Make Robolectric safer

[utzcoz]

Google has released ClusterFuzzlite, and it supports CI fuzzing checking for Java and C++, used by Robolectric. What about trying to integrate it for Robolectric Github Actions, and start to make Robolectric safer?

Also, GitHub Security supports to spot out vulnerabilities of dependencies. It can be used to make Robolectric safer too.

[hoisie]

What kind of threat models are you concerned with? I'm definitely not opposed to improving security, but Robolectric processes tend to be short-lived, and only exist on developer machines and isolated CI environments, so I have not thought too much about what kind of attack vectors are possible.

[utzcoz]

Actually, there are some CI environments not isolated from my experiences.

[utzcoz]

Maybe what we can do now is to bump dependencies with confirmed security problems. For example, I found the Guava we used currently has a low priority security problem, and I filed an issue for it. Because it maybe simple, I also leave it for potential new contributors.

[utzcoz]

#3916 is another example that Robolectric's dependency has vulnerability problem, and some users encourage us to upgrade our dependencies. Looks like some users' company use tools to analyze licenses and vulnerability problems of their product's open-source dependencies.

[hoisie]

Yeah it's fine updating dependencies, I just think to exploit a vulnerability you need the following to happen:

1. The test cannot be run inside a transient container, which happens pretty often these days. For instance, when tests are run on CI services (e.g. GitHub CI), they are fairly isolated and sandboxed in a container, and even if that container gets compromised, I believe it would be a lot more work to drop down into the host machine.

2. The machine or container would have to be exposed to an open network, and it would either have to start a server in the test, or make a network request to a malicious host that can exploit a vulnerability.

[utzcoz]

Agreed. Looks like what we can do for Robolectric about security is updating dependencies. The ROI of updating dependencies is large enough, and we can spent less effort to reduce users' "complaints" from their analyzing tools.