fix: Relates to #124. Security

package.json

@@ -44,8 +44,8 @@
     "build": "lerna run build",
     "preelectron": "yarn build",
     "electron": "cd packages/fether-electron && yarn electron",
-    "lint-files": "./scripts/lint-files.sh",
-    "lint": "yarn lint-files '**/*.js'",
+    "lint-files": "./scripts/lint-files.sh '**/*.js'",
+    "lint": "yarn lint-files",
     "prepackage": "yarn build",
     "package": "cd packages/fether-electron && yarn package",
     "release": "cd packages/fether-electron && yarn release",
@@ -76,4 +76,4 @@
     "ts-node": "^8.0.3",
     "typescript": "^3.3.4000"
   }
-}
+}

packages/fether-electron/custom.webpack.additions.js

@@ -0,0 +1,22 @@
+// https://webpack.electron.build/add-ons
+// https://www.npmjs.com/package/webpack-build-notifier
+const path = require('path');
+const WebpackBuildNotifierPlugin = require('webpack-build-notifier');
+
+const withWebpackBuildNotifier = process.env.NOTIFIER === 'true';
+
+module.exports = withWebpackBuildNotifier
+  ? {
+    plugins: [
+      new WebpackBuildNotifierPlugin({
+        title: 'Fether Webpack Build',
+        logo: path.resolve('./build/icons/icon.ico'),
+        suppressSuccess: false,
+        compileIcon: path.resolve('./build/icons/webpack/compile.png'),
+        failureIcon: path.resolve('./build/icons/webpack/failure.png'),
+        successIcon: path.resolve('./build/icons/webpack/success.png'),
+        warningIcon: path.resolve('./build/icons/webpack/warning.png')
+      })
+    ]
+  }
+  : {};

packages/fether-electron/electron-webpack.json

@@ -1,5 +1,9 @@
 {
+  "main": {
+    "webpackConfig": "custom.webpack.additions.js"
+  },
   "renderer": {
     "sourceDirectory": null
-  }
+  },
+  "title": "Fether"
 }

packages/fether-electron/package.json

@@ -30,12 +30,12 @@
   "scripts": {
     "prebuild": "copyfiles -u 2 \"../fether-react/build/**/*\" static/ && ./scripts/fixElectronBug.sh",
     "build": "electron-webpack",
-    "electron": "cross-env SKIP_PREFLIGHT_CHECK=true electron dist/main/main.js",
+    "electron": "electron dist/main/main.js",
     "prepackage": "./scripts/revertElectronBug.sh",
     "package": "electron-builder",
     "prerelease": "./scripts/revertElectronBug.sh",
     "release": "electron-builder",
-    "start": "cross-env ELECTRON_START_URL=http://localhost:3000 electron-webpack dev --ws-origins all",
+    "start": "cross-env ELECTRON_START_URL=http://localhost:3000 electron-webpack dev",
     "test": "jest --all --color --coverage"
   },
   "dependencies": {
@@ -48,14 +48,16 @@
     "fether-react": "^0.3.0",
     "pino": "^4.16.1",
     "pino-multi-stream": "^3.1.2",
-    "source-map-support": "^0.5.10"
+    "source-map-support": "^0.5.10",
+    "url-pattern": "^1.0.3"
   },
   "devDependencies": {
     "copyfiles": "^2.1.0",
     "cross-env": "^5.2.0",
     "electron": "^4.0.1",
     "electron-builder": "^20.38.5",
     "electron-webpack": "^2.6.1",
-    "webpack": "^4.29.1"
+    "webpack": "^4.29.1",
+    "webpack-build-notifier": "^0.1.30"
   }
-}
+}

packages/fether-electron/src/main/app/cli/index.js

@@ -4,7 +4,7 @@
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cli from 'commander';
-
+import { DEFAULT_CHAIN, DEFAULT_WS_PORT } from '../constants';
 const { productName } = require('../../../../electron-builder.json');
 const { version } = require('../../../../package.json');
 
