[tor-browser-spec/master] Bug 40005: Add Fenix82 net audit - tbb-commits

23 Oct 2020

commit d3790ada30eb10772b4a7e0cd810e191fc3d44e8
Author: Matthew Finkel sysrqb@torproject.org
Date:   Mon Oct 12 21:15:23 2020 +0000
Bug 40005: Add Fenix82 net audit
Add java_audit.sh, authored by Mike
    (see https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40132#no...)
---
 audits/FF82_NETWORK_AUDIT | 125 ++++++++++++++++++++++++++++++++++++++++++++++
 audits/java_audit.sh      |  85 +++++++++++++++++++++++++++++++
 2 files changed, 210 insertions(+)

diff --git a/audits/FF82_NETWORK_AUDIT b/audits/FF82_NETWORK_AUDIT
new file mode 100644
index 0000000..705a544
--- /dev/null
+++ b/audits/FF82_NETWORK_AUDIT
@@ -0,0 +1,125 @@
+`git diff cb11d5556759bd5bf174fbac719f51b2f02e2f0b 763b45bd9edb0073a2c6058dd3edc9254ec901e9`
+and then go over all the changes containing the
+above mentioned potentially dangerous calls and features. Grep the diff for
+the following strings and examine surrounding usage.
+
+=============== Native DNS Portion =============
+
+PR_GetHostByName
+PR_GetIPNodeByName
+PR_GetAddrInfoByName
+PR_StringToNetAddr
+
+MDNS
+TRR (DNS Trusted Recursive Resolver)
+  - Adds |doh-rollout.clearModeOnShutdown| pref for resetting |doh-rollout.mode| when the browser shuts down
+
+Direct Paths to DNS resolution
+nsDNSService::Resolve
+nsDNSService::AsyncResolve
+nsHostResolver::ResolveHost
+
+# FF82: Nothing of interest
+
+============ Misc Socket Portion ==============
+
+SOCK_
+SOCKET_
+_SOCKET
+UDPSocket
+TCPSocket
+  PR_NewTCPSocket
+  AsyncTCPSocket
+
+Misc PR_Socket
+
+# FF82: Nothing of interest
+
+=========== Misc XPCOM Portion ================
+
+Misc XPCOM (including commands for pre-diff review approach)
+ *SocketProvider
+ grep -R udp-socket .
+ grep -R tcp-socket .
+ grep for tcpsocket
+ grep -R "NS_" | grep SOCKET | grep "_C"
+ grep -R "@mozilla.org/network/" . | grep socket | grep -v udp-socket
+
+   - New usage of ResolveNative in nsHttpConnectionMgr::nsHalfOpenSocket::SetupStreams
+     (netwerk/protocol/http/nsHttpConnectionMgr.cpp) but resolution is blocked by
+     DNSForbiddenByActiveProxy
+   - New usage of @mozilla.org/network/dns-service;1 in toolkit/content/aboutNetworking.js
+     but it only allows clearing the DNS cache
+
+============ Rust Portion ================
+
+Rust
+ - XXX: What do we grep for here? Or do we rely on Ritter's compile-time tool?
+ - Check for new sendmsg and recvmsg usage
+
+# FF82: Zero new instances of sendmsg/recvmsg/connect
+
+============ Android Portion =============
+
+Android Java calls
+ - URLConnection
+   - XXX: getInputStream? other methods?
+ - HttpURLConnection
+ - UrlConnectionDownloader
+ - ch.boye.httpclientandroidlib.impl.client.* (look for execute() calls)
+ - grep -n openConnection( mobile/android/thirdparty/
+ - java.net.URL -- has SEVERAL proxy bypass URL fetching methods :/
+ - java.net
+ - javax.net
+ - ch.boye.httpclientandroidlib.conn.* (esp ssl)
+ - ch.boye.httpclientandroidlib.impl.conn.* (esp ssl)
+ - Sudden appearance of thirdparty libs:
+   - OkHttp
+   - Retrofit
+   - Glide
+   - com.amitshekhar.android
+ - IntentHelper
+   - openUriExternal (can come from GeckoAppShell too)
+   - getHandlersForMimeType
+   - getHandlersForURL
+   - getHandlersForIntent
+ - android.content.Intent - too common; instead find launch methods:
+   - startActivity
+   - startActivities
+   - sendBroadcast
+   - sendOrderedBroadcast
+   - startService
+   - bindService
+ - android.app.PendingIntent
+ - android.app.DownloadManager
+ - ActivityHandlerHelper.startIntentAndCatch
