-
Notifications
You must be signed in to change notification settings - Fork 440
Fix #483 - Add Safe-Browsing via Proxy and Update DB List #1339
Conversation
|
@Brandon-T - I'm seeing a crash on fullUpdate
|
This should be fixed already :D |
9b53a6c
to
2cffb10
Compare
cc: @jamesmudgett for designs of the warning pages |
@Brandon-T - Globally disabling |
I think we should clearly highlight that we are using Google Safe Browsing here. May be add a line after |
Two URLs on the test page are not getting flagged as malicious, see |
I checked these two URLs against Google’s Go-Lang implementation, it doesn’t get flagged either. So I decided to test it out on the cloud with my personal API key using the Google Developer Console and it also doesn’t flag these two URLsso I’m not sure what’s going on. There’s also a stackoverflow issue for this. I’ll see if I can figure out why. It seems to flag it in safari but safari seems to be flagging the entire domain and not just that page. For GSafe v2 it flags but v4 doesn’t. I’ll see if I can figure out why. |
@Brandon-T - Safari blocks this URL correctly on iOS. Social Engineering one does not work though. May be worth following up with the Safe Browsing team. cc: @tomlowenthal can help. This is not a blocker, I think we can file a separate issue for this if needed. |
// Technically this should be done "TRIE" data structure | ||
|
||
//TODO: Fix for IP Address.. | ||
if let hostName = host?.replacingOccurrences(of: "\(scheme ?? "")://", with: "") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unit test for this will help
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good examples here: https://developers.google.com/safe-browsing/v4/urls-hashing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, let's make sure we stop on ETLD+1 so that we never lookup co.uk
for example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should probably use a whitelist of schemes here (probably: http://
, https://
, ftp://
, ws://
, and wss://
) since Safe Browsing doesn't make sense for file://
or data:
URIs.
…. Made pages responsive to handle iPhone SE.
…ing urls for all HTML pages.
…calized Strings. Addressed some feedback related stuff.
7c32eea
to
d18e552
Compare
closing, error pages design will be updated here #4338 |
Security Review: https://github.com/brave/internal/issues/632
Added Safe-Browsing API Client.
Fixes Update error/warning page communication and iconography & use Google Safe Browsing via proxy #483
Updated to have CoreData and to use the same Database Schema as Go-Lang server.
Also uses same logic as the Go-Lang sblookup server so should be good for searching the DB for hashes (short and long).
Host Prefix/Suffix calculation should be done via a TRIE structure but the current algorithm works and matches the Go-Lang implementation's results perfectly.
Now handles full-update and partial-update.
DB is stored persistently.
Handles DB corruption via Checksum
Rewrote/Ported a lot from Go-Lang's implementation (took almost 32 hours straight on top of our existing previous PR-Code) and is feature complete.
Now handles Database Expiration
Now handles Back-Off-Mode
Now handles Find and Update wait duration
Now schedules updates periodically
Now handles Cache and Expiration
Now Handles IP-Address Canonicalization
Spec followed is: https://developers.google.com/safe-browsing/v4/update-api
Submitter Checklist:
Fix #123: This fixes the shattered coffee cup!
(orNo Bug: <message>
if no relevant ticket)NSLocalizableString()
Test Plan:
Screenshots:
Reviewer Checklist:
QA/(Yes|No)
release-notes/(include|exclude)
bug
/enhancement