From 365c1e32d262e45138b06f149dec81607359376b Mon Sep 17 00:00:00 2001
From: weizman
Date: Fri, 23 Jun 2023 18:25:24 +0300
Subject: [PATCH] Integrate Snow with LavaMoat scuttling protection (#17969)
---
 app/scripts/use-snow.js | 19 +++-
 development/build/index.js | 7 +-
 lavamoat/build-system/policy.json | 100 ++++++++-------------
 package.json | 6 +-
 yarn.lock | 141 ++++++++++++++----------------
 5 files changed, 126 insertions(+), 147 deletions(-)
diff --git a/app/scripts/use-snow.js b/app/scripts/use-snow.js
index 11b01d78d..868db4e36 100644
--- a/app/scripts/use-snow.js
+++ b/app/scripts/use-snow.js
@@ -1,8 +1,21 @@
+/*
+NOTICE:
+This Snow + LavaMoat scuttling integration is currently being used
+with an experimental API (https://github.com/LavaMoat/LavaMoat/pull/462).
+Changing this code must be done cautiously to avoid breaking the app!
+*/
+
 // eslint-disable-next-line import/unambiguous
 (function () {
 const log = console.log.bind(console);
- const msg = 'SNOW INTERCEPTED NEW WINDOW CREATION IN METAMASK APP: ';
- window.top.SNOW((win) => {
- log(msg, win, win?.frameElement);
+ const msg =
+ 'Snow detected a new realm creation attempt in MetaMask. Performing scuttling on new realm.';
+ Object.defineProperty(window.top, 'SCUTTLER', {
+ value: (realm, scuttle) => {
+ window.top.SNOW((win) => {
+ log(msg, win);
+ scuttle(win);
+ }, realm);
+ },
 });
 })();
diff --git a/development/build/index.js b/development/build/index.js
index 33051f5a3..84ee91040 100755
--- a/development/build/index.js
+++ b/development/build/index.js
@@ -147,8 +147,11 @@ async function defineAndRunBuildTasks() {
 // build lavamoat runtime file
 await lavapack.buildRuntime({
- scuttleGlobalThis: applyLavaMoat && shouldScuttle,
- scuttleGlobalThisExceptions,
+ scuttleGlobalThis: {
+ enabled: applyLavaMoat && shouldScuttle,
+ scuttlerName: 'SCUTTLER',
+ exceptions: scuttleGlobalThisExceptions,
+ },
 });
 }
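Review bot: In app/scripts/use-snow.js the `SCUTTLER` callback looks up `window.top.SNOW` each time it runs instead of capturing it when the script executes, so the hook is only as trustworthy as that global is at call time. Whether Snow installs `SNOW` as a non-writable property is not visible in this hunk; if it does not, binding it once (`const snow = window.top.SNOW;` next to `log`, then `snow((win) => { … }, realm)`) removes that dependency. The `Object.defineProperty` call passes only `value`, so the property defaults to non-writable and non-configurable, which is what keeps `SCUTTLER` from being replaced later. That deserves a comment such as `// defaults (writable/configurable: false) are intentional: SCUTTLER must not be replaceable`.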
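Review bot: In development/build/index.js, `scuttlerName: 'SCUTTLER'` has to match the property that app/scripts/use-snow.js defines on `window.top`, and nothing ties the two string literals together. What the LavaMoat runtime does when the named scuttler is missing is not visible in this hunk, so a rename on either side could quietly change how scuttling is applied to new realms. A comment on that line, for example `// must match the global defined in app/scripts/use-snow.js`, would make the coupling explicit. defineAndRunBuildTasks starts outside the hunk.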
diff --git a/lavamoat/build-system/policy.json b/lavamoat/build-system/policy.json index 9ee988092..98fd8942c 100644 --- a/lavamoat/build-system/policy.json +++ b/lavamoat/build-system/policy.json @@ -168,9 +168,13 @@ }, "@babel/eslint-parser": { "builtin": { - "path": true + "module": true, + "path": true, + "worker_threads": true }, "globals": { + "__dirname": true, + "process.cwd": true, "process.versions": true }, "packages": { @@ -1045,17 +1049,18 @@ "globals": { "__dirname": true, "__filename.slice": true, + "console.warn": true, "process.cwd": true, "setTimeout": true }, "packages": { "@lavamoat/lavapack>combine-source-map": true, - "@lavamoat/lavapack>lavamoat-core": true, + "@lavamoat/lavapack>convert-source-map": true, "@lavamoat/lavapack>readable-stream": true, "@lavamoat/lavapack>umd": true, "browserify>JSONStream": true, "lavamoat>json-stable-stringify": true, - "nyc>convert-source-map": true, + "lavamoat>lavamoat-core": true, "through2": true } }, @@ -1082,26 +1087,12 @@ "@lavamoat/lavapack>combine-source-map>inline-source-map>source-map": true } }, - "@lavamoat/lavapack>lavamoat-core": { - "builtin": { - "events": true, - "fs.existsSync": true, - "fs.readFileSync": true, - "fs.writeFileSync": true, - "path.extname": true, - "path.join": true - }, + "@lavamoat/lavapack>convert-source-map": { "globals": { - "__dirname": true, - "console.error": true, - "console.warn": true, - "define": true - }, - "packages": { - "lavamoat>json-stable-stringify": true, - "lavamoat>lavamoat-core>merge-deep": true, - "lavamoat>lavamoat-tofu": true, - "nyc>process-on-spawn>fromentries": true + "Buffer": true, + "atob": true, + "btoa": true, + "value": true } }, "@lavamoat/lavapack>readable-stream": { 
@@ -2858,12 +2849,12 @@ "eslint-plugin-react>estraverse": true, "eslint-plugin-react>jsx-ast-utils": true, "eslint-plugin-react>object.entries": true, + "eslint-plugin-react>object.fromentries": true, "eslint-plugin-react>object.hasown": true, "eslint-plugin-react>object.values": true, "eslint-plugin-react>resolve": true, "eslint-plugin-react>semver": true, "eslint>minimatch": true, - "lavamoat>object.fromentries": true, "prop-types": true, "string.prototype.matchall": true } @@ -2923,6 +2914,13 @@ "string.prototype.matchall>es-abstract": true } }, + "eslint-plugin-react>object.fromentries": { + "packages": { + "globalthis>define-properties": true, + "string.prototype.matchall>call-bind": true, + "string.prototype.matchall>es-abstract": true + } + }, "eslint-plugin-react>object.hasown": { "packages": { "string.prototype.matchall>es-abstract": true @@ -2984,6 +2982,9 @@ "util": true }, "globals": { + "__filename": true, + "process.cwd": true, + "process.emitWarning": true, "process.platform": true }, "packages": { @@ -6141,8 +6142,8 @@ "setTimeout": true }, "packages": { + "@lavamoat/lavapack": true, "duplexify": true, - "lavamoat-browserify>@lavamoat/lavapack": true, "lavamoat-browserify>browser-resolve": true, "lavamoat-browserify>concat-stream": true, "lavamoat-browserify>readable-stream": true, 
@@ -6152,37 +6153,6 @@ "lavamoat>lavamoat-core": true } }, - "lavamoat-browserify>@lavamoat/lavapack": { - "builtin": { - "assert": true, - "buffer.Buffer.from": true, - "fs.promises.readFile": true, - "fs.promises.writeFile": true, - "fs.readFileSync": true, - "path.join": true, - "path.relative": true - }, - "globals": { - "__dirname": true, - "process.cwd": true, - "setTimeout": true - }, - "packages": { - "@lavamoat/lavapack>combine-source-map": true, - "@lavamoat/lavapack>umd": true, - "browserify>JSONStream": true, - "lavamoat-browserify>@lavamoat/lavapack>through2": true, - "lavamoat-browserify>readable-stream": true, - "lavamoat>json-stable-stringify": true, - "lavamoat>lavamoat-core": true, - "nyc>convert-source-map": true - } - }, - "lavamoat-browserify>@lavamoat/lavapack>through2": { - "packages": { - "lavamoat-browserify>readable-stream": true - } - }, "lavamoat-browserify>browser-resolve": { "builtin": { "fs.readFile": true, @@ -6319,8 +6289,7 @@ "packages": { "lavamoat>json-stable-stringify": true, "lavamoat>lavamoat-core>merge-deep": true, - "lavamoat>lavamoat-tofu": true, - "nyc>process-on-spawn>fromentries": true + "lavamoat>lavamoat-tofu": true } }, "lavamoat>lavamoat-core>merge-deep": { @@ -6396,13 +6365,6 @@ "depcheck>@babel/traverse": true } }, - "lavamoat>object.fromentries": { - "packages": { - "globalthis>define-properties": true, - "string.prototype.matchall>call-bind": true, - "string.prototype.matchall>es-abstract": true - } - }, "lodash": { "globals": { "define": true @@ -8623,6 +8585,12 @@ "jsdom>request>is-typedarray": true } }, + "superstruct": { + "globals": { + "console.warn": true, + "define": true + } + }, "terser": { "globals": { "Buffer": true, @@ -8981,6 +8949,7 @@ }, "globals": { "Error": true, + "__dirname": true, "console": true, "process": true }, @@ -8995,6 +8964,9 @@ } }, "yargs>cliui": { + "globals": { + "process": true + }, "packages": { "eslint>strip-ansi": true, "yargs>cliui>wrap-ansi": true, 
diff --git a/package.json b/package.json index 021cad8ac..eb17e8b69 100644 --- a/package.json +++ b/package.json @@ -371,7 +371,7 @@ "@babel/register": "^7.5.5", "@ethersproject/bignumber": "^5.7.0", "@lavamoat/allow-scripts": "^2.0.3", - "@lavamoat/lavapack": "^5.0.0", + "@lavamoat/lavapack": "^5.2.0", "@metamask/auto-changelog": "^2.1.0", "@metamask/eslint-config": "^9.0.0", "@metamask/eslint-config-jest": "^9.0.0", @@ -494,8 +494,8 @@ "jsdom": "^11.2.0", "junit-report-merger": "^4.0.0", "koa": "^2.7.0", - "lavamoat": "^6.3.0", - "lavamoat-browserify": "^15.5.0", + "lavamoat": "^7.1.0", + "lavamoat-browserify": "^15.7.0", "lavamoat-viz": "^6.0.9", "lockfile-lint": "^4.9.6", "loose-envify": "^1.4.0", diff --git a/yarn.lock b/yarn.lock index 927c8c3d1..10aeefc01 100644 --- a/yarn.lock +++ b/yarn.lock @@ -80,7 +80,7 @@ __metadata: languageName: node linkType: hard -"@babel/code-frame@npm:^7.0.0, @babel/code-frame@npm:^7.10.4, @babel/code-frame@npm:^7.12.13, @babel/code-frame@npm:^7.16.7, @babel/code-frame@npm:^7.18.6, @babel/code-frame@npm:^7.21.4": +"@babel/code-frame@npm:^7.0.0, @babel/code-frame@npm:^7.12.13, @babel/code-frame@npm:^7.16.7, @babel/code-frame@npm:^7.18.6, @babel/code-frame@npm:^7.21.4": version: 7.21.4 resolution: "@babel/code-frame@npm:7.21.4" dependencies: @@ -445,7 +445,7 @@ __metadata: languageName: node linkType: hard -"@babel/highlight@npm:^7.10.4, @babel/highlight@npm:^7.18.6": +"@babel/highlight@npm:^7.18.6": version: 7.18.6 resolution: "@babel/highlight@npm:7.18.6" dependencies: 
@@ -3532,35 +3532,19 @@ __metadata: languageName: node linkType: hard -"@lavamoat/lavapack@npm:^3.3.0": - version: 3.3.0 - resolution: "@lavamoat/lavapack@npm:3.3.0" +"@lavamoat/lavapack@npm:^5.2.0": + version: 5.2.0 + resolution: "@lavamoat/lavapack@npm:5.2.0" dependencies: JSONStream: ^1.3.5 combine-source-map: ^0.8.0 - convert-source-map: ^1.7.0 - json-stable-stringify: ^1.0.1 - lavamoat-core: ^12.4.0 + convert-source-map: ^2.0.0 + json-stable-stringify: ^1.0.2 + lavamoat-core: ^14.2.0 readable-stream: ^3.6.0 through2: ^4.0.2 umd: ^3.0.3 - checksum: 77f6588d38d53f0feba1856de409829969dc3592b9b4d1e722fd395a1eabae6a8983648e2929ef9243fd6ead6919683cb87e65433325601bafabcf8b46dc83be - languageName: node - linkType: hard - -"@lavamoat/lavapack@npm:^5.0.0": - version: 5.0.0 - resolution: "@lavamoat/lavapack@npm:5.0.0" - dependencies: - JSONStream: ^1.3.5 - combine-source-map: ^0.8.0 - convert-source-map: ^1.7.0 - json-stable-stringify: ^1.0.1 - lavamoat-core: ^14.0.0 - readable-stream: ^3.6.0 - through2: ^4.0.2 - umd: ^3.0.3 - checksum: 93b60ced99a23a87f83bf354f6996029757ea76d6b92e8b4b874ef50224515feda47dadd62cdda88c53e703111ddf36a8ef8f19c682e85ad4218f709a4081dbd + checksum: c98bcc310de38b4ad2ce2aeafb69ba293a1083f6683a9f120aef2e187501620f5241361da2966fa07bcb57d004037b0ccf556325364f44c1c021c949fb87e45d languageName: node linkType: hard @@ -12858,6 +12842,13 @@ __metadata: languageName: node linkType: hard +"convert-source-map@npm:^1.9.0": + version: 1.9.0 + resolution: "convert-source-map@npm:1.9.0" + checksum: dc55a1f28ddd0e9485ef13565f8f756b342f9a46c4ae18b843fe3c30c675d058d6a4823eff86d472f187b176f0adf51ea7b69ea38be34be4a63cbbf91b0593c8 + languageName: node + linkType: hard + "convert-source-map@npm:^2.0.0": version: 2.0.0 resolution: "convert-source-map@npm:2.0.0" 
@@ -22988,24 +22979,23 @@ __metadata: languageName: node linkType: hard -"lavamoat-browserify@npm:^15.5.0": - version: 15.5.0 - resolution: "lavamoat-browserify@npm:15.5.0" +"lavamoat-browserify@npm:^15.7.0": + version: 15.7.0 + resolution: "lavamoat-browserify@npm:15.7.0" dependencies: - "@babel/code-frame": ^7.16.7 "@lavamoat/aa": ^3.1.0 - "@lavamoat/lavapack": ^3.3.0 + "@lavamoat/lavapack": ^5.2.0 browser-resolve: ^2.0.0 concat-stream: ^2.0.0 - convert-source-map: ^1.8.0 + convert-source-map: ^1.9.0 duplexify: ^4.1.1 json-stable-stringify: ^1.0.1 - lavamoat-core: ^12.4.0 + lavamoat-core: ^14.2.0 pify: ^4.0.1 readable-stream: ^3.6.0 - source-map: ^0.7.3 + source-map: ^0.7.4 through2: ^3.0.0 - checksum: b9d4ccbe6dd09aa63145f89f99f0b3ac269930a5e419cc836659f8c6a7e26b78d2dd3722e44055e6436d2334b044c348895f512d134ee8b5dc4ee87adc890b6f + checksum: 7832820c688439c699d4b99ef6860ff4cab67003e20fad4194e847873bfe3f2d3a4caea3229e61bd0e9e35ca384e2aa5f39ce1370a43b1bdd9c9bca8c226d080 languageName: node linkType: hard 
@@ -23022,27 +23012,14 @@ __metadata: languageName: node linkType: hard -"lavamoat-core@npm:^12.3.0, lavamoat-core@npm:^12.4.0": - version: 12.4.0 - resolution: "lavamoat-core@npm:12.4.0" +"lavamoat-core@npm:^14.2.0": + version: 14.2.0 + resolution: "lavamoat-core@npm:14.2.0" dependencies: - fromentries: ^1.2.0 - json-stable-stringify: ^1.0.1 + json-stable-stringify: ^1.0.2 lavamoat-tofu: ^6.0.2 - merge-deep: ^3.0.2 - checksum: 432a8968035370feb51e50f35306e7f85015e3b56440dbd41b6d3eec7f4bc82c3d1f16c6a627549df2665499c49bcb6e55fa697bccc6839bac1de12804019c1d - languageName: node - linkType: hard - -"lavamoat-core@npm:^14.0.0": - version: 14.0.0 - resolution: "lavamoat-core@npm:14.0.0" - dependencies: - fromentries: ^1.2.0 - json-stable-stringify: ^1.0.1 - lavamoat-tofu: ^6.0.2 - merge-deep: ^3.0.2 - checksum: 16c2402aceba339ab25b830d476e95078edc1c978ef2623497ecb07f6b5eb8241541f67755a06cf3562680c1834b69d7e86ca421848b670378ad4fb0d62923ad + merge-deep: ^3.0.3 + checksum: 2f254c85a466561393a9ad0b8bcd8ff93b7b195d2f820f89be452348559f3fa689260887dcf4af3d605bc7ddb8fef2637ca7d5bfe1b7f565050aca172b9733d6 languageName: node linkType: hard 
@@ -23072,26 +23049,25 @@ __metadata: languageName: node linkType: hard -"lavamoat@npm:^6.3.0": - version: 6.4.0 - resolution: "lavamoat@npm:6.4.0" +"lavamoat@npm:^7.1.0": + version: 7.1.0 + resolution: "lavamoat@npm:7.1.0" dependencies: - "@babel/code-frame": ^7.10.4 - "@babel/highlight": ^7.10.4 + "@babel/code-frame": ^7.21.4 + "@babel/highlight": ^7.18.6 "@lavamoat/aa": ^3.1.0 bindings: ^1.5.0 htmlescape: ^1.1.1 - json-stable-stringify: ^1.0.1 - lavamoat-core: ^12.3.0 + json-stable-stringify: ^1.0.2 + lavamoat-core: ^14.2.0 lavamoat-tofu: ^6.0.2 - node-gyp-build: ^4.2.3 - object.fromentries: ^2.0.2 - resolve: ^1.17.0 - yargs: ^16.0.0 + node-gyp-build: ^4.6.0 + resolve: ^1.22.3 + yargs: ^17.7.2 bin: lavamoat: src/cli.js lavamoat-run-command: src/run-command.js - checksum: 5a058b0b62fa4d6baa477775dc03433c0064e7ab0f14f4a540aa033154c3484cd9b59ec66e2968e387087c24531b09cbd6a70a3a11f4b52e3b4519cd3672c54c + checksum: 57414b6d434eaf07ad2875ebb5a79453da7d9c377ed19e604a73f66772bf61a40abfb747bc7e0bc5a4808b0debf3a228dc9069eb87dc772b4d615b11d4e91d34 languageName: node linkType: hard @@ -24309,7 +24285,7 @@ __metadata: languageName: node linkType: hard -"merge-deep@npm:^3.0.2": +"merge-deep@npm:^3.0.2, merge-deep@npm:^3.0.3": version: 3.0.3 resolution: "merge-deep@npm:3.0.3" dependencies: @@ -24411,7 +24387,7 @@ __metadata: "@keystonehq/bc-ur-registry-eth": ^0.19.1 "@keystonehq/metamask-airgapped-keyring": ^0.13.1 "@lavamoat/allow-scripts": ^2.0.3 - "@lavamoat/lavapack": ^5.0.0 + "@lavamoat/lavapack": ^5.2.0 "@lavamoat/snow": ^1.5.0 "@material-ui/core": ^4.11.0 "@metamask-institutional/custody-controller": 0.2.6 @@ -24638,8 +24614,8 @@ __metadata: junit-report-merger: ^4.0.0 koa: ^2.7.0 labeled-stream-splicer: ^2.0.2 - lavamoat: ^6.3.0 - lavamoat-browserify: ^15.5.0 + lavamoat: ^7.1.0 + lavamoat-browserify: ^15.7.0 lavamoat-viz: ^6.0.9 localforage: ^1.9.0 lockfile-lint: ^4.9.6 
@@ -26111,14 +26087,14 @@ __metadata: languageName: node linkType: hard -"node-gyp-build@npm:^4.2.0, node-gyp-build@npm:^4.2.2, node-gyp-build@npm:^4.2.3, node-gyp-build@npm:^4.3.0": - version: 4.5.0 - resolution: "node-gyp-build@npm:4.5.0" +"node-gyp-build@npm:^4.2.0, node-gyp-build@npm:^4.2.2, node-gyp-build@npm:^4.3.0, node-gyp-build@npm:^4.6.0": + version: 4.6.0 + resolution: "node-gyp-build@npm:4.6.0" bin: node-gyp-build: bin.js node-gyp-build-optional: optional.js node-gyp-build-test: build-test.js - checksum: d888bae0fb88335f69af1b57a2294a931c5042f36e413d8d364c992c9ebfa0b96ffe773179a5a2c8f04b73856e8634e09cce108dbb9804396d3cc8c5455ff2db + checksum: 25d78c5ef1f8c24291f4a370c47ba52fcea14f39272041a90a7894cd50d766f7c8cb8fb06c0f42bf6f69b204b49d9be3c8fc344aac09714d5bdb95965499eb15 languageName: node linkType: hard @@ -26631,7 +26607,7 @@ __metadata: languageName: node linkType: hard -"object.fromentries@npm:^2.0.2, object.fromentries@npm:^2.0.5": +"object.fromentries@npm:^2.0.5": version: 2.0.6 resolution: "object.fromentries@npm:2.0.6" dependencies: @@ -35874,7 +35850,7 @@ __metadata: languageName: node linkType: hard -"yargs@npm:17.7.1, yargs@npm:^17.0.1, yargs@npm:^17.3.1": +"yargs@npm:17.7.1": version: 17.7.1 resolution: "yargs@npm:17.7.1" dependencies: @@ -35908,6 +35884,21 @@ __metadata: languageName: node linkType: hard +"yargs@npm:^17.0.1, yargs@npm:^17.3.1, yargs@npm:^17.7.2": + version: 17.7.2 + resolution: "yargs@npm:17.7.2" + dependencies: + cliui: ^8.0.1 + escalade: ^3.1.1 + get-caller-file: ^2.0.5 + require-directory: ^2.1.1 + string-width: ^4.2.3 + y18n: ^5.0.5 + yargs-parser: ^21.1.1 + checksum: 73b572e863aa4a8cbef323dd911d79d193b772defd5a51aab0aca2d446655216f5002c42c5306033968193bdbf892a7a4c110b0d77954a7fdf563e653967b56a + languageName: node + linkType: hard + "yargs@npm:^4.7.1": version: 4.8.1 resolution: "yargs@npm:4.8.1"