@@ -24,30 +24,31 @@ cli
   .allowUnknownOption()
   .option(
     '--chain <chain>',
-    'The network to connect to, can be one of "foundation", "kovan" or "ropsten". (default: "kovan")',
-    'kovan'
+    `The network to connect to, can be one of "foundation", "kovan" or "ropsten". (default: "${DEFAULT_CHAIN}")`,
+    DEFAULT_CHAIN
   )
   .option(
     '--no-run-parity',
     `${productName} will not attempt to run the locally installed parity.`
   )
-  .option(
-    '--ws-interface <ip>',
-    `Specify the hostname portion of the WebSockets server ${productName} will connect to. IP should be an interface's IP address. (default: 127.0.0.1)`,
-    '127.0.0.1'
-  )
   .option(
     '--ws-port <port>',
-    `Specify the port portion of the WebSockets server ${productName} will connect to. (default: 8546)`,
-    8546
+    `Specify the port portion of the WebSockets server ${productName} will connect to. (default: ${DEFAULT_WS_PORT})`,
+    DEFAULT_WS_PORT
   )
 
   .parse(
     process.argv
       // We want to ignore some flags and not pass them down to Parity:
       // --inspect: `electron-webpack dev` runs Electron with the `--inspect` flag for HMR
       // -psn_*: https://github.com/paritytech/fether/issues/188
-      .filter(arg => !arg.startsWith('--inspect') && !arg.startsWith('-psn_'))
+      .filter(
+        arg =>
+          !arg.startsWith('--inspect') &&
+          !arg.startsWith('-psn_') &&
+          !arg.startsWith('--ws-interface') &&
+          !arg.startsWith('--ws-origins')
+      )
   );
 
 export default cli;

packages/fether-electron/src/main/app/constants/index.js

@@ -0,0 +1,27 @@
+// Copyright 2015-2019 Parity Technologies (UK) Ltd.
+// This file is part of Parity.
+//
+// SPDX-License-Identifier: BSD-3-Clause
+
+import { IS_PACKAGED } from '../utils/paths';
+
+const IS_PROD = process.env.NODE_ENV === 'production';
+
+/**
+ * Security. Additional network security is configured after `cli` is available:
+ * in fether-electron/src/main/app/options/config/index.js
+ *
+ * Note: 127.0.0.1 is a trusted loopback and more trustworthy than localhost.
+ * See https://letsencrypt.org/docs/certificates-for-localhost/
+ */
+const DEFAULT_CHAIN = 'kovan';
+const DEFAULT_WS_PORT = '8546';
+const TRUSTED_LOOPBACK = '127.0.0.1';
+
+export {
+  DEFAULT_CHAIN,
+  DEFAULT_WS_PORT,
+  IS_PACKAGED,
+  IS_PROD,
+  TRUSTED_LOOPBACK
+};

packages/fether-electron/src/main/app/menu/template/index.js

@@ -4,6 +4,7 @@
 // SPDX-License-Identifier: BSD-3-Clause
 
 import electron from 'electron';
+import { IS_PROD } from '../../constants';
 
 const { shell } = electron;
 
@@ -170,7 +171,7 @@ const getContextTrayMenuTemplate = fetherApp => {
       }
     ];
 
-    if (process.env.NODE_ENV !== 'production') {
+    if (!IS_PROD) {
       template.push({
         label: 'Reload',
         click: () => fetherApp.win.webContents.reload()

packages/fether-electron/src/main/app/methods/setupGlobals.js

@@ -3,11 +3,13 @@
 //
 // SPDX-License-Identifier: BSD-3-Clause
 
+import { DEFAULT_WS_PORT, TRUSTED_LOOPBACK } from '../constants';
 import cli from '../cli';
 
 function setupGlobals () {
   // Globals for fether-react parityStore
-  global.wsInterface = cli.wsInterface;
+  global.defaultWsInterface = TRUSTED_LOOPBACK;
+  global.defaultWsPort = DEFAULT_WS_PORT;
   global.wsPort = cli.wsPort;
 }
 

packages/fether-electron/src/main/app/methods/setupRequestListeners.js

@@ -5,7 +5,12 @@
 
 import electron from 'electron';
 
