1
0
mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-11-26 12:29:06 +01:00
Commit Graph

35 Commits

Author SHA1 Message Date
weizman
6d551f10fe
Update LavaMoat (core/lavapack) (#17061) 2023-01-18 14:35:37 +02:00
HowardBraham
b1fd7f7796
Fixes 'yarn start' on Windows - LavaPack is not defined (#13318) (#16550)
Co-authored-by: legobeat <109787230+legobeat@users.noreply.github.com>
2022-11-30 09:19:45 -06:00
weizman
42b8971571
Integrating snow into metamask (#15580) 2022-11-24 02:36:19 +02:00
Mark Stacey
b68aee1bef
Migrate the build script to yargs (#14836)
The build script now uses `yargs` rather than `minimist`. The CLI is
now better documented, and we have additional validation for each
option.

A patch for `yargs` was required because it would blow up on the line
`Error.captureStackTrace`. For some reason when running under LavaMoat,
that property did not exist.

Closes #12766
2022-06-21 17:37:05 -02:30
Jyoti Puri
843beb6d20
MV3: fix injection of applyLavamoat variable in service worker (#14920) 2022-06-18 12:40:30 +05:30
Mark Stacey
7199d9c567 Use externally hosted phishing warning page
An externally hosted phishing warning page is now used rather than the
built-in phishing warning page.The phishing page warning URL is set via
configuration file or environment variable. The default URL is either
the expected production URL or `http://localhost:9999/` for e2e testing
environments.

The new external phishing page includes a design change when it is
loaded within an iframe. In that case it now shows a condensed message,
and prompts the user to open the full warning page in a new tab to see
more details or bypass the warning. This is to prevent a clickjacking
attack from safelisting a site without user consent.

The new external phishing page also includes a simple caching service
worker to ensure it continues to work offline (or if our hosting goes
offline), as long as the user has successfully loaded the page at least
once. We also load the page temporarily during the extension startup
process to trigger the service worker installation.

The old phishing page and all related lines have been removed. The
property `web_accessible_resources` has also been removed from the
manifest. The only entry apart from the phishing page was `inpage.js`,
and we don't need that to be web accessible anymore because we inject
the script inline into each page rather than loading the file directly.

New e2e tests have been added to cover more phishing warning page
functionality, including the "safelist" action and the "iframe" case.
2022-05-16 14:40:50 -02:30
Mark Stacey
4139aa26a9 Derive version suffix from build type and version (#13895)
The version of a build is now derived from both the `version` field in
`package.json` and the requested build type and version. The build type
and version are added onto the manifest version as a suffix, according
to the SemVer prerelease format.

We already have support in the extension for versions of this format,
but to apply a Flask or Beta version required manual updates to
`package.json`. Now it can be done just with build arguments.

A `get-version` module was created to make it easier to generate the
version in the various places we do that during the build. It was
created in the `development/lib` directory because it will be used by
other non-build development scripts in a future PR.

The `BuildType` constant was extracted to its own module as well, and
moved to the `development/lib` directory. This was to make it clear
that it's used by various different development scripts, not just the
build.
2022-03-22 20:41:01 -07:00
Mark Stacey
00d2f90c77 Add platform-specific build type manifest modifications (#12638)
The build system now supports platform-specific modifications to the
manifest for each build type. The need to customize the `id` on Firefox
motivated this change.

To support this, a new directory was made in each build type directory
for manifest changes. The images currently in this directory were moved
into an `images` subdirectory.

This new `manifest` directory can include each manifest file currently
in `app/manifest`. The `_base.json` file is assumed to exist, but the
platform manifest modifications are optional.
2021-11-11 11:50:03 -07:00
Mark Stacey
90e55a445e
Add static files for the Flask build (#12518)
Static files have been added for the Flask build. This includes logos
of each size and variety that we use, and it includes the 3D model JSON
file.

Closes #12427
2021-10-28 23:05:58 -02:30
Mark Stacey
345ed9f6f2
Add build type to Sentry environment (#12441)
The build type (i.e. the distribution) is now included in the Sentry
environment during setup, for all builds except the "main" build. This
will allow us to track Flask and beta errors separately from other
errors.

A constant was created for the build types. The equivalent constant in
our build scripts was updated to match it more closely, for
consistency. We can't use the same constant in both places because our
shared constants are in modules that use ES6 exports, and our build
script does not yet support ES6 exports.

The singular `BuildType` was used rather than `BuildTypes` to match our
naming conventions elsewhere for enums. We name them like classes or
types, rather than like a collection.

