Verified Commit 2d8705e6 authored by Georg Koppen's avatar Georg Koppen

Merge remote-tracking branch 'gitlab/merge-requests/26'

parents 82aa1632 6735a8b4
Run `git diff esrA esrB` and go over every change that contains one of the potentially dangerous calls and features listed below. Grep the diff for the following strings and examine the surrounding usage.
============ General =============
=============== Native DNS Portion =============
The audit begins at the commit hash where the previous audit ended. Use
code_audit.sh for creating the diff and highlighting potentially problematic
code. The audit is scoped to a specific language (currently C/C++, Rust,
Java/Kotlin, and JavaScript).
PR_GetHostByName
PR_GetIPNodeByName
PR_GetAddrInfoByName
PR_StringToNetAddr (itself is safe: it passes AI_NUMERICHOST to getaddrinfo, so no name resolution happens. New call sites are still worth a look, to confirm the surrounding code does not fall back to a resolving lookup when parsing fails.)
The output includes the entire patch where the new problematic code was
introduced. Search for "XXX MATCH XXX" to find the next potential violation.
MDNS
TRR (DNS Trusted Recursive Resolver)
code_audit.sh contains the list of known problematic APIs. Every new usage of these
functions is documented and analyzed in this audit.
Direct Paths to DNS resolution:
nsDNSService::Resolve
nsDNSService::AsyncResolve
nsHostResolver::ResolveHost
============ Firefox General Portion =============
============ Misc Socket Portion ==============
Start: ${previous_base_commit_hash} # ${prev_tag}
End: ${next_base_commit_hash} # ${next_tag}
SOCK_
SOCKET_
_SOCKET
UDPSocket
TCPSocket
PR_NewTCPSocket
AsyncTCPSocket
============ Application Services Portion =============
Misc PR_Socket
Start: ${previous_base_commit_hash} # ${prev_tag}
End: ${next_base_commit_hash} # ${next_tag}
=========== Misc XPCOM Portion ================
============ Android Components Portion =============
Misc XPCOM (including commands for pre-diff review approach)
*SocketProvider
grep -R udp-socket .
grep -R tcp-socket .
grep for tcpsocket
grep -R "NS_" | grep SOCKET | grep "_C"
grep -R "@mozilla.org/network/" . | grep socket | grep -v udp-socket
Start: ${previous_base_commit_hash} # ${prev_tag}
End: ${next_base_commit_hash} # ${next_tag}
============ Rust Portion ================
============ Fenix Portion =============
Rust
- XXX: What do we grep for here? Or do we rely on Ritter's compile-time tool?
- Check for new sendmsg and recvmsg usage
============ Android Portion =============
Android Java calls
- URLConnection
- XXX: getInputStream? other methods?
- HttpURLConnection
- UrlConnectionDownloader
- ch.boye.httpclientandroidlib.impl.client.* (look for execute() calls)
- grep -n openConnection\( mobile/android/thirdparty/
- java.net.URL -- has SEVERAL methods that fetch the URL directly (openStream(), getContent(), openConnection()), each a potential proxy bypass :/
- java.net
- javax.net
- ch.boye.httpclientandroidlib.conn.* (esp ssl)
- ch.boye.httpclientandroidlib.impl.conn.* (esp ssl)
- Sudden appearance of thirdparty libs:
- OkHttp
- Retrofit
- Glide
- com.amitshekhar.android
- IntentHelper
- openUriExternal (can come from GeckoAppShell too)
- getHandlersForMimeType
- getHandlersForURL
- getHandlersForIntent
- android.content.Intent - too common; instead find launch methods:
- startActivity
- startActivities
- sendBroadcast
- sendOrderedBroadcast
- startService
- bindService
- android.app.PendingIntent
- android.app.DownloadManager
- ActivityHandlerHelper.startIntentAndCatch
Start: ${previous_base_commit_hash} # ${prev_tag}
End: ${next_base_commit_hash} # ${next_tag}
============ Regression/Prior Vuln Review =========
Review proxy bypass bugs; check for new vectors to look for:
- https://trac.torproject.org/projects/tor/query?keywords=~tbb-proxy
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features of the same kind, especially new ways to launch an external app (Intents, URI handlers), since those hand the request to code outside the browser's proxy configuration.
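#!/bin/bash
#
# code_audit.sh -- build a reviewable diff of the networking-relevant changes
# between two commits of a checkout.
#
# Usage: code_audit.sh <path/to/repo> <lang> <old commit> <new commit>
#   <lang> selects the keyword set and file extensions: java | kt | java-kt |
#   c-cpp | c-cxx | c | cxx | cpp | rust | js
#
# All output files (patches-*.diff, keywords-*.diff) are written into the
# checkout itself, so do not commit them.
#
# Options live in `set` rather than the shebang so they still apply when the
# script is run as `bash code_audit.sh`; -u catches a mistyped variable name
# silently turning into an empty pathspec or an empty grep pattern.
set -euo pipefail

if [ $# -ne 4 ]; then
  echo "usage: $0 <path/to/repo> <lang> <old commit> <new commit>" >&2
  exit 1
fi
REPO_DIR=$1   # git checkout to audit
SCOPE=$2      # language selector; normalized later
OLD=$3        # commit where the previous audit ended (diff base)
NEW=$4        # commit to audit up to
# Keyword list, filled by the initialize_*_symbols function for the chosen
# language and joined into one ERE alternation later on.
declare -a KEYWORDS
# Would also pull every "+++ " file header into the match set:
#KEYWORDS+=('\+\+\+\ ')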
# Append the Java/Kotlin audit symbols to KEYWORDS: anything that fetches a
# URL, chooses a proxy, pulls in a networking package or third-party HTTP
# client, or hands a URI/Intent to another app. Order is preserved from the
# audit checklist.
initialize_java_symbols() {
  local -a java_symbols
  java_symbols=(
    # URL access
    URLConnection
    UrlConnectionDownloader
    # Proxy settings
    ProxySelector
    # Android and java networking and 3rd party libs
    'openConnection\('
    'java.net'
    'javax.net'
    android.net
    android.webkit
    # Third Party http libs
    ch.boye.httpclientandroidlib.impl.client
    okhttp
    # Intents (android.content.Intent itself is far too common to grep for)
    IntentHelper
    openUriExternal
    getHandlersForMimeType
    getHandlersForURL
    getHandlersForIntent
    startActivity
    startActivities
    startBroadcast
    sendBroadcast
    sendOrderedBroadcast
    startService
    bindService
    android.app.PendingIntent
    ActivityHandlerHelper.startIntentAndCatch
    AppLinksInterceptor
    AppLinksUseCases
    ActivityDelegate
  )
  KEYWORDS+=("${java_symbols[@]}")
}
# Append the Rust audit symbols to KEYWORDS: socket connect(), raw
# sendmsg()/recvmsg(), and the ::get(/::post( calls that presumably belong to
# HTTP client crates. The opening parenthesis is escaped so each pattern
# matches a call site rather than any identifier sharing the prefix.
initialize_rust_symbols() {
  local sym
  for sym in 'connect\(' 'recvmsg\(' 'sendmsg\(' '::post\(' '::get\('; do
    KEYWORDS+=("$sym")
  done
}
# Append the C/C++ audit symbols to KEYWORDS: NSPR host lookup, mDNS and the
# Trusted Recursive Resolver, the direct DNS resolution entry points, and
# anything that creates or names a socket. PR_StringToNetAddr itself resolves
# nothing (AI_NUMERICHOST) but stays on the list so new call sites get a look.
initialize_cpp_symbols() {
  local -a cpp_symbols
  cpp_symbols=(
    # NSPR host lookup
    PR_GetHostByName
    PR_GetIPNodeByName
    PR_GetAddrInfoByName
    PR_StringToNetAddr
    # multicast DNS
    MDNS
    mDNS
    mdns
    # Trusted Recursive Resolver
    TRR
    trr
    # direct paths to DNS resolution (nsDNSService / nsHostResolver)
    AsyncResolve
    asyncResolve
    ResolveHost
    resolveHost
    # sockets
    SOCK_
    SOCKET_
    _SOCKET
    UDPSocket
    TCPSocket
    PR_Socket
    SocketProvider
    udp-socket
    tcp-socket
    tcpsocket
    SOCKET
    mozilla.org/network
  )
  KEYWORDS+=("${cpp_symbols[@]}")
}
# Append the JavaScript audit symbols to KEYWORDS: the DNS resolution calls
# (parenthesis escaped so only call sites match), the udp/tcp socket contract
# IDs and the mozilla.org/network component prefix.
initialize_js_symbols() {
  local -a js_symbols
  js_symbols=(
    'AsyncResolve\('
    'asyncResolve\('
    'ResolveHost\('
    'resolveHost\('
    udp-socket
    udpsocket
    tcp-socket
    tcpsocket
    SOCKET
    mozilla.org/network
  )
  KEYWORDS+=("${js_symbols[@]}")
}
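# Step 1: Initialize scope of audit
# Map the requested language onto the file extensions git should diff and the
# keyword set to grep for. SCOPE is normalized so the output file names do not
# depend on which alias the caller used.
EXT=
case "${SCOPE}" in
  "java" | "kt" | "java-kt" )
    EXT="java kt"
    SCOPE="java-kt"
    initialize_java_symbols
    ;;
  "c-cpp" | "c-cxx" | "c" | "cxx" | "cpp" )
    # .cc and Objective-C++ .mm sources are included as well so platform
    # specific networking code is not silently left out of the diff.
    EXT="c cc cpp h cxx hpp hxx mm"
    SCOPE="c-cpp"
    initialize_cpp_symbols
    ;;
  "rust" )
    EXT="rs"
    initialize_rust_symbols
    ;;
  "js" )
    # .mjs covers ES modules; a missing extension means new code in that
    # file type never shows up in the audit at all.
    EXT="js jsm mjs"
    initialize_js_symbols
    ;;
  * )
    echo "requested language not recognized: '${SCOPE}'" >&2
    echo "expected one of: java, kt, java-kt, c-cpp, c-cxx, c, cxx, cpp, rust, js" >&2
    exit 1
    ;;
esac
# Output files are written into the checkout; fail loudly if it is missing.
cd "$REPO_DIR" || { echo "cannot cd to '$REPO_DIR'" >&2; exit 1; }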
# Step 2: Generate match pattern based on in-scope keywords
# join_by SEP FIRST [REST...] -- print FIRST followed by every REST element
# prefixed with SEP, without a trailing newline. SEP may be longer than one
# character. Used to turn the keyword array into a single ERE alternation.
join_by() {
  local sep=$1 acc=$2 piece
  shift 2
  for piece in "$@"; do
    acc+="${sep}${piece}"
  done
  printf '%s' "$acc"
}
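# One ERE alternation of every keyword; used both for git diff -G and grep -E.
GREP_LINE="$(join_by \| "${KEYWORDS[@]}")"
# Step 3: Obtain patches for all in-scope files where a keyword is present
declare -a path
for ext in ${EXT}; do
  # Git pathspec globs match across directory separators, so "*.rs" finds
  # every Rust file in the tree, not just the top level.
  path+=("*.${ext}")
done
PATCHES_FILE="patches-${OLD}-${NEW}-${SCOPE}.diff"
KEYWORDS_FILE="keywords-${OLD}-${NEW}-${SCOPE}.diff"
echo "Diffing ${PATCHES_FILE} from all ${path[*]} files"
# Exclude Deleted and Unmerged files from diff
DIFF_FILTER=ACMRTXB
# -G keeps only files whose added OR removed lines match a keyword (a file
# that merely dropped a keyword shows up too); -U20 gives enough context to
# read the enclosing function.
git diff --color=always --color-moved --diff-filter="${DIFF_FILTER}" -U20 -G"${GREP_LINE}" "$OLD" "$NEW" -- "${path[@]}" > "${PATCHES_FILE}"
# Step 4: Highlight the keyword with an annoying, flashing color
# GREP_COLORS takes precedence over the obsolescent GREP_COLOR, so set both:
# otherwise a GREP_COLORS already in the caller's environment (or a newer grep)
# changes the escape sequence and the sed below silently tags no match at all.
export GREP_COLOR="05;37;41"
export GREP_COLORS="mt=05;37;41"
# Capture the entire file and/or overlap with the previous match, add GREP_COLOR highlighting.
# grep exits 1 when nothing matched, which is a legitimate audit result, and
# >1 on a real error; tell them apart instead of dying silently under set -e.
rc=0
grep -A10000 -B10000 --color=always -E "${GREP_LINE}" "${PATCHES_FILE}" > "${KEYWORDS_FILE}" || rc=$?
if [ "$rc" -gt 1 ]; then
  echo "grep failed (exit $rc) while scanning ${PATCHES_FILE}" >&2
  exit "$rc"
fi
if [ "$rc" -eq 1 ]; then
  echo "No keyword matches between ${OLD} and ${NEW} for ${SCOPE}; nothing to review."
  exit 0
fi
# Add a 'XXX MATCH XXX' at the end of each matched line, easily searchable.
# Relies on GNU sed (-i without suffix, \x1b escape) and on the exact colour
# sequence exported above.
sed -i 's/\(\x1b\[05;37;41.*\)/\1 XXX MATCH XXX/' "${KEYWORDS_FILE}"
# Step 5: Review the code changes
echo "Diff generated. View it with:"
echo " less -R $REPO_DIR/${KEYWORDS_FILE}"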
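#!/bin/bash
#
# Java audit: diff two commits of the checkout and pull out every hunk that
# touches a URL-fetching, proxy-selection, Intent-launching or Rust networking
# symbol, with +-40 lines of context.
#
# Usage: <script> <path/to/repo> <old commit> <new commit>
#
# NOTE(review): code_audit.sh covers the same keyword sets with per-language
# scoping and git diff -G; confirm whether this script is still needed.
#
# Options go through `set` rather than the shebang so they still apply when
# the script is run as `bash script.sh`.
set -euo pipefail

if [ $# -ne 3 ]; then
  echo "usage: $0 <path/to/repo> <old commit> <new commit>" >&2
  exit 1
fi
REPO_DIR=$1   # git checkout to audit; output files are written here
OLD=$2        # commit the previous audit ended at (diff base)
NEW=$3        # commit to audit up to
SCOPE="java" # string: this is the java audit
declare -a KEYWORDS
# Would also pull every "+++ " file header into the match set:
#KEYWORDS+=('\+\+\+\ ')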
# Keyword list for the java audit, grouped by the kind of bypass each symbol
# can introduce. The Rust symbols are appended to the same list because the
# single grep further down runs over the whole release diff regardless of
# language.
KEYWORDS+=(
  # URL access
  URLConnection
  UrlConnectionDownloader
  # Proxy settings
  ProxySelector
  # Android and java networking and 3rd party libs
  'openConnection\('
  'java.net'
  'javax.net'
  android.net
  android.webkit
  # Third Party http libs
  ch.boye.httpclientandroidlib.impl.client
  okhttp
  # Intents (android.content.Intent itself is far too common to grep for)
  IntentHelper
  openUriExternal
  getHandlersForMimeType
  getHandlersForURL
  getHandlersForIntent
  startActivity
  startActivities
  startBroadcast
  sendBroadcast
  sendOrderedBroadcast
  startService
  bindService
  android.app.PendingIntent
  ActivityHandlerHelper.startIntentAndCatch
  AppLinksInterceptor
  AppLinksUseCases
  # Rust symbols
  'connect\('
  'recvmsg\('
  'sendmsg\('
  '::post\('
  '::get\('
)
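# Output files are written into the checkout; fail loudly if it is missing.
cd "$REPO_DIR" || { echo "cannot cd to '$REPO_DIR'" >&2; exit 1; }
# Earlier experiments (a -G-filtered diff, diffing from the merge base) kept
# for reference:
#function join_by { local d=$1; shift; local f=$1; shift; printf %s "$f" "${@/#/ $d}"; }
#GREP_LINE="$(join_by \-G ${KEYWORDS[@]})"
#base=`git merge-base ${OLD} ${NEW}`
RELEASE_DIFF="release-${OLD}-${NEW}.diff"
# The full release diff is expensive, so a file from a previous run is reused.
# Write through a temporary name so an interrupted or failed git diff does not
# leave a truncated file behind that the next run would silently trust.
if [ ! -f "${RELEASE_DIFF}" ]; then
  echo "Diffing ${RELEASE_DIFF}"
  #echo "Diffing release-${base}-${NEW}.diff"
  git diff --color=always --color-moved "$OLD" "$NEW" -U20 > "${RELEASE_DIFF}.tmp"
  mv -- "${RELEASE_DIFF}.tmp" "${RELEASE_DIFF}"
  #git diff --color=always --color-moved $base $NEW -U20 > release-${base}-${NEW}.diff
  #git diff --color=always --color-moved -G${GREP_LINE} $OLD $NEW -U20 > release-${OLD}-${NEW}-G.diff
fi
echo "Done with diff"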
# join_by SEP FIRST [REST...] -- write FIRST, then SEP followed by each REST
# element, with no trailing newline. SEP may be more than one character.
join_by() {
  local delim=$1 head=$2 item
  shift 2
  printf '%s' "$head"
  for item in "$@"; do
    printf '%s%s' "$delim" "$item"
  done
}
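# One ERE alternation of every keyword (quoted: unquoted expansion would let
# the shell glob or split the patterns before grep ever sees them).
GREP_LINE="$(join_by \| "${KEYWORDS[@]}")"
#GREP_LINE="\+\+\+ |$(join_by \| ${KEYWORDS[@]})"
# GREP_COLORS takes precedence over the obsolescent GREP_COLOR, so set both:
# a GREP_COLORS already in the caller's environment (or a newer grep) would
# otherwise change the highlight sequence without any warning.
export GREP_COLOR="05;37;41"
export GREP_COLORS="mt=05;37;41"
# XXX: Arg this sometimes misses file context
# A fixed +-40 lines of context drops the "diff --git"/"+++ b/" header whenever
# the match sits deeper than that into a file's patch, so the reader cannot
# tell which file a hit belongs to; code_audit.sh avoids this with git diff -G.
KEYWORDS_FILE="keywords-${OLD}-${NEW}-${SCOPE}.diff"
# grep exits 1 when nothing matched (a legitimate audit result) and >1 on a
# real error; tell them apart instead of dying silently under set -e.
rc=0
#egrep -A40 -B40 --color=always "${GREP_LINE}" release-${base}-${NEW}.diff > keywords-${base}-${NEW}-$SCOPE.diff
grep -E -A40 -B40 --color=always "${GREP_LINE}" "release-${OLD}-${NEW}.diff" > "${KEYWORDS_FILE}" || rc=$?
if [ "$rc" -gt 1 ]; then
  echo "grep failed (exit $rc) while scanning release-${OLD}-${NEW}.diff" >&2
  exit "$rc"
fi
if [ "$rc" -eq 1 ]; then
  echo "No keyword matches between ${OLD} and ${NEW}; nothing to review."
  exit 0
fi
echo "Diff generated. View it with:"
#echo " less -R $REPO_DIR/keywords-$base-$NEW-$SCOPE.diff"
echo " less -R $REPO_DIR/${KEYWORDS_FILE}"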