Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(lavamoat/lavadome): update integration to improve security #25653

Merged
merged 9 commits into from
Jan 21, 2025

Conversation

weizman
Copy link
Member

@weizman weizman commented Jul 3, 2024

Address concerns under Safe Usage:

  • #csp - do not allow font to be fetched from just about anywhere
  • #execution-order - make sure LavaDome is imported right away

This should go with #27756

@metamaskbot

This comment was marked as outdated.

Copy link

codecov bot commented Jul 3, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.02%. Comparing base (eadc707) to head (6338a91).
Report is 10 commits behind head on develop.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop   #25653   +/-   ##
========================================
  Coverage    70.02%   70.02%           
========================================
  Files         1443     1443           
  Lines        50164    50164           
  Branches     14039    14039           
========================================
  Hits         35126    35126           
  Misses       15038    15038           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@weizman weizman changed the title draft - require lavadome early enough to win security feat(lavamoat/lavadome): require early enough to win security Jul 3, 2024
@weizman weizman changed the title feat(lavamoat/lavadome): require early enough to win security Improve LavaDome integration to improve security Jul 3, 2024
@metamaskbot metamaskbot added the INVALID-PR-TEMPLATE PR's body doesn't match template label Jul 3, 2024
@weizman weizman changed the title Improve LavaDome integration to improve security feat(lavamoat/lavadome): update integration to improve security Jul 3, 2024
@weizman weizman marked this pull request as ready for review July 3, 2024 17:05
@weizman weizman requested a review from a team as a code owner July 3, 2024 17:05
@metamaskbot

This comment was marked as outdated.

greptile-apps[bot]

This comment was marked as off-topic.

@metamaskbot

This comment was marked as outdated.

greptile-apps[bot]

This comment was marked as off-topic.

greptile-apps[bot]

This comment was marked as off-topic.

This comment was marked as outdated.

@metamaskbot

This comment was marked as outdated.

@weizman
Copy link
Member Author

weizman commented Jul 31, 2024

6bdd808 passed successfully

This comment was marked as outdated.

@metamaskbot
Copy link
Collaborator

Builds ready [6338a91]
Page Load Metrics (1744 ± 91 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint24524371686399192
domContentLoaded14162142171218288
load14652262174419091
domInteractive149335209
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 134 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@legobeat legobeat force-pushed the weizman-patch-lavadome-try branch from f7a170b to 965044f Compare October 16, 2024 01:29
Copy link

@metamaskbot
Copy link
Collaborator

Builds ready [965044f]
Page Load Metrics (1949 ± 214 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint30134531866574276
domContentLoaded145634241910445214
load147434591949446214
domInteractive25185584421
backgroundConnect1188412512
firstReactRender462021074521
getState481202411
initialActions01000
loadScripts101225211423345166
setupStore1094382914
uiStartup180838082199469225
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 134 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@metamaskbot
Copy link
Collaborator

Builds ready [ad0e483]
Page Load Metrics (1878 ± 64 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint16732201188513465
domContentLoaded16312158183912761
load16732201187813464
domInteractive1697472110
backgroundConnect992412612
firstReactRender572051002713
getState568212110
initialActions01000
loadScripts11721722137712861
setupStore106521157
uiStartup18302360208514168
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 134 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@@ -1,5 +1,9 @@
// Disabled to allow setting up initial state hooks first

// This import sets up safe intrinsics required for LavaDome to function securely.
// It must be run first so that no other code can undermine it.
import '@lavamoat/lavadome-react';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are the intrinsic not sufficiently protected by lavamoat?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no because LavaMoat protects TC39 JS intrinsics without taking platform oriented intrinsics into account (such as dom/web apis)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just FYI: there are 8 or 9 other files that already run before this "first" thing here (not including the lavamoat runtime wrapper):

  • _initialize.ts (in webpack build only)
  • sentry-install
  • @lavamoat/snow/snow.prod
  • use-snow
  • lockdown-install
  • lockdown-run
  • lockdown-more
  • init-globals
  • runtime-cjs

And the next line after this import '@lavamoat/lavadome-react'; is:

// This import sets up global functions required for Sentry to function.
// It must be run first in case an error is thrown later during initialization.
import './lib/setup-initial-state-hooks';

So it is looking like we have a few files that already run before our "first" files, and we have two files that now "must be run first" (that won't be). I don't mind having a "first" comment in this file (despite it not actually being first in the context of the entire application), but we should certainly have only one of these comments in this file.

My current thinking is that ./lib/setup-initial-state-hooks should be run before lavadome-react unless you can guarantee that @lavamoat/lavadome-react will absolutely never be the cause of an error.

In either case (setup-initial-state-hooks or lavadoem-react running "first"), can you update the comments to reflect their actual "firstness"? :-)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As for the phrasing b45f3c4.

Regarding sentry before lavadome, i understand your concern, but eventually, ./lib/setup-initial-state-hooks transitively requires tons of stuff that can end up undermining crucial LavaMoat related protections. This includes Snow, LavaMoat and LavaDome too - all of which we decided to trust to run before any other code we can't 100% trust. Just like LavaMoat and Snow, LavaDome can potentially cause an error, but we take all the measures needed to mitigate this risk as much as possible, and live with any small risk left of causing error, knowing that it's worth deploying powerful defense to our runtime environment.

@weizman weizman requested a review from davidmurdoch January 14, 2025 10:01
@metamaskbot
Copy link
Collaborator

Builds ready [a1b9251]
Page Load Metrics (1567 ± 47 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint1397186015759746
domContentLoaded1354178615418842
load1362186515679747
domInteractive198836199
backgroundConnect780302311
firstReactRender16103433015
getState55216136
initialActions0724168
loadScripts995132011407436
setupStore787202613
uiStartup157822891928215103
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 134 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@metamaskbot
Copy link
Collaborator

Builds ready [bfb52b7]
Page Load Metrics (1602 ± 45 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint14291819160910048
domContentLoaded1393175415619445
load1440182516029545
domInteractive20112402311
backgroundConnect9183433919
firstReactRender1595473014
getState583182311
initialActions01000
loadScripts1019137411738842
setupStore681172211
uiStartup167523921967223107
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 134 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@metamaskbot
Copy link
Collaborator

Builds ready [12c8181]
Page Load Metrics (1660 ± 48 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint14671887166410551
domContentLoaded14581874164210048
load14671886166010048
domInteractive266844157
backgroundConnect66219199
firstReactRender1585472512
getState420742
initialActions01000
loadScripts1036142512129546
setupStore65512147
uiStartup16842325195517483
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 134 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

Copy link
Contributor

@naugtur naugtur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

setup makes sense

@weizman weizman added this pull request to the merge queue Jan 21, 2025
Merged via the queue into main with commit bb9250d Jan 21, 2025
72 checks passed
@weizman weizman deleted the weizman-patch-lavadome-try branch January 21, 2025 07:52
@github-actions github-actions bot locked and limited conversation to collaborators Jan 21, 2025
@metamaskbot metamaskbot added the release-12.12.0 Issue or pull request that will be included in release 12.12.0 label Jan 21, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
INVALID-PR-TEMPLATE PR's body doesn't match template release-12.12.0 Issue or pull request that will be included in release 12.12.0 team-lavamoat
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

4 participants