[tor-commits] [tor-browser-spec/master] Bug 40017: Add FF88 audit

sysrqb at torproject.org sysrqb at torproject.org
Thu May 13 15:54:49 UTC 2021


commit b89f42cdb5117d082d945816ce132da0499173af
Author: Matthew Finkel <sysrqb at torproject.org>
Date:   Fri Apr 30 22:45:36 2021 +0000

    Bug 40017: Add FF88 audit
---
 audits/FF88_NETWORK_AUDIT | 141 ++++++++++++++++++++++++++++++++++++++++++++++
 audits/code_audit.sh      |   6 +-
 2 files changed, 146 insertions(+), 1 deletion(-)

diff --git a/audits/FF88_NETWORK_AUDIT b/audits/FF88_NETWORK_AUDIT
new file mode 100644
index 0000000..6462aad
--- /dev/null
+++ b/audits/FF88_NETWORK_AUDIT
@@ -0,0 +1,141 @@
+=============== Firefox General =============
+
+Start: 4068febfd76d9ec557591240d7496be42c27c17f # FIREFOX_87_0_BUILD3
+End:   676143236541851e068696fa4528d87a9bb0088d # FIREFOX_88_0_BUILD1
+
+=============== Firefox Native DNS Portion =============
+
+PR_GetHostByName
+PR_GetIPNodeByName
+PR_GetAddrInfoByName
+PR_StringToNetAddr (itself is good as it passes AI_NUMERICHOST to getaddrinfo. No resolution.)
+
+MDNS
+TRR (DNS Trusted Recursive Resolver)
+Direct Paths to DNS resolution:
+nsDNSService::Resolve
+nsDNSService::AsyncResolve
+nsHostResolver::ResolveHost
+
+# FF88: Nothing of interest
+
+============ Firefox Misc Socket Portion ==============
+
+SOCK_
+SOCKET_
+_SOCKET
+
+UDPSocket
+TCPSocket
+  PR_NewTCPSocket
+  AsyncTCPSocket
+
+Misc PR_Socket
+
+# FF88: Nothing of interest
+
+=========== Firefox Misc XPCOM Portion ================
+
+Misc XPCOM (including commands for pre-diff review approach)
+ *SocketProvider
+ grep -R udp-socket .
+ grep -R tcp-socket .
+ grep for tcpsocket
+ grep -R "NS_" | grep SOCKET | grep "_C"
+ grep -R "@mozilla.org/network/" . | grep socket | grep -v udp-socket
+
+# FF88: Nothing of interest
+
+============ Firefox Rust Portion ================
+
+Rust
+
+# FF88: Nothing of interest (using `java_audit.sh`)
+
+============ Firefox Android Portion =============
+
+Android Java calls
+ - URLConnection
+   - XXX: getInputStream? other methods?
+ - HttpURLConnection
+ - UrlConnectionDownloader
+ - ch.boye.httpclientandroidlib.impl.client.* (look for execute() calls)
+ - grep -n openConnection\( mobile/android/thirdparty/
+ - java.net.URL -- has SEVERAL proxy bypass URL fetching methods :/
+ - java.net
+ - javax.net
+ - ch.boye.httpclientandroidlib.conn.* (esp ssl)
+ - ch.boye.httpclientandroidlib.impl.conn.* (esp ssl)
+ - Sudden appearance of thirdparty libs:
+   - OkHttp
+   - Retrofit
+   - Glide
+   - com.amitshekhar.android
+ - IntentHelper
+   - openUriExternal (can come from GeckoAppShell too)
+   - getHandlersForMimeType
+   - getHandlersForURL
+   - getHandlersForIntent
+ - android.content.Intent - too common; instead find launch methods:
+   - startActivity
+   - startActivities
+   - sendBroadcast
+   - sendOrderedBroadcast
+   - startService
+   - bindService
+ - android.app.PendingIntent
+ - android.app.DownloadManager
+ - ActivityHandlerHelper.startIntentAndCatch
+
+# FF88
+# Bug 1694481
+#  - Removes unused code
+
+============ Application Services Portion =============
+
+Start: 1ee6b32f3ee569036fdf1015cf7ffc01ded2860f # v71.0.0
+End:   ad7b64fa03eeeb00815125e635d1fb8809befd40 # v74.0.1
+
+# FF88: Nothing related to networking in Java/Koltlin/Rust code (using `code_audit.sh`)
+
+============ Android Components Portion =============
+
+Start: bea80bbaccc431994a534a087b223563826ac256 # v73.0.11
+End:   e09d8a00b5eae63767d905a74966be301b5dd059 # v74.0.11
+
+# FF88 (using `code_audit.sh`)
+# Issue #9823
+#  - Make users aware that download was not performed because of a denied permission
+#  - Review Result: Safe
+#  - Comments:
+#    - Calls startActivity(), but the target is hard-coded as the Android Settings
+
+# Issue #9757
+#  - Remove downloads notification when private tabs are closed
+#  - Review Result: Safe
+#  - Comment:
+#    - Calls startService(), but the target is hard-coded as the internal Downloads Service
+
+# Issue #9713
+#  - Autofill: Support alternative authentication methods
+#  - Review Result: Conditionally Safe
+#  - Comment:
+#    - Calls startActivityForResult() with an arbitrary target Activity.
+#    - Fenix instantiates the configuration using itself as the target.
+
+============ Fenix Portion =============
+
+Start: 9d91b8eeb9d287ee95937b5edfffde383982267a # v87.0.0-rc.1
+End:   5f98c4ec98d663c763dc4ec5ea84a14cdf342d04 # v88.1.1
+
+# FF88: (using `java_audit.sh`)
+#  - 8856a3c1d769586bfd6daa7b3b2df48fb26f1bc3
+#  - Integrate Android Autofill support into Nightly and debug builds.
+#  - Review Result: Safe (but see fenix#40160)
+
+============ Regression/Prior Vuln Review =========
+
+Review proxy bypass bugs; check for new vectors to look for:
+ - https://trac.torproject.org/projects/tor/query?keywords=~tbb-proxy
+   - Look for new features like these. Especially external app launch vectors
+
diff --git a/audits/code_audit.sh b/audits/code_audit.sh
index c7c0848..d260d15 100755
--- a/audits/code_audit.sh
+++ b/audits/code_audit.sh
@@ -55,6 +55,10 @@ initialize_java_symbols() {
     KEYWORDS+=(ActivityDelegate)
     # Added in FF87 audit
     KEYWORDS+=(AutofillService)
+    # Added in FF88 audit
+    KEYWORDS+=(AutofillConfiguration)
+    KEYWORDS+=(Authenticator)
+    KEYWORDS+=(AutofillUnlockActivity)
 }
 
 initialize_rust_symbols() {
@@ -155,7 +159,7 @@ done
 echo "Diffing patches-${OLD}-${NEW}-${SCOPE}.diff from all ${path[*]} files"
 # Exclude Deleted and Unmerged files from diff
 DIFF_FILTER=ACMRTXB
-git diff --color=always --color-moved --diff-filter="${DIFF_FILTER}" -U20 -G"${GREP_LINE}" "$OLD" "$NEW" -- "${path[@]}" > "patches-${OLD}-${NEW}-${SCOPE}.diff"
+git diff --stat --color=always --color-moved --diff-filter="${DIFF_FILTER}" -U20 -G"${GREP_LINE}" "$OLD" "$NEW" -- "${path[@]}" > "patches-${OLD}-${NEW}-${SCOPE}.diff"
 
 # Step 4: Highlight the keyword with an annoying, flashing color
 export GREP_COLOR="05;37;41"



More information about the tor-commits mailing list