Relates to #11896
2021-10-25 14:27:30 -02:30
David Walsh
77f8ec4d3a
Fix 12265 - Update onboarding welcome screen (#12275) 2021-10-13 09:22:51 -05:00
kumavis
cb174ff8e6
Lavamoat build system integration for WebApp (#12242)
* lavamoat - add lavamoat to webapp background

* test:e2e - add delay to resolve failure

* test:e2e - add delay to resolve failure

* build - add a switch for applying lavamoat, currently off for all

* test/e2e - remove delays added for lavamoat

* Revert "test/e2e - remove delays added for lavamoat"

This reverts commit 79c3479f15c072ed362ba1d4f1af41ea11a17d63.
2021-10-05 12:06:31 -10:00
kumavis
f9ea9e4b43
lockdown - breakout making globalThis properties non-writable (#12258)
* lockdown - breakout making globalThis properties non-writable into lockdown-more.js

* Update app/scripts/lockdown-more.js

Co-authored-by: David Walsh <davidwalsh83@gmail.com>

* Update app/scripts/lockdown-more.js

Co-authored-by: Erik Marks <25517051+rekmarks@users.noreply.github.com>

Co-authored-by: David Walsh <davidwalsh83@gmail.com>
Co-authored-by: Erik Marks <25517051+rekmarks@users.noreply.github.com>
2021-10-01 08:53:12 -10:00
Mark Stacey
4c38d12c5f
Fix assets for beta dev build (#12233)
The MetaMask logo used for beta development builds was wrong. The lock
screen (and any other place using the `@metamask/logo` logo) showed the
correct logo, but all of our static assets used the "regular" logo.

Now the beta logo should be used everywhere for beta development
builds.
2021-09-28 19:15:00 -02:30
Mark Stacey
3f577700c6
Replace isBeta with buildType (#12231)
This is a refactor to replace the `isBeta` boolean with `buildType`
throughout the build system. This will allow us to modify the behaviour
of each step of the build process for Flask as well.

This should result in no functional changes.
2021-09-28 13:43:26 -02:30
David Walsh
7b827ca5e7
Create MetaMask Beta build (#10985) 2021-09-08 15:08:23 -05:00
ryanml
4b4303c108
Using a normal bundle instead of a factored bundle for phishing-detect (build sys) (#11972) 2021-08-30 17:58:50 -10:00
Erik Marks
290fcbf89e
Allow excluding lockdown at build time (#11937)
This adds an `--omit-lockdown` flag to our build script, which will cause SES `lockdown` to be omitted from the resulting bundle. Useful for development when we don't want the environment to be locked down.

Thanks to @kumavis for the suggestion.
2021-08-30 16:49:39 -07:00
Erik Marks
1175b4bfa7
Make all named intrinsics non-modifiable (#11953)
This PR makes ~all named intrinsics in all of our JavaScript processes non-modifiable. A named intrinsic is any property specified by the ECMAScript specification that exists on `globalThis` when the JavaScript process starts. We say that a property is non-modifiable if it is non-configurable and non-writable. We make exceptions for properties that meet any of the following criteria:

1. Properties that are non-configurable by the time `lockdown-run.js` is executed are not modified, because they can't be.
2. Properties that have accessor properties (`get` or `set`) are made non-configurable, but their writability cannot be modified, and is therefore left unchanged. It's unclear how many of the named intrinsics this applies to, if any, but it's good defensive programming, regardless.
2021-08-30 14:30:48 -07:00
kumavis
9f4820ee98
Build - refactor for bundle factoring and swappable runtime (#11080)
* wip

* build - breakout sentry-install bundle

* deps - move new build sys deps to published versions

* chore: lint fix

* clean - remove unused file

* clean - remove unsused package script

* lavamoat - update build system policy

* build - render html to all platforms

* development - improve sourcemap debugger output

* deps - update lavapack

* lint - fix

* deps - update lavapack for bugfix

* deps - update lavapack for bugfix

* deps - bump lavapack for line ending normalization

* sourcemap explorer - disable boundary validation

* ci - reset normal ci flow

* build - re-enable minification on prod

* build - remove noisy log about html dest

* build - update terser and remove gulp wrapper for sourcemap fix

* Revert "sourcemap explorer - disable boundary validation"

This reverts commit 94112209ed880a6ebf4ee2ded411e59db6908162.

