metamask-extension/app/scripts/lockdown-run.js

// Freezes all intrinsics
try {
  // eslint-disable-next-line no-undef,import/unambiguous
  lockdown({
    consoleTaming: 'unsafe',
    errorTaming: 'unsafe',
    mathTaming: 'unsafe',
    dateTaming: 'unsafe',
    domainTaming: 'unsafe',
    overrideTaming: 'severe',
  });
} catch (error) {
  // If the `lockdown` call throws an exception, it interferes with the
  // contentscript injection on some versions of Firefox. The error is
  // caught and logged here so that the contentscript still gets injected.
  // This affects Firefox v56 and Waterfox Classic.
  console.error('Lockdown failed:', error);
  if (globalThis.sentry && globalThis.sentry.captureException) {
    globalThis.sentry.captureException(
      new Error(`Lockdown failed: ${error.message}`),
    );
  }
}
Add SES lockdown to extension webapp (#9729) * Freezeglobals: remove Promise freezing, add lockdown * background & UI: temp disable sentry * add loose-envify, dedupe symbol-observable * use loose envify * add symbol-observable patch * run freezeGlobals after sentry init * use require instead of import * add lockdown to contentscript * add error code in message * try increasing node env heap size to 2048 * change back circe CI option * make freezeGlobals an exported function * make freezeGlobals an exported function * use freezeIntrinsics * pass down env to child process * fix unknown module * fix tests * change back to 2048 * fix import error * attempt to fix memory error * fix lint * fix lint * fix mem gain * use lockdown in phishing detect * fix lint * move sentry init into freezeIntrinsics to run lockdown before other imports * lint fix * custom lockdown modules per context * lint fix * fix global test * remove run in child process * remove lavamoat-core, use ses, require lockdown directly * revert childprocess * patch package postinstall * revert back child process * add postinstall to ci * revert node max space size to 1024 * put back loose-envify * Disable sentry to see if e2e tetss pass * use runLockdown, add as script in manifest * remove global and require from runlockdown * add more memory to tests * upgrade resource class for prep-build & prep-build-test * fix lint * lint fix * upgrade remote-redux-devtools * skillfully re-add sentry * lintfix * fix lint * put back beep * remove envify, add loose-envify and patch-package in dev deps * Replace patch with Yarn resolution (#9923) Instead of patching `symbol-observable`, this ensures that all versions of `symbol-observable` are resolved to the given range, even if it contradicts the requested range. Co-authored-by: Mark Stacey <markjstacey@gmail.com> 2020-11-24 04:26:43 +01:00			`// Freezes all intrinsics`
Fix contentscript injection failure on Firefox 56 (#10034) On Firefox 56 and Waterfox Classic, our `runLockdown.js` script throws an error. This is fine on the HTML pages, as the next script tags still get run without issue (though they don't benefit from the SES lockdown sadly). But in the `contentscript`, an exception thrown here appears to halt the execution of subsequent scripts. To prevent the `contentscript` from crashing completely, lockdown errors are now caught and logged. They are also logged to Sentry on the pages where Sentry is setup. 2020-12-10 18:33:04 +01:00			`try {`
			`// eslint-disable-next-line no-undef,import/unambiguous`
			`lockdown({`
			`consoleTaming: 'unsafe',`
			`errorTaming: 'unsafe',`
			`mathTaming: 'unsafe',`
			`dateTaming: 'unsafe',`
update ses@0.18.4 (#17521) * update ses import directory * agoric references removed * domainTaming set to unsafe --------- Co-authored-by: legobeat <109787230+legobeat@users.noreply.github.com> 2023-04-27 14:31:52 +02:00			`domainTaming: 'unsafe',`
security - update SES lockdown (#10663) * update ses * build - reference ses directly * deps - unify regenerator-runtime versions on 0.13.7 * patches - apply regenerator-runtime ses compat patch\nhttps://github.com/facebook/regenerator/pull/411 * patches - patch regenerator-runtime for latest ses fix * reduc patch, new lockdown severe override taming * updated redux patch * update redux patch for production * ignore lockdown in lint * deps - bump patch-package just in case * trailing comma * remove ses as dep * fix path for frozen promise * remove js extension in lockdown require * Revert "ignore lockdown in lint" This reverts commit 8cefdc94dd25d7781bb09eed8af36441397676da. * Revert "build - reference ses directly" This reverts commit 30371a377dcdd781c1bf9abe55e9c8ae34da26b5. * deps - update ses * Revert "fix path for frozen promise" This reverts commit 966e4c60921a25befe8ca8dea58313cc25852f72. Co-authored-by: kumavis <aaron@kumavis.me> 2021-03-26 05:27:25 +01:00			`overrideTaming: 'severe',`
@metamask/eslint config@5.0.0 (#10358) * @metamask/eslint-config@5.0.0 * Update eslintrc and prettierrc * yarn lint:fix 2021-02-04 19:15:23 +01:00			`});`
