Closed
Bug 748826
Opened 13 years ago
Closed 9 years ago
mozApps should validate receipt iss against installOrigin
Categories
(Core Graveyard :: DOM: Apps, defect)
Core Graveyard
DOM: Apps
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: ianbicking, Unassigned)
Details
Attachments
(1 file, 1 obsolete file)
|
12.92 KB,
patch
|
fabrice
:
feedback+
|
Details | Diff | Splinter Review |
Right now the receipt is treated as an opaque string by the mozApps API. I think there is a fraud issue because of this.
You can imagine someone buying an app, legitimately, from the Marketplace, and saving the receipt. They could then create a store that allows other people to buy this same app, and gives all the users the legitimate Marketplace receipt.
The app could protect against this by checking the installOrigin field when using getSelf, and either validating that against installs_allowed_from or against the receipt. But an app that is not doing robust checking and has not set installs_allowed_from would not be able to do this. Some more casual apps like games might not do this.
Also we can imagine a case where an app has receipts from multiple stores. For instance, an app might stop a relationship with a store but still respect old purchases, but want to do further upgrades from other stores. In this case the app might relax some of this checking, and the current value of installs_allowed_from might not match past values when the app was first installed.
Because of this I believe that mozApps should base64-decode the receipt (doing no cryptographic checking) and check the iss field (https://wiki.mozilla.org/Apps/WebApplicationReceipt#the_iss_field) against installOrigin, and give an error if it does not match.
|
||
Comment 1•13 years ago
|
||
Ian - Should be moved to Core --> DOM:Mozilla Extensions, since other mozapps API bugs are there?
|
|
||
Updated•13 years ago
|
Component: General → DOM: Apps
Product: Web Apps → Core
|
|
||
Updated•13 years ago
|
blocking-basecamp: --- → ?
|
||
Updated•13 years ago
|
Whiteboard: [blocked-on-input]
|
|
||
Comment 2•13 years ago
|
||
Yup, this is a valid risk, there are a couple ways around it. however, i don't see this as a blocking issue. ultimately, the decision whether this is a blocker is up to the marketplace business team (rick fant?).
|
||
Comment 3•13 years ago
|
||
I agree that this isn't a blocker, that receipts are copyable is a known drawback of our current system.
|
|
||
Comment 4•13 years ago
|
||
Thanks for the input. Removing the nom, now that we know this does not block.
blocking-basecamp: ? → ---
Whiteboard: [blocked-on-input]
|
||
Comment 5•12 years ago
|
||
|
|
||
Updated•12 years ago
|
Attachment #786581 -
Flags: feedback?(ianb)
|
|
||
Updated•12 years ago
|
Attachment #786581 -
Flags: feedback?(ianb) → feedback?(fabrice)
|
||
Comment 6•12 years ago
|
||
Comment on attachment 786581 [details] [diff] [review]
verify_iss_installorigin_receipts
Review of attachment 786581 [details] [diff] [review]:
-----------------------------------------------------------------
lgtm, but need tests.
Attachment #786581 -
Flags: feedback?(fabrice) → feedback+
|
|
||
Comment 7•12 years ago
|
||
I've removed the test_install_receipts.xul test (it only contains invalid receipts).
The receipts are accepted if one of them is valid, that's what we want, right?
Attachment #786581 -
Attachment is obsolete: true
Attachment #814280 -
Flags: feedback?(fabrice)
|
|
||
Comment 8•12 years ago
|
||
Comment on attachment 814280 [details] [diff] [review]
Patch
Review of attachment 814280 [details] [diff] [review]:
-----------------------------------------------------------------
(In reply to Marco Castelluccio [:marco] from comment #7)
>
> The receipts are accepted if one of them is valid, that's what we want,
> right?
I think so, I'd like to get a confirmation from payment folks there.
::: dom/apps/tests/test_iss_receipt.html
@@ +68,5 @@
> + }
> +
> + function continueTest() {
> + try { gGenerator.next(); }
> + catch (e) { dump("Got exception: " + e + "\n"); }
nit: can you indent that properly?
Attachment #814280 -
Flags: feedback?(fabrice) → feedback+
|
|
||
Updated•12 years ago
|
Flags: needinfo?(kumar.mcmillan)
|
||
Comment 9•12 years ago
|
||
> (In reply to Marco Castelluccio [:marco] from comment #7)
> >
> > The receipts are accepted if one of them is valid, that's what we want,
> > right?
I think that's right because the verifier will check the signature of each one. I'm adding :andym for a second pair of eyes.
Flags: needinfo?(kumar.mcmillan)
|
|
||
Comment 10•12 years ago
|
||
Comment on attachment 814280 [details] [diff] [review]
Patch
Review of attachment 814280 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/apps/src/Webapps.jsm
@@ +1550,5 @@
> + }
> +
> + for (let receipt of aApp.receipts) {
> + try {
> + let segments = receipt.split('.');
I think you need to split the receipt on tilde (~) first to remove the JSON Web Key. Info: https://wiki.mozilla.org/Apps/WebApplicationReceipt#Firefox_Marketplace_receipts
|
|
||
Comment 11•12 years ago
|
||
(In reply to Kumar McMillan [:kumar] from comment #10)
> I think you need to split the receipt on tilde (~) first to remove the JSON
> Web Key. Info:
> https://wiki.mozilla.org/Apps/
> WebApplicationReceipt#Firefox_Marketplace_receipts
Thank you, I didn't notice that section!
|
||
Comment 12•12 years ago
|
||
A few points:
- If there's two receipts in the install and one is valid and one is invalid, should we not just stop the install at that point? In this patch, it installs the app with a valid and an invalid receipt. The fact that we are installing something with an invalid receipt seems wrong. We should stop there.
- If we don't check the crypto in the receipt, can we really trust the values in the receipt at all?
- I'm all for doing things on the platform, I think life will be much easier for the developer. However Ian went on to write receipt verifier. I would much rather think of this change going into receiptverifier library and then consider merging that whole library into platform. We'd get a whole pile more checks then, including crypto checks. If people think this is a good idea, I won't let this stand in the way.
|
|
||
Comment 13•12 years ago
|
||
The receipt verifier library is at: https://github.com/mozilla/receiptverifier btw.
|
|
||
Comment 14•12 years ago
|
||
(In reply to Andy McKay [:andym] from comment #12)
> - If there's two receipts in the install and one is valid and one is
> invalid, should we not just stop the install at that point?
Technically it's ok to have multiple receipts on device (although it seems like an odd case). In this scenario, the receipt verifier in the app itself would pass verification, right? I.E. the verifier lib only requires one valid receipt, I think.
|
|
||
Comment 15•12 years ago
|
||
(In reply to Kumar McMillan [:kumar] from comment #14)
> Technically it's ok to have multiple receipts on device (although it seems
> like an odd case). In this scenario, the receipt verifier in the app itself
> would pass verification, right? I.E. the verifier lib only requires one
> valid receipt, I think.
I think so, but there's no test to prove that point. If there was one it, would make me happier.
Would like to see a clear reason for installing an app with an essentially tampered receipt though.
|
|
||
Comment 16•9 years ago
|
||
The Apps API code has been removed in bug 1261019.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
|
||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•