* build - reenable react-devtools in dev mode

* wip

* build - breakout sentry-install bundle

* deps - move new build sys deps to published versions

* chore: lint fix

* clean - remove unused file

* clean - remove unsused package script

* lavamoat - update build system policy

* build - render html to all platforms

* development - improve sourcemap debugger output

* deps - update lavapack

* lint - fix

* deps - update lavapack for bugfix

* deps - update lavapack for bugfix

* deps - bump lavapack for line ending normalization

* sourcemap explorer - disable boundary validation

* ci - reset normal ci flow

* build - re-enable minification on prod

* build - remove noisy log about html dest

* build - update terser and remove gulp wrapper for sourcemap fix

* Revert "sourcemap explorer - disable boundary validation"

This reverts commit 94112209ed880a6ebf4ee2ded411e59db6908162.

* build - reenable react-devtools in dev mode

* Updating lockfile

* lint fix

* build/dev - patch watchifys incompatible binary stats output

* ui - add comment about conditional import

* build - improve comment

* Update development/stream-flat-map.js

Co-authored-by: Brad Decker <git@braddecker.dev>

* Outputting all bundle file links (metamaskbot)

Co-authored-by: ryanml <ryanlanese@gmail.com>
Co-authored-by: Brad Decker <git@braddecker.dev>
2021-07-15 10:59:34 -07:00
Dan J Miller
be244f4908
Fix chromereload while on development (#11359) 2021-06-22 15:02:54 -02:30
Brad Decker
09d81ac5f2
remove the ui/app and ui/lib folders (#10911) 2021-04-28 14:53:59 -05:00
kumavis
0040b66e5c
build - fix use of empty file to replace unused js files (#10780) 2021-03-31 16:13:37 +08:00
kumavis
952adbce44
Build - refactor background process to use html (#10769)
* build - declare background as html

* build - fill in empty file when a missing file is expected

* lint - fix

* Update development/build/manifest.js

Co-authored-by: Mark Stacey <markjstacey@gmail.com>

* Update development/build/manifest.js

Co-authored-by: Mark Stacey <markjstacey@gmail.com>

Co-authored-by: Mark Stacey <markjstacey@gmail.com>
2021-03-31 11:12:28 +08:00
Erik Marks
76a2a9bb8b
@metamask/eslint config@5.0.0 (#10358)
* @metamask/eslint-config@5.0.0
* Update eslintrc and prettierrc
* yarn lint:fix
2021-02-04 10:15:23 -08:00
Mark Stacey
f386e4ce4b
Rename lockdown.cjs to lockdown.js (#10026)
When you load an extension `.zip` file in Firefox, it fails to load
scripts with the `.cjs` file extension. However, it works if you load
the extension via the `manifest.json` file instead.

After renaming the `lockdown.cjs` file to `lockdown.js`, it works in
Firefox in all cases, regardless whether it's loaded by manifest or by
`.zip`.
2020-12-09 12:04:11 -03:30
Mark Stacey
d13aabde23
Fix SES lockdown on older browsers (#10014)
On older browsers that don't support `globalThis`[1], the SES lockdown
throws an error. The `globalthis` shim has been added to all pages, to
the background process, and to the `contentscript`. This should prevent
the error on older browsers.

[1]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/globalThis#Browser_compatibility
2020-12-08 15:08:31 -03:30
Erik Marks
9d4b8a4903
@metamask/contract-metadata (#9968) 2020-12-01 14:55:01 -08:00
Etienne Dusseault
9f6fa64d67
Add SES lockdown to extension webapp (#9729)
* Freezeglobals: remove Promise freezing, add lockdown

* background & UI: temp disable sentry

* add loose-envify, dedupe symbol-observable

* use loose envify

* add symbol-observable patch

* run freezeGlobals after sentry init

* use require instead of import

* add lockdown to contentscript

* add error code in message

* try increasing node env heap size to 2048

* change back circe CI option

* make freezeGlobals an exported function

* make freezeGlobals an exported function

* use freezeIntrinsics

* pass down env to child process

* fix unknown module

* fix tests

* change back to 2048

* fix import error

* attempt to fix memory error

* fix lint

* fix lint

* fix mem gain

* use lockdown in phishing detect

* fix lint

* move sentry init into freezeIntrinsics to run lockdown before other imports

* lint fix

* custom lockdown modules per context

* lint fix

* fix global test

* remove run in child process

* remove lavamoat-core, use ses, require lockdown directly

* revert childprocess

* patch package postinstall

* revert back child process

* add postinstall to ci

* revert node max space size to 1024

* put back loose-envify

* Disable sentry to see if e2e tetss pass

* use runLockdown, add as script in manifest

* remove global and require from runlockdown

* add more memory to tests

* upgrade resource class for prep-build & prep-build-test

* fix lint

* lint fix

* upgrade remote-redux-devtools

* skillfully re-add sentry

* lintfix

* fix lint

* put back beep

* remove envify, add loose-envify and patch-package in dev deps

* Replace patch with Yarn resolution (#9923)

Instead of patching `symbol-observable`, this ensures that all
versions of `symbol-observable` are resolved to the given range, even
if it contradicts the requested range.

