security - update SES lockdown (#10663)

* update ses * build - reference ses directly * deps - unify regenerator-runtime versions on 0.13.7 * patches - apply regenerator-runtime ses compat patch\nhttps://github.com/facebook/regenerator/pull/411 * patches - patch regenerator-runtime for latest ses fix * reduc patch, new lockdown severe override taming * updated redux patch * update redux patch for production * ignore lockdown in lint * deps - bump patch-package just in case * trailing comma * remove ses as dep * fix path for frozen promise * remove js extension in lockdown require * Revert "ignore lockdown in lint" This reverts commit 8cefdc94dd25d7781bb09eed8af36441397676da. * Revert "build - reference ses directly" This reverts commit 30371a377dcdd781c1bf9abe55e9c8ae34da26b5. * deps - update ses * Revert "fix path for frozen promise" This reverts commit 966e4c60921a25befe8ca8dea58313cc25852f72. Co-authored-by: kumavis <aaron@kumavis.me>
2024-12-23 09:52:26 +01:00 · 2021-03-26 12:27:25 +08:00 · 2021-03-26 12:27:25 +08:00 · 8fc2c3272a
commit 8fc2c3272a
parent 715f699ed9
5 changed files with 190 additions and 28 deletions
--- a/app/scripts/runLockdown.js
+++ b/app/scripts/runLockdown.js
@ -6,6 +6,7 @@ try {
    errorTaming: 'unsafe',
    mathTaming: 'unsafe',
    dateTaming: 'unsafe',
+    overrideTaming: 'severe',
  });
 } catch (error) {
  // If the `lockdown` call throws an exception, it interferes with the
--- a/package.json
+++ b/package.json
@ -59,6 +59,7 @@
    "lavamoat:debug": "lavamoat ./development/build/index.js --writeAutoPolicyDebug"
  },
  "resolutions": {
+    "**/regenerator-runtime": "^0.13.7",
    "**/configstore/dot-prop": "^5.1.1",
    "**/ethers/elliptic": "^6.5.4",
    "**/knex/minimist": "^1.2.5",
@ -176,6 +177,7 @@
    "reselect": "^3.0.1",
    "rpc-cap": "^3.2.1",
    "safe-event-emitter": "^1.0.1",
+    "ses": "^0.12.4",
    "single-call-balance-checker-abi": "^1.0.0",
    "swappable-obj-proxy": "^1.1.0",
    "textarea-caret": "^3.0.1",
@ -259,7 +261,7 @@
    "nock": "^9.0.14",
    "node-fetch": "^2.6.1",
    "nyc": "^15.0.0",
-    "patch-package": "^6.2.2",
+    "patch-package": "^6.4.7",
    "polyfill-crypto.getrandomvalues": "^1.0.0",
    "prettier": "^2.1.1",
    "prettier-plugin-sort-json": "^0.0.1",
@ -275,7 +277,6 @@
    "sass-loader": "^10.1.1",
    "selenium-webdriver": "4.0.0-alpha.7",
    "serve-handler": "^6.1.2",
-    "ses": "0.11.0",
    "sinon": "^9.0.0",
    "source-map": "^0.7.2",
    "source-map-explorer": "^2.4.2",
--- a/patches/@reduxjs+toolkit+1.5.0.patch
+++ b/patches/@reduxjs+toolkit+1.5.0.patch
--- a/patches/regenerator-runtime+0.13.7.patch
+++ b/patches/regenerator-runtime+0.13.7.patch
@ -0,0 +1,67 @@
+diff --git a/node_modules/regenerator-runtime/runtime.js b/node_modules/regenerator-runtime/runtime.js
