Don't ship debug IAC rules into production

RESOLVED INCOMPLETE

Status

defect
5 years ago
a year ago

People

(Reporter: ggp, Unassigned)

Tracking

unspecified
2.0 S4 (20june)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Find My Device uses the Inter-App Communication (IAC) API to receive fake commands from a test app. This is only necessary during tests.

The IAC API allows an app to establish rules specifying which other apps it wants to communicate with, by listing in its manifest.webapp the URLs of the manifests of the other apps it is interested in.

We currently have the following two rules in our manifest.webapp, in order to communicate with the test app:

          "app://test-findmydevice.gaiamobile.org/manifest.webapp",
          "http://test-findmydevice.gaiamobile.org:8080/manifest.webapp"

These URLs, however, could potentially be spoofed by a different app when the test app is not installed, which happens in production builds. Such an app could then gain control over Find My Device. Thus, these rules should be removed from production builds.

See https://bugzilla.mozilla.org/show_bug.cgi?id=938901#c27 for a possible security flaw involving this.
(Reporter)

Comment 1

5 years ago
Just noticed that the build system (specifically, build/webapp-manifests.js) is now smart enough to replace the rules in the manifest with the debugging ones if necessary. So we can just remove the hard-coded debug rules now.
Attachment #8406395 - Flags: review?(21)
Let's also keep this bug open once the first part of the patch lands since app:// can still be spoofed.
(Reporter)

Updated

5 years ago
Attachment #8406395 - Attachment description: bug 983363 - remove IAC debug rules from find my device → bug 983363 - remove IAC debug rules from find my device [checkin: comment 3]
Gene, could you look at this?
Flags: needinfo?(gene.lian)
Target Milestone: --- → 2.0 S1 (9may)
This one seems to be a Gaia bug. Anyway, although we allow an app's manifest to define its own IAC rules, we haven't opened IAC to non-certified apps, which means even if the rules work, they only work for two certified apps to communicate with each other with limitations.
Flags: needinfo?(gene.lian)
Target Milestone: 2.0 S1 (9may) → 2.0 S3 (6june)
Blocks: 938357
blocking-b2g: --- → 2.0?
Target Milestone: 2.0 S3 (6june) → 2.0 S4 (20june)
Erin

User impact please?
Flags: needinfo?(elancaster)
blocking-b2g: 2.0? → 2.0+
Assignee: ggoncalves → nobody
Assignee: nobody → gene.lian
Component: FindMyDevice → DOM: Device Interfaces
Product: Firefox OS → Core
It seems like this doesn't affect us shipping FMD since it is restricted to certified apps only. Correct, Gene?
Flags: needinfo?(gene.lian)
Yes! Correct! IAC doesn't work at all on the non-certified apps.

I don't know what else Gecko can support on this bug? Isn't this a pure Gaia bug? May we just close this bug since comment #1 lands? needinfo :gpp. Please correct me if I'm wrong. Thanks!

Btw, the way of specifying the manifestURLs in the manifest.webapp is going to be disabled under way (bug 1019493).
Assignee: gene.lian → nobody
Flags: needinfo?(gene.lian) → needinfo?(ggoncalves)
(Reporter)

Comment 9

5 years ago
I think there are two possible courses of action for this bug, depending on whether bug 1019493 lands or not, as I can see people still have (justifiable) second thoughts about it.

If it lands, then it looks like we can just remove manifestURLs from FMD's manifest and be done with it. If it doesn't, then yes, this remains an issue, but it seems to me that it can be solved by making Gaia's build system smart enough to remove these rules as needed, so I don't think we need anything from Gecko.

I also agree that this isn't a major issue right now given that IAC only works for certified apps; however, if the outcome of bug 1019493 is that this restriction doesn't provide enough security, then of course we should follow suit and get this fixed on Gaia as soon as possible.
Depends on: 1019493
Flags: needinfo?(ggoncalves)
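
The build-time filtering proposed in the description and in comment 9 could look like this. It is an added example, not Gaia's build/webapp-manifests.js; the manifest layout (connections.<keyword>.rules.manifestURLs), the connection keywords and the example-peer URL are assumptions, and only the two test-findmydevice URLs come from this bug.

```javascript
// Host of the test-only app, from the two rules quoted in the bug description.
const DEBUG_HOSTS = new Set(['test-findmydevice.gaiamobile.org']);

function isDebugManifestURL(url) {
  try {
    return DEBUG_HOSTS.has(new URL(url).hostname);
  } catch (e) {
    return true; // unparseable rule: never let it through a production gate
  }
}

// List every debug rule as {keyword, url}. Assumed manifest layout:
// connections.<keyword>.rules.manifestURLs = [ ...peer manifest URLs ]
function findDebugIacRules(manifest) {
  const hits = [];
  for (const [keyword, conn] of Object.entries(manifest.connections || {})) {
    const urls = (conn.rules && conn.rules.manifestURLs) || [];
    for (const url of urls) {
      if (isDebugManifestURL(url)) hits.push({ keyword, url });
    }
  }
  return hits;
}

// Return a production copy of the manifest; the input is left untouched.
function stripDebugIacRules(manifest) {
  const cleaned = JSON.parse(JSON.stringify(manifest));
  const removed = findDebugIacRules(cleaned);
  for (const [keyword, conn] of Object.entries(cleaned.connections || {})) {
    const rules = conn.rules;
    if (!rules || !Array.isArray(rules.manifestURLs)) continue;
    rules.manifestURLs = rules.manifestURLs.filter((u) => !isDebugManifestURL(u));
    // Example's choice: drop a connection whose peers were all test apps.
    if (rules.manifestURLs.length === 0) delete cleaned.connections[keyword];
  }
  return { cleaned, removed };
}

// Constructed sample manifest; keywords and the non-test peer are made up.
const SAMPLE = {
  connections: {
    'example-test-commands': { rules: { manifestURLs: [
      'app://test-findmydevice.gaiamobile.org/manifest.webapp',
      'http://test-findmydevice.gaiamobile.org:8080/manifest.webapp'] } },
    'example-sync': { rules: { manifestURLs: [
      'app://example-peer.gaiamobile.org/manifest.webapp',
      'app://test-findmydevice.gaiamobile.org/manifest.webapp'] } },
  },
};
```

A release job can fail the build when findDebugIacRules() returns anything for the packaged manifest, which catches hard-coded debug rules even if the stripping step is skipped.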
Bug 1019493 comment 15 confirms we will never attempt to expose IAC to non-certified apps and the patches there seem likely to land.  Should we just let bug 1019493's resolution work for this bug, too, and drop the 2.0 blocker here?
Flags: needinfo?(ggoncalves)
(Reporter)

Comment 11

5 years ago
I'm OK with that. Once bug 1019493 lands, we should be free to just remove the manifestURLs from our manifest, and I don't think we need to block on this anymore.
Flags: needinfo?(ggoncalves)
Sounds good.  I'll remove the blocking flag here while we wait for bug 1019493 to be resolved.
blocking-b2g: 2.0+ → ---
Flags: needinfo?(elancaster)
Cleaning up Device Interfaces component, and mass-marking old FxOS bugs as incomplete.

If any of these bugs are still valid, please let me know.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → INCOMPLETE
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open