+import { IS_PROD } from '../constants';
+import { CSP } from '../utils/csp';
 import messages from '../messages';
+import Pino from '../utils/pino';
+
+const pino = Pino();
 const { ipcMain, session } = electron;
 
 function setupRequestListeners (fetherApp) {
@@ -30,6 +35,24 @@ function setupRequestListeners (fetherApp) {
       callback({ requestHeaders: details.requestHeaders }); // eslint-disable-line
     }
   );
+
+  // Content Security Policy (CSP)
+  session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
+    pino.debug(
+      `Configuring Content-Security-Policy for environment ${
+        IS_PROD ? 'production' : 'development'
+      }`
+    );
+
+    /* eslint-disable */
+    callback({
+      responseHeaders: {
+        ...details.responseHeaders,
+        "Content-Security-Policy": [CSP]
+      }
+    });
+    /* eslint-enable */
+  });
 }
 
 export default setupRequestListeners;

packages/fether-electron/src/main/app/methods/setupWinListeners.js

@@ -3,20 +3,71 @@
 //
 // SPDX-License-Identifier: BSD-3-Clause
 
-import electron from 'electron';
 import debounce from 'lodash/debounce';
 
+import { SECURITY_OPTIONS } from '../options/config';
 import Pino from '../utils/pino';
 
+const { TRUSTED_HOSTS } = SECURITY_OPTIONS.fetherNetwork;
+const trustedHostsAll = Object.values(TRUSTED_HOSTS).flat();
 const pino = Pino();
 
 function setupWinListeners (fetherApp) {
   const { onWindowClose, processSaveWinPosition, win } = fetherApp;
 
-  // Open external links in browser
-  win.webContents.on('new-window', (event, url) => {
-    event.preventDefault();
-    electron.shell.openExternal(url);
+  /**
+   * Insecure TLS Validation - verify the application does not explicitly opt-out of TLS validation
+   *
+   * References:
+   * - https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf
+   * - https://electronjs.org/docs/api/session#sessetcertificateverifyprocproc
+   */
+  win.webContents.session.setCertificateVerifyProc((request, callback) => {
+    const { hostname, certificate, verificationResult, errorCode } = request; // eslint-disable-line
+
+    pino.debug(
+      'Processing server certificate verification request for the session in setCertificateVerifyProc with hostname: ',
+      hostname
+    );
+
+    if (errorCode) {
+      pino.error(
+        'Error processing server certificate verification request for the session in setCertificateVerifyProc: ',
+        errorCode
+      );
+
+      // Failure accepting certificate due to errorCode
+      callback(-2); // eslint-disable-line
+    } else if (!trustedHostsAll.includes(hostname)) {
+      pino.info(
+        'Failure accepting server certification due to its hostname being an untrusted host in setCertificateVerifyProc: ',
+        hostname
+      );
+
+      // Failure accepting server certificate due to its source hostname being untrusted
+      callback(-2); // eslint-disable-line
+    } else if (!verificationResult === 'net::OK') {
+      pino.info(
+        'Failure accepting server certificate due to it failing Chromium verification: ',
+        hostname,
+        verificationResult
+      );
+
+      // Failure accepting server certificate due to it failing Chromium verification
+      callback(-2); // eslint-disable-line
+    } else {
+      pino.info(
+        'Fallback to using the verification result from Chromium: ',
+        hostname,
+        verificationResult
+      );
+
+      // Fallback to using the verification result from Chromium
+      callback(-3); // eslint-disable-line
+
+      // // Success and accept the certifcate, disable Certificate Transparency verification
+      // callback(0); // eslint-disable-line
+    }
   });
 
   // Windows and Linux (unchecked on others)