+index 547b8c6..c53a471 100644
+--- a/node_modules/regenerator-runtime/runtime.js
+++ b/node_modules/regenerator-runtime/runtime.js
+@@ -5,7 +5,7 @@
+  * LICENSE file in the root directory of this source tree.
+  */
+ 
+-var runtime = (function (exports) {
+ var runtime = (function (exports) {
+   "use strict";
+ 
+   var Op = Object.prototype;
+@@ -86,9 +86,9 @@ var runtime = (function (exports) {
+   // This is a polyfill for %IteratorPrototype% for environments that
+   // don't natively support it.
+   var IteratorPrototype = {};
+-  IteratorPrototype[iteratorSymbol] = function () {
+  define(IteratorPrototype, iteratorSymbol, function () {
+     return this;
+-  };
+  });
+ 
+   var getProto = Object.getPrototypeOf;
+   var NativeIteratorPrototype = getProto && getProto(getProto(values([])));
+@@ -102,8 +102,9 @@ var runtime = (function (exports) {
+ 
+   var Gp = GeneratorFunctionPrototype.prototype =
+     Generator.prototype = Object.create(IteratorPrototype);
+-  GeneratorFunction.prototype = Gp.constructor = GeneratorFunctionPrototype;
+-  GeneratorFunctionPrototype.constructor = GeneratorFunction;
+  GeneratorFunction.prototype = GeneratorFunctionPrototype;
+  define(Gp, "constructor", GeneratorFunctionPrototype);
+  define(GeneratorFunctionPrototype, "constructor", GeneratorFunction);
+   GeneratorFunction.displayName = define(
+     GeneratorFunctionPrototype,
+     toStringTagSymbol,
+@@ -217,9 +218,9 @@ var runtime = (function (exports) {
+   }
+ 
+   defineIteratorMethods(AsyncIterator.prototype);
+-  AsyncIterator.prototype[asyncIteratorSymbol] = function () {
+  define(AsyncIterator.prototype, asyncIteratorSymbol, function () {
+     return this;
+-  };
+  });
+   exports.AsyncIterator = AsyncIterator;
+ 
+   // Note that simple async functions are implemented on top of
+@@ -412,13 +413,13 @@ var runtime = (function (exports) {
+   // iterator prototype chain incorrectly implement this, causing the Generator
+   // object to not be returned from this call. This ensures that doesn't happen.
+   // See https://github.com/facebook/regenerator/issues/274 for more details.
+-  Gp[iteratorSymbol] = function() {
+  define(Gp, iteratorSymbol, function() {
+     return this;
+-  };
+  });
+ 
+-  Gp.toString = function() {
+  define(Gp, "toString", function() {
+     return "[object Generator]";
+-  };
+  });
+ 
+   function pushTryEntry(locs) {
+     var entry = { tryLoc: locs[0] };
--- a/yarn.lock
+++ b/yarn.lock
@ -52,10 +52,10 @@
  resolved "https://registry.yarnpkg.com/@agoric/babel-standalone/-/babel-standalone-7.9.5.tgz#1ca0c17844924199d31e49d6b67e8b2a629b8599"
  integrity sha512-1Aa23oPuRi4kywUyZODo8zey9Gq2NpD2xUnNvgJLoT8orMQRlVOtvbG3JeHq5sjJERlF/q6csg4/P8t8/5IABA==

