FF112 Audit

General

The audit begins at the commit hash where the previous audit ended. Use code_audit.sh to create the diff and highlight potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and JavaScript).

The output includes the entire patch where the new problematic code was introduced. Search for XXX MATCH XXX to find the next potential violation.

code_audit.sh contains the list of known problematic APIs. New uses of these functions are documented and analyzed in this audit.
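
The workflow described above, as an added example that is not the project's code_audit.sh: it reads a git diff, keeps the whole patch, and puts an XXX MATCH XXX marker before each added line that uses a watched API in the chosen language. The function name scan_patch, the watch-lists, the file extensions and the sample patch are assumptions.

```sh
#!/bin/sh
# Added example, not the project's code_audit.sh. The watch-lists, file
# extensions and marker placement below are assumptions for illustration.

# scan_patch LANG: read a `git diff` on stdin, echo it unchanged, and print
# "XXX MATCH XXX" before every ADDED line in a LANG file that names a
# watched API. Exit status: 0 = hits, 1 = none, 2 = unknown language.
scan_patch() {
    case $1 in
        java) exts='[.](java|kt)$';    apis='ClipboardManager|HttpURLConnection' ;;
        cpp)  exts='[.](c|cc|cpp|h)$'; apis='getaddrinfo|gethostbyname' ;;
        js)   exts='[.](js|jsm|mjs)$'; apis='XMLHttpRequest|WebSocket' ;;
        rust) exts='[.]rs$';           apis='TcpStream|UdpSocket' ;;
        *)    echo "unknown language: $1" >&2; return 2 ;;
    esac
    awk -v exts="$exts" -v apis="$apis" '
        /^diff --git /  { inhdr = 1; infile = 0 }   # new file section starts
        /^@@ /          { inhdr = 0 }               # hunk body starts
        # Only the "+++ b/path" header decides whether the file is in scope.
        inhdr && /^[+][+][+] / { infile = ($0 ~ exts); print; next }
        # Flag added lines only; removed and context lines are old code.
        !inhdr && infile && /^[+]/ && $0 ~ apis { print "XXX MATCH XXX"; hits++ }
        { print }
        END { exit (hits ? 0 : 1) }
    '
}

# Constructed sample patch (not taken from any audited repository).
SAMPLE_PATCH=$(cat <<'EOF'
diff --git a/app/Share.kt b/app/Share.kt
--- a/app/Share.kt
+++ b/app/Share.kt
@@ -1,3 +1,3 @@
 fun copy(ctx: Context) {
-    val s = ctx.getSystemService(ClipboardManager::class.java)
+    val cm = ctx.getSystemService(ClipboardManager::class.java)
 }
diff --git a/web/net.js b/web/net.js
--- a/web/net.js
+++ b/web/net.js
@@ -1 +1,2 @@
 const a = 1;
+const x = new XMLHttpRequest();
EOF
)

# Usage: git diff <start> <end> | scan_patch java | less
```

Flagging only added lines in the selected language is what keeps a run like this down to new usage; the removed ClipboardManager line in the sample is left unmarked.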

Firefox: https://github.com/mozilla/gecko-dev.git

  • Start: 431cede9cc9472bb648f5dfe24c54d0067c290e4 ( FIREFOX_111_0_1_RELEASE )
  • End: 8307d3d3e4bfbca09aaa17e444f106e1e1d91b65 ( FIREFOX_112_0_2_RELEASE )

Languages:

  • java
  • cpp
  • js
  • rust

Nothing of interest (using code_audit.sh)


Application Services: https://github.com/mozilla/application-services.git

  • Start: 9657aebb7450c5b58e8b9a88bec12bd5e9e0f700 ( v97.2.0 )
  • End: 48916bbaf585f89fdff3404d181b260ed981a2d6 ( v97.5.0 )

Languages:

  • java
  • cpp
  • js
  • rust

Nothing of interest (using code_audit.sh)

Firefox Android: https://github.com/mozilla-mobile/firefox-android.git

  • Start: 6b0f9fdb3f603974914de82185cd184065b2ebee
  • End: 32bb398127bacccb268a272091d2e62b8d72d6b9

Languages:

  • java
  • cpp
  • js
  • rust

Problematic Commits

  • Bug 1809305 - Allow user to copy an image to the clipboard (#948) - fce0a9aa4f2ac60254dde989ee115252116fe1d7
  • Bug 1819431 - Reimplement default browser notification with Nimbus Messaging equivalent (#1031) - 5989841d341f3ca867cdb2581dd06b6ce4d86156
  • Bug 1818015 - Use custom tab to show privacy notice during onboarding - 8661a63a378da6c76fede176824e8c8655d9d560
  • Bug 1816932 - Add Maps to app links common sub domains - 84227af1a8d6df8fa28f1f0c44966bf376b94337
  • Bug 1817726 - Add Recents url sharing - c2586cba5091402723e4b4aaab7ac357a5e0b707

Ticket Review

Bugzilla Query: https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=112%20Branch&order=priority%2Cbug_severity&limit=0

Nothing of interest (manual inspection)

Problematic Tickets

Export

  • Export Report and save to tor-browser-spec/audits
Edited by morgan