Co-authored-by: Mark Stacey <markjstacey@gmail.com>
2020-11-24 11:26:43 +08:00
Brad Decker
2ebf8756a4
[RFC] add prettier to eslint (#8595) 2020-11-02 17:41:28 -06:00
Whymarrh Whitby
b6ccd22d6c
Update ESLint shared config to v3 (#9274)
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
2020-08-19 13:57:05 -02:30
Whymarrh Whitby
c1e3c229bc
Fix import/order issues (#9239)
See [`import/order`](https://eslint.org/docs/rules/import/order) for more information.

This change enables `import/order` and fixes the issues raised by the rule.
2020-08-18 16:48:25 -02:30
Mark Stacey
f5d4ab1cc1
Include relative time polyfill locale data (#8896)
We were including the polyfill for the `Intl.RelativeTimeFormat` API,
but we weren't including any locale data. This polyfill doesn't work
without the locale data for whichever locale you're formatting.

The data for all locales we support is now included. The locale data
is loaded from disk as-needed (during app startup, and upon each change
in locale).
2020-07-02 21:34:48 -03:00
Mark Stacey
b30a352acb
Use @fortawesome/fontawesome-free npm package (#8256)
The official npm package for Font Awesome Free is now used instead of
the vendored styles. Previously we had been using v4.4.0, now we're
using v5.13.0.

We're now importing the Font Awesome SCSS modules instead of using the
minified CSS bundle. This integrates more cleanly into our build
system, and it lets us use their mixins directly in the future if we
need to.

The variable `fa-font-path` has been set to reference our font
directory, as instructed here:
https://fontawesome.com/how-to-use/on-the-web/using-with/sass#compile
2020-03-30 20:05:51 -03:00
kumavis
7686edadb0
Build system refactor (#8140)
* build - start static asset task cleanup

* build - simplify manifest tasks

* build - refactor + rename some tasks

* build - various cleanups

* manifest - fix ref from controller

* build - drop gulp for simple async tasks

* build - breakout gulpfile into multiple files

* build - rename some tasks

* build - use task fn refs instead of string names

* build - bundle all scripts first, except for contentscript

* build - improve task timeline

* deps - update lock

* build - improve task time printout

* build/scripts - remove intermediate named task

* build - use 'yarn build' for task entry points

* build - properly run tasks via runTask for timeline display

* development/announcer - fix manifest path + clean

* build - lint fix

* build - make all defined tasks possible entry points

* build/task - properly report errors during task

* ci - fix sesify/lavamoat-viz build command

* build/scripts - run each bundle in separate processes

* lint fix

* build - forward childProcess logs to console

* build/task - fix parallel/series stream end event

* build/scripts refactor contentscript+inpage into a single task

* build/static - use the fs for 150x speedup zomg

* lint fix

* build/static - fix css copy

* Update development/build/scripts.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/scripts.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/index.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* deps - remove redundant mkdirp

* deps - remove unused pumpify

* deps - remove redundant merge-deep

* deps - prefer is-stream of isstream

* deps - remove clone for lodash.cloneDeep

* clean - remove commented code

* build/static - use fs.copy + fast-glob instead of linux cp for better platform support

* build/manifest - standardize task naming

* build/display - clean - remove unused code

* bugfix - fix fs.promises import

* build - create "clean" as named task for use as entrypoint

* build/static - fix for copying dirs

* Update development/build/task.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/display.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/display.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/display.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* build - use task refs, tasks only return promises not streams, etc

* lint fi bad merge + lint

* build - one last cleanup + refactor

* build - add comments introducing file

* build/manifest - fix bug + subtasks dont beed to be named

* Update package.json

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* build/task - remove unused fn

* Update package.json

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/styles.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/styles.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

Co-authored-by: Mark Stacey <markjstacey@gmail.com>
2020-03-09 08:55:02 +08:00