From 8daa8eb5b2bb9625f0d39656f0ac1bbf7b6bd2b9 Mon Sep 17 00:00:00 2001
From: Dan Finlay
Date: Wed, 30 Sep 2020 09:31:21 -0700
Subject: [PATCH] Freeze JS environment with SES

Now that SES supports node v10, we can use its lockdown function. This will prevent the mutation of global primordials, which are a significant vector for supply chain attacks.
---
 app/scripts/lib/freezeGlobals.js | 36 ++------------------------------
 package.json | 2 +-
 yarn.lock | 29 ++++++++++++++++++++-----
 3 files changed, 27 insertions(+), 40 deletions(-)

diff --git a/app/scripts/lib/freezeGlobals.js b/app/scripts/lib/freezeGlobals.js
index b17a84781523..9d139cb4bad2 100644
--- a/app/scripts/lib/freezeGlobals.js
+++ b/app/scripts/lib/freezeGlobals.js
@@ -1,41 +1,9 @@
-
-/**
- * Freezes the Promise global and prevents its reassignment.
- */
-import deepFreeze from 'deep-freeze-strict'
+import 'ses';
 
 if (
   process.env.IN_TEST !== 'true' &&
   process.env.METAMASK_ENV !== 'test'
 ) {
-  freeze(global, 'Promise')
+  lockdown();
 }
 
-/**
- * Makes a key:value pair on a target object immutable, with limitations.
- * The key cannot be reassigned or deleted, and the value is recursively frozen
- * using Object.freeze.
- *
- * Because of JavaScript language limitations, this is does not mean that the
- * value is completely immutable. It is, however, better than nothing.
- *
- * @param {Object} target - The target object to freeze a property on.
- * @param {string} key - The key to freeze.
- * @param {any} [value] - The value to freeze, if different from the existing value on the target.
- * @param {boolean} [enumerable=true] - If given a value, whether the property is enumerable.
- */
-function freeze (target, key, value, enumerable = true) {
-
-  const opts = {
-    configurable: false, writable: false,
-  }
-
-  if (value === undefined) {
-    target[key] = deepFreeze(target[key])
-  } else {
-    opts.value = deepFreeze(value)
-    opts.enumerable = enumerable
-  }
-
-  Object.defineProperty(target, key, opts)
-}
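Review bot: `lockdown()` on the new side is an undeclared identifier that `import 'ses'` installs on the global object as a side effect, and the file's only doc comment was removed along with the Promise-specific code, so nothing tells a reader (or ESLint's no-undef) where the name comes from or that this module must be evaluated before anything else that touches primordials. A header along the lines of `/* global lockdown */` followed by `// Hardens all JS intrinsics via SES lockdown(); must be the first module evaluated. Skipped under IN_TEST / METAMASK_ENV=test.` would restore that. Because the call is gated off in test environments, any code that mutates a primordial (polyfills, prototype-patching dependencies) will pass the test suite and only fail in a locked-down production build, so a CI job that exercises the hardened build is worth adding. lockdown() also accepts taming options such as `errorTaming`; if I recall correctly the defaults change how error stacks are exposed, so confirm the defaults are acceptable for debugging or pass the options explicitly.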
diff --git a/package.json b/package.json
index 5e6977d1f5a7..4b0910e7aa2c 100644
--- a/package.json
+++ b/package.json
@@ -93,7 +93,6 @@
     "currency-formatter": "^1.4.2",
     "d3": "^5.15.0",
     "debounce-stream": "^2.0.0",
-    "deep-freeze-strict": "1.1.1",
     "dnode": "^1.2.2",
     "end-of-stream": "^1.4.4",
     "eth-block-tracker": "^4.4.2",
@@ -164,6 +163,7 @@
     "rpc-cap": "^3.2.0",
     "safe-event-emitter": "^1.0.1",
     "safe-json-stringify": "^1.2.0",
+    "ses": "^0.10.4",
     "single-call-balance-checker-abi": "^1.0.0",
     "swappable-obj-proxy": "^1.1.0",
     "textarea-caret": "^3.0.1",
diff --git a/yarn.lock b/yarn.lock
index f3a8588006bf..5663284faab7 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -47,6 +47,21 @@
     did-resolver "0.0.6"
     ipfs-did-document "^1.2.3"
 
+"@agoric/babel-standalone@^7.9.5":
+  version "7.9.5"
+  resolved "https://registry.yarnpkg.com/@agoric/babel-standalone/-/babel-standalone-7.9.5.tgz#1ca0c17844924199d31e49d6b67e8b2a629b8599"
+  integrity sha512-1Aa23oPuRi4kywUyZODo8zey9Gq2NpD2xUnNvgJLoT8orMQRlVOtvbG3JeHq5sjJERlF/q6csg4/P8t8/5IABA==
+
+"@agoric/make-hardener@^0.1.0":
+  version "0.1.1"
+  resolved "https://registry.yarnpkg.com/@agoric/make-hardener/-/make-hardener-0.1.1.tgz#9b887da47aeec6637d9db4f0a92a4e740b8262bb"
+  integrity sha512-3emNc+yWJoFK5JMLoEFPs6rCzkntWQKxpR4gt3jaZYLKoUG4LrTmID3XNe8y40B6SJ3k/wLPodKa0ToQGlhrwQ==
+
+"@agoric/transform-module@^0.4.1":
+  version "0.4.1"
+  resolved "https://registry.yarnpkg.com/@agoric/transform-module/-/transform-module-0.4.1.tgz#9fb152364faf372e1bda535cb4ef89717724f57c"
+  integrity sha512-4TJJHXeXAWu1FCA7yXCAZmhBNoGTB/BEAe2pv+J2X8W/mJTr9b395OkDCSRMpzvmSshLfBx6wT0D7dqWIWEC1w==
+
 "@babel/code-frame@7.0.0":
   version "7.0.0"
   resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.0.0.tgz#06e2ab19bdb535385559aabb5ba59729482800f8"
@@ -8696,11 +8711,6 @@ deep-extend@^0.6.0, deep-extend@~0.6.0: resolved "https://registry.yarnpkg.com/deep-extend/-/deep-extend-0.6.0.tgz#c4fa7c95404a17a9c3e8ca7e1537312b736330ac" integrity sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA== -deep-freeze-strict@1.1.1: - version "1.1.1" - resolved "https://registry.yarnpkg.com/deep-freeze-strict/-/deep-freeze-strict-1.1.1.tgz#77d0583ca24a69be4bbd9ac2fae415d55523e5b0" - integrity sha1-d9BYPKJKab5LvZrC+uQV1VUj5bA= - deep-is@^0.1.3, deep-is@~0.1.3: version "0.1.3" resolved "https://registry.yarnpkg.com/deep-is/-/deep-is-0.1.3.tgz#b369d6fb5dbc13eecf524f91b070feedc357cf34" @@ -24140,6 +24150,15 @@ servify@^0.1.12: request "^2.79.0" xhr "^2.3.3" +ses@^0.10.4: + version "0.10.4" + resolved "https://registry.yarnpkg.com/ses/-/ses-0.10.4.tgz#c1eb7235cd5e358679e134b14e4a5c305e3d60e3" + integrity sha512-vavaZvST9GCzz2zooEAXkHpwxeNOLOx8dwcxvS2pw+I9GL0Mhs4337kXnbTNWX10iqFgPVjBu+PQ2CQDOzq74Q== + dependencies: + "@agoric/babel-standalone" "^7.9.5" + "@agoric/make-hardener" "^0.1.0" + "@agoric/transform-module" "^0.4.1" + sesify-tofu@^2.0.4: version "2.0.4" resolved "https://registry.yarnpkg.com/sesify-tofu/-/sesify-tofu-2.0.4.tgz#b31d4c8d67ea2d61e9c5be4948f085a849f3e632"