the Unleash connection, we would default to false (we could also default to true, not sure if we want to do this in the first release though), which would cause this method to be called.

If there is a problem with the MMKV storage it would indeed cause an infinite restart loop, but I don't see how this could happen without us catching it in QA or internal tests...

Contributor

I would suggest adding a comment or opening an issue/KTLO to address this in the future.

I agree that the QA would get this situation, but our QA is pretty big already and there is a possibility of human error.

In my opinion, this is not critical enough to demand a fix right now, but it's a nice-to-have for future improvements as a KTLO.
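As an added example (not code from the PR), a guarded form of the disable-and-restart step discussed in this thread: it reads the flag back before restarting and caps consecutive restarts, so a storage failure cannot turn into the infinite loop raised above. The storage API, key names, budget and function names are hypothetical stand-ins for the MMKV instance and the saga's disableSes.

```javascript
// Constructed key names and budget; the wallet's real storage keys are not on this page.
const SES_ENABLED_KEY = 'ses.enabled';
const RESTART_COUNT_KEY = 'ses.disableRestarts';
const MAX_RESTARTS = 3;

// `storage` is a stand-in for the MMKV instance with a hypothetical get/set API;
// `restartBundle` is whatever restarts the react-native bundle.
function disableSesGuarded(storage, restartBundle) {
  let attempts;
  try {
    storage.set(SES_ENABLED_KEY, false);
    // Read the flag back before restarting: if the write did not persist, the
    // next boot would still load SES and land right back here.
    if (storage.get(SES_ENABLED_KEY) !== false) {
      return { restarted: false, reason: 'flag-not-persisted' };
    }
    attempts = (storage.get(RESTART_COUNT_KEY) ?? 0) + 1;
    storage.set(RESTART_COUNT_KEY, attempts);
  } catch (err) {
    // Storage itself is failing; a restart would only re-read the same broken storage.
    return { restarted: false, reason: 'storage-error', error: String(err) };
  }
  if (attempts > MAX_RESTARTS) {
    // Reset this counter once a boot completes normally (outside this snippet).
    return { restarted: false, reason: 'restart-budget-exhausted', attempts };
  }
  restartBundle();
  return { restarted: true, attempts };
}

// Constructed storage doubles for the three cases discussed in the thread.
function memoryStorage() {
  const m = new Map();
  return { get: (k) => m.get(k), set: (k, v) => { m.set(k, v); } };
}
function brokenStorage() {
  const fail = () => { throw new Error('MMKV unavailable'); };
  return { get: fail, set: fail };
}
function staleStorage() {
  return { get: () => true, set: () => {} }; // writes accepted but never persisted
}

let restarts = 0;
const restart = () => { restarts += 1; };
console.log(disableSesGuarded(memoryStorage(), restart)); // { restarted: true, attempts: 1 }
console.log(disableSesGuarded(brokenStorage(), restart)); // { restarted: false, reason: 'storage-error', ... }
console.log(disableSesGuarded(staleStorage(), restart));  // { restarted: false, reason: 'flag-not-persisted' }
```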

@tuliomir tuliomir mentioned this pull request Apr 22, 2024

src/sagas/ses.js
const storage = new MMKV();

function disableSes(restart = true) {
  logger.debug('Disabling SAS');
Contributor

Suggested change
logger.debug('Disabling SAS');
logger.debug('Disabling SES');

Contributor Author

Fixed! Thanks

@andreabadesso andreabadesso changed the title feat: lavamoat integration feat: add SES to wallet-mobile Oct 28, 2024
@andreabadesso andreabadesso force-pushed the feat/lavamoat-integration branch from 6084586 to 4c95a93 Compare November 7, 2024 01:42
@andreabadesso andreabadesso force-pushed the feat/lavamoat-integration branch from 4c95a93 to e9a0644 Compare November 7, 2024 01:43
@pedroferreira1 pedroferreira1 removed the request for review from msbrogli November 7, 2024 01:46
@andreabadesso andreabadesso dismissed msbrogli’s stale review November 7, 2024 01:56

Reviewed all threads

@andreabadesso andreabadesso merged commit 2a65bf2 into master Nov 7, 2024
1 check passed
@andreabadesso andreabadesso deleted the feat/lavamoat-integration branch November 7, 2024 10:57
6 participants