-"@agoric/make-hardener@^0.1.0":
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/@agoric/make-hardener/-/make-hardener-0.1.1.tgz#9b887da47aeec6637d9db4f0a92a4e740b8262bb"
-  integrity sha512-3emNc+yWJoFK5JMLoEFPs6rCzkntWQKxpR4gt3jaZYLKoUG4LrTmID3XNe8y40B6SJ3k/wLPodKa0ToQGlhrwQ==
+"@agoric/make-hardener@^0.1.2":
+  version "0.1.3"
+  resolved "https://registry.yarnpkg.com/@agoric/make-hardener/-/make-hardener-0.1.3.tgz#807b0072bef95d935c3370d406d9dfeb719f69ee"
+  integrity sha512-rc9M2ErE/Zu822OLCnAltr957ZVTsBvVZ7KA2unqDpjo3q7PqZF2hWFB1xXD2Qkfwt5exQ3BjFbkj+NUaTg4gA==

 "@agoric/transform-module@^0.4.1":
  version "0.4.1"
@ -11026,6 +11026,13 @@ find-yarn-workspace-root@^1.2.1:
    fs-extra "^4.0.3"
    micromatch "^3.1.4"

+find-yarn-workspace-root@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/find-yarn-workspace-root/-/find-yarn-workspace-root-2.0.0.tgz#f47fb8d239c900eb78179aa81b66673eac88f7bd"
+  integrity sha512-1IMnbjt4KzsQfnhnzNd8wUEgXZ44IzZaZmnLYx7D5FZlaHt2gW20Cri8Q+E/t5tIj4+epTBub+2Zxu/vNILzqQ==
+  dependencies:
+    micromatch "^4.0.2"
+
 findup-sync@^2.0.0:
  version "2.0.0"
  resolved "https://registry.yarnpkg.com/findup-sync/-/findup-sync-2.0.0.tgz#9326b1488c22d1a6088650a86901b2d9a90a2cbc"
@ -18185,6 +18192,14 @@ open@^7.0.2, open@^7.0.3:
    is-docker "^2.0.0"
    is-wsl "^2.1.1"

+open@^7.4.2:
+  version "7.4.2"
+  resolved "https://registry.yarnpkg.com/open/-/open-7.4.2.tgz#b8147e26dcf3e426316c730089fd71edd29c2321"
+  integrity sha512-MVHddDVweXZF3awtlAS+6pgKLlm/JgxZ90+/NBurBoQctVOOB/zDdVjcyPzQ+0laDGbsWgrRkflI65sQeOgT9Q==
+  dependencies:
+    is-docker "^2.0.0"
+    is-wsl "^2.1.1"
+
 opencollective-postinstall@^2.0.0:
  version "2.0.2"
  resolved "https://registry.yarnpkg.com/opencollective-postinstall/-/opencollective-postinstall-2.0.2.tgz#5657f1bede69b6e33a45939b061eb53d3c6c3a89"
@ -18876,7 +18891,7 @@ pascalcase@^0.1.1:
  resolved "https://registry.yarnpkg.com/pascalcase/-/pascalcase-0.1.1.tgz#b363e55e8006ca6fe21784d2db22bd15d7917f14"
  integrity sha1-s2PlXoAGym/iF4TS2yK9FdeRfxQ=

-patch-package@6.2.2, patch-package@^6.2.2:
+patch-package@6.2.2:
  version "6.2.2"
  resolved "https://registry.yarnpkg.com/patch-package/-/patch-package-6.2.2.tgz#71d170d650c65c26556f0d0fbbb48d92b6cc5f39"
  integrity sha512-YqScVYkVcClUY0v8fF0kWOjDYopzIM8e3bj/RU1DPeEF14+dCGm6UeOYm4jvCyxqIEQ5/eJzmbWfDWnUleFNMg==
@ -18894,6 +18909,25 @@ patch-package@6.2.2, patch-package@^6.2.2:
    slash "^2.0.0"
    tmp "^0.0.33"

+patch-package@^6.4.7:
+  version "6.4.7"
+  resolved "https://registry.yarnpkg.com/patch-package/-/patch-package-6.4.7.tgz#2282d53c397909a0d9ef92dae3fdeb558382b148"
+  integrity sha512-S0vh/ZEafZ17hbhgqdnpunKDfzHQibQizx9g8yEf5dcVk3KOflOfdufRXQX8CSEkyOQwuM/bNz1GwKvFj54kaQ==
+  dependencies:
+    "@yarnpkg/lockfile" "^1.1.0"
+    chalk "^2.4.2"
+    cross-spawn "^6.0.5"
+    find-yarn-workspace-root "^2.0.0"
+    fs-extra "^7.0.1"
+    is-ci "^2.0.0"
+    klaw-sync "^6.0.0"
+    minimist "^1.2.0"
+    open "^7.4.2"
+    rimraf "^2.6.3"
+    semver "^5.6.0"
+    slash "^2.0.0"
+    tmp "^0.0.33"
+
 path-browserify@0.0.1, path-browserify@~0.0.0:
  version "0.0.1"
  resolved "https://registry.yarnpkg.com/path-browserify/-/path-browserify-0.0.1.tgz#e6c4ddd7ed3aa27c68a20cc4e50e1a4ee83bbc4a"
@ -20999,22 +21033,7 @@ regenerate@^1.2.1, regenerate@^1.4.0:
  resolved "https://registry.yarnpkg.com/regenerate/-/regenerate-1.4.0.tgz#4a856ec4b56e4077c557589cae85e7a4c8869a11"
  integrity sha512-1G6jJVDWrt0rK99kBjvEtziZNCICAuvIPkSiUFIQxVP06RCVpq3dmDo2oi6ABpYaDYaTRr67BEhL8r1wgEZZKg==

