Audit our content scripts/message handlers

RESOLVED FIXED

Firefox for iOS
General
Reported: 3 years ago
Updated: 8 months ago

(Reporter: bnicholson, Unassigned)

({sec-audit})

unspecified
All
iOS
sec-audit

Firefox Tracking Flags

(fxios1.1+)

(Reporter)

Description

3 years ago
Before releasing v1, we need to go over all of our user scripts and carefully verify that we aren't exposing anything dangerous to web pages. In particular, the in-content webkit object used for sending messages back to the app process is exposed to web pages, so we also need to look through the receiving end (BrowserHelpers) to make sure we robustly handle any message that may be sent back to us. Any message posted via webkit.messageHandlers could be malicious, so we need to filter them accordingly.
tracking-fennec: ? → +
tracking-fxios: ? → +
This includes looking at the Swift handlers for those messages to make sure they handle bad input data correctly.

This includes things like:

* Receiving nil/null and assuming that is not possible
* Receiving different data types than expected
* Receiving longer or shorter data than expected
* Receiving correct data structures but with invalid data

This will be a fun thing for Whistler I think. We can also ask some of the security team folks to help with this, since they have been looking at issues like this across our products.
(Reporter)

Updated

3 years ago
Assignee: nobody → bnicholson
Status: NEW → ASSIGNED
tracking-fennec: + → ---
(Reporter)

Updated

3 years ago
Assignee: bnicholson → nobody
Status: ASSIGNED → NEW
This is what we inject:

* ContextMenu.js & ContextMenuHelper.swift
* Favicons.js & FaviconManager.swift
* FxASignIn.js & FxAContentViewController.js
* LoginsHelper.js & LoginsHelper.swift
* Readability.js & ReadabilityBrowserHelper.js & ReadabilityBrowserHelper.swift
* Readability.js & ReaderMode.js & ReaderMode.swift
* WindowCloseHelper.js & WindowCloseHelper.swift

WindowCloseHelper.js & WindowCloseHelper.swift

These two look pretty sane. Code is executed in an anonymous function. No data is passed between webview and native. The only message it sends is 'null' as a notification.
FxASignIn.js & FxAContentViewController.swift

The main problem with FxAContentViewController.swift is that it does zero validation of the data it receives in userContentController(didReceiveScriptMessage).

I'm not too worried about someone hijacking the fxa-content-server. But if it for some reason sends back an unexpected JSON response, we will likely crash because we assume specific keys are in returned dictionaries and assume they are of specific types.

Highly recommend writing a strict parser for FxA Content Server responses that turns the JSON into Swift structs encapsulating the responses.
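As an added illustration of the strict-parser approach recommended above (example code, not from the Firefox for iOS project), here is a WKScriptMessageHandler that rejects the bad-input classes listed in the description (null, wrong types, oversized payloads, well-formed structures with invalid values) instead of force-casting. The message shape, the handler name "fxaHandler" and the size limit are assumptions for the example; the real FxA content server protocol is not shown on this page.

```swift
import Foundation
import WebKit

// Assumed message shape for the example: {"type": "login", "data": {"email": ..., "uid": ...}}.
struct FxAMessage: Decodable {
    enum Kind: String, Decodable { case login, loaded, error }  // unknown strings fail to decode
    struct Payload: Decodable {
        let email: String
        let uid: String
    }
    let type: Kind
    let data: Payload?
}

enum MessageError: Error { case badShape, tooLarge, invalidField }

/// Strictly parse an untrusted WKScriptMessage body. Anything unexpected throws,
/// so a hostile or buggy page can only get its message dropped, not crash the app.
func parseFxAMessage(_ body: Any) throws -> FxAMessage {
    // 1. Type check: the body may be NSNull, a number, a string or an array. Only accept a dictionary.
    guard let dict = body as? [String: Any] else { throw MessageError.badShape }
    // 2. Size bound (assumed limit): refuse oversized payloads before decoding them.
    let data = try JSONSerialization.data(withJSONObject: dict)
    guard data.count <= 16 * 1024 else { throw MessageError.tooLarge }
    // 3. Schema check: Decodable enforces required keys and value types.
    let message = try JSONDecoder().decode(FxAMessage.self, from: data)
    // 4. Semantic check: structurally valid, but are the values acceptable?
    if case .login = message.type {
        guard let p = message.data, !p.uid.isEmpty, p.uid.count <= 64, p.email.contains("@") else {
            throw MessageError.invalidField
        }
    }
    return message
}

final class FxAScriptHandler: NSObject, WKScriptMessageHandler {
    func userContentController(_ controller: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        // Only accept messages on the expected handler name and from the main frame.
        guard message.name == "fxaHandler", message.frameInfo.isMainFrame else { return }
        do {
            let msg = try parseFxAMessage(message.body)
            print("accepted message of type \(msg.type)")
        } catch {
            // Log and drop: never assume keys or types exist on attacker-controlled input.
            print("rejected script message: \(error)")
        }
    }
}
```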
(Reporter)

Comment 5

3 years ago
Sounds like we'll be dumping some findings in here. Restricting access so we don't give people a laundry list of 0-day exploits for release :)
Group: core-security
tracking-fxios: + → 1.1+
(Reporter)

Updated

3 years ago
Depends on: 1194567
tracking-fxios: 1.1+ → +
tracking-fxios: + → 1.0.5+

Updated

2 years ago
Group: core-security → firefox-core-security
Keywords: sec-audit
tracking-fxios: 1.0.5+ → ?
This'll do for v1.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
tracking-fxios: ? → 1.1+
Resolution: --- → FIXED
Group: firefox-core-security → core-security-release