Closed Bug 1178430 Opened 9 years ago Closed 1 month ago

High signing severity warnings generated for 3rd party libraries

Categories

(addons.mozilla.org Graveyard :: Add-on Validation, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: steven.harris, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36

Steps to reproduce:

1) Included and utilized es5-shim/jquery/underscore libraries in our add-on
- es5-shim.min.js
- jquery-1.7.1.min.js
- underscore-1.5.2.min.js
2) Submitted for validation


Actual results:

1) Numerous high level signing severity warnings were output for these third party libraries, such as: Access to the `Function` global; `setTimeout` called in potentially dangerous manner; `setInterval` called in potentially dangerous manner; createElement() used to create script tag
2) These high level warnings result in our add-on being flagged for manual review, drastically affecting our release date



Expected results:

The fact is that these libraries support all browsers and a large collection of capabilities, which means any attempt to include them will result in a manual review. The only options I see are:

1) Instead of including these standard libraries, create and maintain the specific subset of utilized features.
2) As long as the MD5 hashes are correct, validation should not generate warnings for these libraries.
3) The validation algorithm could generate warnings only if the add-on references any of those features that are security concerns.

From a security perspective the best approach would be #1, but that puts a large burden on the developers since they must create/maintain standard features from these libraries. From my perspective, #2 just opens up lots of potential ways that these libraries could be misused, thus compromising the user's system. And, #3 would require a much more sophisticated validator, since it would have to determine what library code was referenced by the add-on.

In conclusion, I am not sure I like any of the above options, because they all compromise on some point. As tempting as #2 is, I feel it does not meet the need to provide a secure solution to the user, so it has to be #1 or #3.
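Added illustration (not part of the bug report and not the AMO validator's code): a minimal sketch of option #2, where a bundled file whose digest matches a known library is skipped and everything else is scanned for the four constructs the report quotes. SHA-256 stands in for the MD5 the report mentions (MD5 collisions are practical, so it is a poor identity check), the regexes are illustrative assumptions, and the "library" bytes are constructed sample input.

```python
import hashlib
import re

# Constructed stand-in for a bundled third-party library (not real jquery or
# underscore); it contains the constructs the report says were flagged.
SAMPLE_LIBRARY = b"""
var F = Function("return this")();
setTimeout("tick()", 100);
var s = document.createElement("script");
"""

# Illustrative patterns for the warnings quoted in the report. The real
# validator's rules are assumed to be more elaborate than these regexes.
WARNING_PATTERNS = [
    ("Access to the `Function` global", re.compile(r"\bFunction\s*\(")),
    ("`setTimeout` called in potentially dangerous manner",
     re.compile(r"\bsetTimeout\s*\(\s*[\"']")),  # string argument, i.e. eval-like
    ("`setInterval` called in potentially dangerous manner",
     re.compile(r"\bsetInterval\s*\(\s*[\"']")),
    ("createElement() used to create script tag",
     re.compile(r"createElement\s*\(\s*[\"']script[\"']\s*\)")),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist keyed by digest -> library name. SHA-256 replaces the MD5 the
# report mentions; the single entry is derived from the constructed sample.
KNOWN_LIBRARIES = {sha256_hex(SAMPLE_LIBRARY): "sample-lib-1.0.min.js (constructed)"}


def find_warnings(source: bytes):
    """Return the warning messages whose pattern occurs in the source."""
    text = source.decode("utf-8", errors="replace")
    return [msg for msg, pat in WARNING_PATTERNS if pat.search(text)]


def validate_file(source: bytes, allowlist=KNOWN_LIBRARIES):
    """Return (status, warnings). Only a byte-exact copy of a known library is
    skipped; a modified copy no longer matches and is scanned like add-on code."""
    library = allowlist.get(sha256_hex(source))
    if library is not None:
        return ("allowlisted:" + library, [])
    return ("scanned", find_warnings(source))
```

Even a one-byte change to the library (e.g. a trailing comment) drops it out of the allowlist, which is the property that keeps #2 from becoming a way to smuggle modified code past review.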
Kris, thoughts?
Flags: needinfo?(kmaglione+bmo)
We'll be able to deal with the more common cases once bug 1069570 lands. I don't think we'll ever be able to deal with 100% of third-party libraries, though.
Depends on: 1069570
Flags: needinfo?(kmaglione+bmo)
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Status: UNCONFIRMED → RESOLVED
Closed: 1 month ago
Resolution: --- → INCOMPLETE