+
+# FF82: Nothing of interest (using `java_audit.sh`)
+
+============ Application Services Portion =============
+
+Start: 160239424a37088ec84e15fb1bae82aed2cbee8f
+End: 8e63363359c3d20385ed55f5308d19e321816898 # v63.0.0
+
+Zero new usage found of known proxy-bypass APIs
+
+============ Android Components Portion =============
+
+Start: c84cf8e7736ee77c22c75ca9f0397b202e489991
+End: 0a93a5ecd39e5a7f80e453a0d1a863057465aca0 # v60.0.3
+
+Zero new usage found of known proxy-bypass APIs (using `java_audit.sh`)
+
+============ Fenix Portion =============
+
+Start: b54949e58f9fda3698ada3e64b9f4337177d84f0
+End: 998b62866dee35929ca0d81641df101c83ac1224 # v82.0.0-beta.4
+
+Zero new usage found of known proxy-bypass APIs (using `java_audit.sh`)
+
+============ Regression/Prior Vuln Review =========
+
+Review proxy bypass bugs; check for new vectors to look for:
+ - https://trac.torproject.org/projects/tor/query?keywords=~tbb-proxy
+   - Look for new features like these. Especially external app launch vectors
+
diff --git a/audits/java_audit.sh b/audits/java_audit.sh
new file mode 100644
index 0000000..57524eb
--- /dev/null
+++ b/audits/java_audit.sh
@@ -0,0 +1,85 @@
+#!/bin/bash -e
+
+if [ $# -ne 3 ]; then
+    echo "usage: <path/to/repo> <old commit> <new commit>"
+    exit 1
+fi
+
+REPO_DIR=$1
+
+OLD=$2
+NEW=$3
+
+SCOPE="java" # string: this is the java audit
+
+declare -a KEYWORDS
+
+#KEYWORDS+=('+++\ ')
+
+# URL access
+KEYWORDS+=(URLConnection)
+KEYWORDS+=(UrlConnectionDownloader)
+
+# Proxy settings
+KEYWORDS+=(ProxySelector)
+
+# Android and java networking and 3rd party libs
+KEYWORDS+=("openConnection(")
+KEYWORDS+=("java.net")
+KEYWORDS+=("javax.net")
+KEYWORDS+=(android.net)
+KEYWORDS+=(android.webkit)
+
+# Third Party http libs
+KEYWORDS+=(ch.boye.httpclientandroidlib.impl.client)
+KEYWORDS+=(okhttp)
+
+# Intents
+KEYWORDS+=(IntentHelper)
+KEYWORDS+=(openUriExternal)
+KEYWORDS+=(getHandlersForMimeType)
+KEYWORDS+=(getHandlersForURL)
+KEYWORDS+=(getHandlersForIntent)
+# KEYOWRDS+=(android.content.Intent) # Common
+KEYWORDS+=(startActivity)
+KEYWORDS+=(startActivities)
+KEYWORDS+=(startBroadcast)
+KEYWORDS+=(sendBroadcast)
+KEYWORDS+=(sendOrderedBroadcast)
+KEYWORDS+=(startService)
+KEYWORDS+=(bindService)
+KEYWORDS+=(android.app.PendingIntent)
+KEYWORDS+=(ActivityHandlerHelper.startIntentAndCatch)
+KEYWORDS+=(AppLinksInterceptor)
+KEYWORDS+=(AppLinksUseCases)
+
+cd $REPO_DIR
+#function join_by { local d=$1; shift; local f=$1; shift; printf %s "$f" "${@/#/ $d}"; }
+#GREP_LINE="$(join_by -G ${KEYWORDS[@]})"
+
+base=`git merge-base ${OLD} ${NEW}`
+
+#if [ ! -f "release-${OLD}-${NEW}.diff" ];
+if [ ! -f "release-${base}-${NEW}.diff" ];
+then
+  #echo "Diffing release-${OLD}-${NEW}.diff"
+  echo "Diffing release-${base}-${NEW}.diff"
+  #git diff --color=always --color-moved origin/$OLD origin/$NEW -U20 > release-${OLD}-${NEW}.diff
+  git diff --color=always --color-moved $base $NEW -U20 > release-${base}-${NEW}.diff
+  #git diff --color=always --color-moved -G${GREP_LINE} $OLD $NEW -U20 > release-${OLD}-${NEW}-G.diff
+fi
+
+echo "Done with diff"
+
+function join_by { local d=$1; shift; local f=$1; shift; printf %s "$f" "${@/#/$d}"; }
+
+GREP_LINE="$(join_by | ${KEYWORDS[@]})"
+#GREP_LINE="+++ |$(join_by | ${KEYWORDS[@]})"
+
+export GREP_COLOR="05;37;41"
+
+# XXX: Arg this sometimes misses file context 
+egrep -A40 -B40 --color=always "${GREP_LINE}" release-${base}-${NEW}.diff > keywords-${base}-${NEW}-$SCOPE.diff
+
+echo "Diff generated. View it with:"
+echo "  less -R $REPO_DIR/keywords-$base-$NEW-$SCOPE.diff"

    