Fix contentscript injection failure on Firefox 56 (#10034) On Firefox 56 and Waterfox Classic, our `runLockdown.js` script throws an error. This is fine on the HTML pages, as the next script tags still get run without issue (though they don't benefit from the SES lockdown sadly). But in the `contentscript`, an exception thrown here appears to halt the execution of subsequent scripts. To prevent the `contentscript` from crashing completely, lockdown errors are now caught and logged. They are also logged to Sentry on the pages where Sentry is setup. 2020-12-10 18:33:04 +01:00			`} catch (error) {`
			// If the `lockdown` call throws an exception, it interferes with the
			`// contentscript injection on some versions of Firefox. The error is`
			`// caught and logged here so that the contentscript still gets injected.`
Make all named intrinsics non-modifiable (#11953) This PR makes ~all named intrinsics in all of our JavaScript processes non-modifiable. A named intrinsic is any property specified by the ECMAScript specification that exists on `globalThis` when the JavaScript process starts. We say that a property is non-modifiable if it is non-configurable and non-writable. We make exceptions for properties that meet any of the following criteria: 1. Properties that are non-configurable by the time `lockdown-run.js` is executed are not modified, because they can't be. 2. Properties that have accessor properties (`get` or `set`) are made non-configurable, but their writability cannot be modified, and is therefore left unchanged. It's unclear how many of the named intrinsics this applies to, if any, but it's good defensive programming, regardless. 2021-08-30 23:30:48 +02:00			`// This affects Firefox v56 and Waterfox Classic.`
@metamask/eslint config@5.0.0 (#10358) * @metamask/eslint-config@5.0.0 * Update eslintrc and prettierrc * yarn lint:fix 2021-02-04 19:15:23 +01:00			`console.error('Lockdown failed:', error);`
Build - refactor for bundle factoring and swappable runtime (#11080) * wip * build - breakout sentry-install bundle * deps - move new build sys deps to published versions * chore: lint fix * clean - remove unused file * clean - remove unsused package script * lavamoat - update build system policy * build - render html to all platforms * development - improve sourcemap debugger output * deps - update lavapack * lint - fix * deps - update lavapack for bugfix * deps - update lavapack for bugfix * deps - bump lavapack for line ending normalization * sourcemap explorer - disable boundary validation * ci - reset normal ci flow * build - re-enable minification on prod * build - remove noisy log about html dest * build - update terser and remove gulp wrapper for sourcemap fix * Revert "sourcemap explorer - disable boundary validation" This reverts commit 94112209ed880a6ebf4ee2ded411e59db6908162. * build - reenable react-devtools in dev mode * wip * build - breakout sentry-install bundle * deps - move new build sys deps to published versions * chore: lint fix * clean - remove unused file * clean - remove unsused package script * lavamoat - update build system policy * build - render html to all platforms * development - improve sourcemap debugger output * deps - update lavapack * lint - fix * deps - update lavapack for bugfix * deps - update lavapack for bugfix * deps - bump lavapack for line ending normalization * sourcemap explorer - disable boundary validation * ci - reset normal ci flow * build - re-enable minification on prod * build - remove noisy log about html dest * build - update terser and remove gulp wrapper for sourcemap fix * Revert "sourcemap explorer - disable boundary validation" This reverts commit 94112209ed880a6ebf4ee2ded411e59db6908162. * build - reenable react-devtools in dev mode * Updating lockfile * lint fix * build/dev - patch watchifys incompatible binary stats output * ui - add comment about conditional import * build - improve comment * Update development/stream-flat-map.js Co-authored-by: Brad Decker <git@braddecker.dev> * Outputting all bundle file links (metamaskbot) Co-authored-by: ryanml <ryanlanese@gmail.com> Co-authored-by: Brad Decker <git@braddecker.dev> 2021-07-15 19:59:34 +02:00			`if (globalThis.sentry && globalThis.sentry.captureException) {`
Make all named intrinsics non-modifiable (#11953) This PR makes ~all named intrinsics in all of our JavaScript processes non-modifiable. A named intrinsic is any property specified by the ECMAScript specification that exists on `globalThis` when the JavaScript process starts. We say that a property is non-modifiable if it is non-configurable and non-writable. We make exceptions for properties that meet any of the following criteria: 1. Properties that are non-configurable by the time `lockdown-run.js` is executed are not modified, because they can't be. 2. Properties that have accessor properties (`get` or `set`) are made non-configurable, but their writability cannot be modified, and is therefore left unchanged. It's unclear how many of the named intrinsics this applies to, if any, but it's good defensive programming, regardless. 2021-08-30 23:30:48 +02:00			`globalThis.sentry.captureException(`
			new Error(`Lockdown failed: ${error.message}`),
			`);`
			`}`
			`}`