-regenerator-runtime@0.13.3:
-  version "0.13.3"
-  resolved "https://registry.yarnpkg.com/regenerator-runtime/-/regenerator-runtime-0.13.3.tgz#7cf6a77d8f5c6f60eb73c5fc1955b2ceb01e6bf5"
-  integrity sha512-naKIZz2GQ8JWh///G7L3X6LaQUAMp2lvb1rvwwsURe/VXwD6VMfr+/1NuNw3ag8v2kY1aQ/go5SNn79O9JU7yw==
-
-regenerator-runtime@^0.11.0:
-  version "0.11.1"
-  resolved "https://registry.yarnpkg.com/regenerator-runtime/-/regenerator-runtime-0.11.1.tgz#be05ad7f9bf7d22e056f9726cee5017fbf19e2e9"
-  integrity sha512-MguG95oij0fC3QV3URf4V2SDYGJhJnJGqvIIgdECeODCT98wSWDAJ94SSuVpYQUoTcGUIL6L4yNB7j1DFFHSBg==
-
-regenerator-runtime@^0.12.0:
-  version "0.12.1"
-  resolved "https://registry.yarnpkg.com/regenerator-runtime/-/regenerator-runtime-0.12.1.tgz#fa1a71544764c036f8c49b13a08b2594c9f8a0de"
-  integrity sha512-odxIc1/vDlo4iZcfXqRYFj0vpXFNoGdKMAUieAlFYO6m/nl5e9KR/beGf41z4a1FI+aQgtjhuaSlDxQ0hmkrHg==
-
-regenerator-runtime@^0.13.4, regenerator-runtime@^0.13.7:
+regenerator-runtime@0.13.3, regenerator-runtime@^0.11.0, regenerator-runtime@^0.12.0, regenerator-runtime@^0.13.4, regenerator-runtime@^0.13.7:
  version "0.13.7"
  resolved "https://registry.yarnpkg.com/regenerator-runtime/-/regenerator-runtime-0.13.7.tgz#cac2dacc8a1ea675feaabaeb8ae833898ae46f55"
  integrity sha512-a54FxoJDIr27pgf7IgeQGxmqUNYrcV338lf/6gH456HZ/PhX+5BcwHXG9ajESmwe6WRO0tAzRUrRmNONWgkrew==
@ -22137,13 +22156,13 @@ servify@^0.1.12:
    request "^2.79.0"
    xhr "^2.3.3"

-ses@0.11.0:
-  version "0.11.0"
-  resolved "https://registry.yarnpkg.com/ses/-/ses-0.11.0.tgz#1e470112ed320d169f0b850525858129c0be0881"
-  integrity sha512-3HH+23C4bijk9VegfiP+cBMqkGim/TMsj/DK5nh/pJFiNrCMfi5euvVluIV66ry202+uckg7nXKrgrEcBwU8SA==
+ses@^0.12.4:
+  version "0.12.4"
+  resolved "https://registry.yarnpkg.com/ses/-/ses-0.12.4.tgz#f466f7199292b5c4454949c7d497f5569ade5805"
+  integrity sha512-qbtkhuuAXNXb390yiaNUdNvDg/QmX7W2cO+srIUJllINMYADc/8m0vt7DNBmq+rqOBRrjVRPPeyQq8ZTLK3Rmw==
  dependencies:
    "@agoric/babel-standalone" "^7.9.5"
-    "@agoric/make-hardener" "^0.1.0"
+    "@agoric/make-hardener" "^0.1.2"
    "@agoric/transform-module" "^0.4.1"

 set-blocking@^2.0.0, set-blocking@~2.0.0: