TODO SECURITY
=============
* Update the following to `wss://` and `https://`
* Change to `wss://` in fether-electron/src/main/app/constants/index.js
```
'wss://127.0.0.1:8546',
```
* Change to `https:` and `wss:` in fether-electron/src/main/app/utils/csp.js
```
connectSrc: "connect-src https: wss:;",
```
* Change to `wss://` in
```
connectToApi = () => {
  // Get the provider, optionally from --ws-interface and --ws-port flags
  const [defaultInterface, defaultPort] = ['127.0.0.1', '8546'];
  let provider = `wss://${defaultInterface}:${defaultPort}`;
  if (ipcRenderer) {
    provider = `wss://${wsInterface || defaultInterface}:${wsPort ||
      defaultPort}`;
  }
```
* Add the following event handlers to fether-electron/src/main/index.js
```
/**
 * Security. Insecure TLS Validation - verify the application does not explicitly opt-out
 * of TLS validation.
 *
 * Reference: https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf
 */
app.on(
  'certificate-error',
  (event, webContents, url, error, certificate, callback) => {
    // Prevent default behaviour of continuing to load the page
    event.preventDefault();
    let isValidCertificate = false;
    // FIXME - in development environment validate own certificate,
    // either self-signed or signed by a local root,
    // that has been trusted in the trust store of the OS.
    //
    // Reference: https://letsencrypt.org/docs/certificates-for-localhost/
    if (isValidCertificate) {
      callback(true); // eslint-disable-line
    } else {
      // Disallow insecure (invalid) certificates
      callback(false); // eslint-disable-line
    }
  }
);
// FIXME - uncomment and show how Linux users may create a valid certificate
// and perhaps access it using an environment variable
// /**
//  * Security. Verify custom TLS certificates imported into the platform
//  * certificate store on Linux.
//  *
//  * Reference: Page 13 of https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf
//  */
// if (!['darwin', 'win32'].includes(process.platform)) {
//   const options = {
//     certificate: CERTIFICATE_PKCS12_FILE_PATH,
//     password: CERTIFICATE_PASSPHRASE
//   };
//   // Reference: https://electronjs.org/docs/all#appimportcertificateoptions-callback-linux
//   app.importCertificate(options, importCertificateResult => {
//     const isValidCertificate = importCertificateResult === 0;
//     return isValidCertificate;
//   });
// }
```
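One way to fill in the FIXME above for development builds, as an added example that is not Fether's code: a default-deny `certificate-error` handler that overrides Chromium's rejection only when the request goes to a loopback host over `https`/`wss` and the presented certificate's fingerprint equals a pinned value. The environment variable name `FETHER_DEV_CERT_FINGERPRINT` and the treatment of `certificate.fingerprint` as an opaque string (algorithm prefix and colons stripped before comparison) are assumptions, not something the note specifies.

```javascript
// Added example, not Fether's code: default-deny 'certificate-error' handler
// with a pinned development certificate. Anything not on the allow-list is
// refused, which keeps the default-deny behaviour of the note's handler.
//
// Assumptions (not from the note): the pinned fingerprint comes from the
// hypothetical env var FETHER_DEV_CERT_FINGERPRINT, and certificate.fingerprint
// is compared as an opaque string after stripping 'sha256/' and ':'.

const LOOPBACK_HOSTS = new Set(['127.0.0.1', 'localhost', '[::1]']);

// 'sha256/AB:CD', 'sha256/ABCD' and 'ABCD' all normalise to 'ABCD'.
function normaliseFingerprint(fingerprint) {
  return String(fingerprint || '')
    .replace(/^sha256\//i, '')
    .replace(/:/g, '');
}

// Pure decision: may a certificate that Chromium already rejected be used?
function isTrustedCertificate(url, certificate, pinnedFingerprint) {
  const pin = normaliseFingerprint(pinnedFingerprint);
  if (pin === '') return false; // no pin configured: never override Chromium

  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparseable URL: deny
  }
  if (!['https:', 'wss:'].includes(parsed.protocol)) return false;
  if (!LOOPBACK_HOSTS.has(parsed.hostname)) return false; // only the local node

  const presented = normaliseFingerprint(certificate && certificate.fingerprint);
  return presented !== '' && presented === pin;
}

// Wire the decision into Electron. `app` is passed in so the policy can be
// exercised with a stub object outside Electron.
function installCertificateErrorHandler(app, pinnedFingerprint, log = console) {
  app.on('certificate-error', (event, webContents, url, error, certificate, callback) => {
    event.preventDefault(); // never fall through to Chromium's default
    const accepted = isTrustedCertificate(url, certificate, pinnedFingerprint);
    if (!accepted) {
      log.warn(`certificate-error: rejected ${url} (${error})`);
    }
    callback(accepted);
  });
}

// In fether-electron/src/main/index.js this would be called as:
//   installCertificateErrorHandler(app, process.env.FETHER_DEV_CERT_FINGERPRINT);
```

With no pin configured the handler refuses every rejected certificate, so a production build that does not set the variable behaves exactly like the note's current handler.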
* Add Dev Tools as trusted url to packages/fether-electron/src/main/app/constants/index.js
```
'chrome-devtools://devtools/bundled/toolbox.html?remoteBase=https://chrome-devtools-frontend.appspot.com/serve_file/@b216d5f29ba53b9046287cc7de14f9f0759ad091/&can_dock=true&toolbarColor=rgba(223,223,223,1)&textColor=rgba(0,0,0,1)&experiments=true'
```
Otherwise this error appears in the terminal:
```
Unable to open new window with untrusted content url due to new-window listener: chrome-devtools://devtools/bundled/toolbox.html?remoteBase=https://chrome-devtools-frontend.appspot.com/serve_file/@b216d5f29ba53b9046287cc7de14f9f0759ad091/&can_dock=true&toolbarColor=rgba(223,223,223,1)&textColor=rgba(0,0,0,1)&experiments=true
```
* Go through fether-react/src/assets/tokens/kovan.json and change URLs to `https://`, or just download and bundle
* Security testing
  * Check that the work in `setPermissionRequestHandler` is sufficient for handling session permission requests from remote content, to satisfy:
    * **Custom Handler** to be created to handle session permission requests from remote content - https://electronjs.org/docs/tutorial/security#4-handle-session-permission-requests-from-remote-content. UPDATE: See `setPermissionRequestHandler`
* Investigate Chromium process sandboxing and potentially OS-level app sandboxing (for Windows, Mac, and Linux). Reference: https://slack.engineering/interops-labyrinth-sharing-code-between-web-electron-apps-f9474d62eccc
* Fix Electron Security and Deprecation Warnings that appear in the browser "Toggle Developer Tools > Console"
* Consider adding the following to fether-electron/src/main/app/methods/setupRequestListeners.js once we know whether we need it:
```
/**
 * Limit specific permissions (i.e. `openExternal`) in response to events from particular origins
 * to limit the exploitability of applications that load remote content.
 *
 * References:
 * https://electronjs.org/docs/api/session#sessetpermissionrequesthandlerhandler
 * https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf
 */
session.defaultSession.setPermissionRequestHandler(
  (webContents, permission, callback, details) => {
    pino.debug(
      `Processing request from ${webContents.getURL()} to open external link to url ${
        details.externalURL
      } in setPermissionRequestHandler`
    );
    let permissionGranted = false;
    // FIXME - does not work
    if (
      webContents.getURL() !== 'http://127.0.0.1:3000/' &&
      permission === 'openExternal'
    ) {
      if (!TRUSTED_URLS.includes(details.externalURL)) {
        pino.info(
          'Unable to open external link to untrusted content url due to setPermissionRequestHandler: ',
          details.externalURL
        );
      } else {
        permissionGranted = true;
      }
      return callback(permissionGranted);
    } else {
      permissionGranted = true;
      return callback(permissionGranted);
    }
  }
);
```
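An added example of a default-deny permission policy for `setPermissionRequestHandler`, not Fether's code: instead of comparing `webContents.getURL()` and `details.externalURL` as exact strings, it compares origins parsed with the WHATWG `URL` API, so a hash route, query string or trailing slash cannot change the outcome, and any permission the renderer does not explicitly need is refused. The development origin `http://127.0.0.1:3000` comes from the note; the other entries of `EXAMPLE_POLICY` (`https://docs.example`, `notifications`) are hypothetical placeholders.

```javascript
// Added example, not Fether's code: default-deny permission policy for
// session.setPermissionRequestHandler, comparing origins rather than
// exact URL strings.
//
// Assumptions (not from the note): EXAMPLE_POLICY's externalOrigins and
// appPermissions are hypothetical placeholders.

function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null; // missing or unparseable URL
  }
}

// Pure decision. `details` has the shape Electron passes for the
// 'openExternal' permission: { externalURL }.
function decidePermission(policy, requestingUrl, permission, details) {
  const requester = originOf(requestingUrl);
  // Content that is not the app's own renderer gets nothing at all.
  if (requester === null || !policy.appOrigins.has(requester)) return false;

  if (permission === 'openExternal') {
    const target = originOf(details && details.externalURL);
    // Only https links to allow-listed origins may leave the app.
    return target !== null && target.startsWith('https://') && policy.externalOrigins.has(target);
  }
  // Any other permission the renderer asks for must be listed explicitly.
  return policy.appPermissions.has(permission);
}

// `session` is passed in so the policy can be exercised with a stub outside Electron.
function installPermissionHandler(session, policy, log = console) {
  session.setPermissionRequestHandler((webContents, permission, callback, details) => {
    const url = webContents.getURL();
    const granted = decidePermission(policy, url, permission, details);
    if (!granted) {
      const target = details && details.externalURL ? ` -> ${details.externalURL}` : '';
      log.warn(`permission '${permission}' denied for ${url}${target}`);
    }
    callback(granted);
  });
}

const EXAMPLE_POLICY = {
  appOrigins: new Set(['http://127.0.0.1:3000']),     // dev renderer (from the note)
  externalOrigins: new Set(['https://docs.example']), // hypothetical placeholder
  appPermissions: new Set(['notifications'])          // hypothetical placeholder
};

// Usage in the main process with Electron's `session` module and the pino logger:
//   installPermissionHandler(session.defaultSession, EXAMPLE_POLICY, pino);
```

Because `originOf` returns `null` for a missing or malformed `externalURL`, a request with no `details` is denied rather than throwing inside the handler.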
SECURITY
=====
* Check whether we need to change the Parity Ethereum installation directory on Windows like we do in Parity UI Shell parity-js/shell/electron/installers/windows/installer.nsh
* Check (double check) in `fetchParity` in fether-electron/src/main/app/parityEthereum/index.js whether we need to do `fsChmod(parityPath(), '755')`, like we do in Parity UI Shell parity-js/shell/electron/operations/fetchParity.js
* Check (double check) whether the log file is `fsChmod(parityPath(), '755')` like in Parity UI Shell parity-js/shell/electron/operations/runParity.js
* Check whether we need to update electron-builder.json with any other config options like in Parity UI Shell parity-js/shell/electron/config.json
* Incorporate practice from Parity UI Shell parity-js/shell/electron/index.js, including: 'did-navigate', 'will-navigate', onBeforeRequest, setPath
* Should we use query string URL tokens (`?token=`) in addition to certificates, like parity-js/shell/src/util/token.js and parity-js/shell/src/inject.js?
* parity-js/shell/src/secureApi.js
* Parse to check if https in .json file token logo/icon image addresses parity-js/shell/src/util/dapps.js
* What was `FakeTransport` used for parity-js/shell/src/embed.js?
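An added example (not Fether's or Parity's code) of the check described for token-list files such as fether-react/src/assets/tokens/kovan.json: it reports every logo/icon address that is not an absolute `https:` URL, so each can be rewritten to `https://` or downloaded and bundled before release. The field names in `URL_FIELDS` and the `SAMPLE_TOKENS` entries are constructed assumptions; the real file's schema may differ.

```javascript
// Added example, not Fether's or Parity's code: find token logo/icon URLs
// that are not served over https.
//
// Assumptions (not from the note): the image address lives in one of the
// fields named in URL_FIELDS; SAMPLE_TOKENS is constructed, not kovan.json.

const URL_FIELDS = ['logo', 'image', 'icon'];

// Returns one finding per offending field: { index, field, value, reason }.
function findInsecureImageUrls(tokens) {
  const findings = [];
  tokens.forEach((token, index) => {
    for (const field of URL_FIELDS) {
      const value = token[field];
      if (typeof value !== 'string' || value === '') continue; // field absent
      let parsed;
      try {
        parsed = new URL(value);
      } catch (e) {
        findings.push({ index, field, value, reason: 'not an absolute URL' });
        continue;
      }
      if (parsed.protocol !== 'https:') {
        findings.push({ index, field, value, reason: `scheme ${parsed.protocol} is not https:` });
      }
    }
  });
  return findings;
}

// Human-readable report, one line per finding.
function formatReport(findings) {
  if (findings.length === 0) return 'all image URLs use https:';
  return findings
    .map(f => `token[${f.index}].${f.field} = ${f.value} (${f.reason})`)
    .join('\n');
}

// Constructed sample; not the contents of kovan.json.
const SAMPLE_TOKENS = [
  { address: '0x0000000000000000000000000000000000000001', name: 'Token A', symbol: 'TKA', decimals: 18, logo: 'https://cdn.example/tka.png' },
  { address: '0x0000000000000000000000000000000000000002', name: 'Token B', symbol: 'TKB', decimals: 18, logo: 'http://cdn.example/tkb.png' },
  { address: '0x0000000000000000000000000000000000000003', name: 'Token C', symbol: 'TKC', decimals: 8, image: 'data:image/png;base64,iVBORw0KGgo=' },
  { address: '0x0000000000000000000000000000000000000004', name: 'Token D', symbol: 'TKD', decimals: 8, logo: 'tkd.png' }
];

// To scan the real file instead of the sample:
//   const tokens = JSON.parse(require('fs').readFileSync('fether-react/src/assets/tokens/kovan.json', 'utf8'));
console.log(formatReport(findInsecureImageUrls(SAMPLE_TOKENS)));
```

Running it as a CI step that fails on a non-empty finding list keeps mixed-content image loads from reappearing after the list is next updated.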
ERRORS
=====
* Check if we should add operations/handleError.js using `.on('error', …)` like in Parity UI Shell parity-js/shell/electron/operations/handleError.js
* Check if we can use the Error module used in parity-js/shell/src/Application/application.js
NOTIFICATIONS
=====
* Check if we can reuse the notifications used in Parity Shell UI, such as the `FormattedMessage` component (`import { FormattedMessage } from 'react-intl';`, https://github.com/yahoo/react-intl/wiki/Components#formattedmessage)
STATUS
======
* Upgrade, Consensus (whether capable from a block no. or incapable since a block no.), Status, BlockNumber, NetPeers, NetChain from parity-js/shell/src/Status/status.js
UPGRADE
=====
* See STATUS Consensus
* Retry download if failed as per parity-js/shell/src/util/hashFetch/expoRetry.js
MISC
=====
* What does parity-js/shell/scripts/parity-ui.desktop do? Do we need something similar for Fether?
* Should we use or are we already using a Worker Pool in Fether like we did in Parity UI Shell parity-js/shell/src/api-local/ethkey/workerPool.js
* Show version being used in the UI as per Parity Shell UI `isVersionCorrect` in parity-js/shell/src/Connection/connection.js
* parity-js/shell/webpack/shared.js
* Add tests like in Parity Shell UI parity-js/shell/src/Connection/connection.spec.js to check the token is valid that is used with `setToken`, `validateToken`, etc, in Fether.
* Do we need to add `<meta http-equiv="X-UA-Compatible" content="IE=edge">` to index.html like in Parity Shell UI index.parity.ejs?
* Config and ENV variables - parity-js/shell/webpack/shared.js
* Do we need to change yarn cache period in parity-js/shell/.travis.yml?
* Can we use `transform-react-remove-prop-types` in production like we did for Parity Shell UI parity-js/shell/babel.config.js to reduce the size of the binary?
EXTENSION
=====
* Add browser extension similar to used in Parity Shell UI - parity-js/shell/src/Extension/extension.js. `import Store from '@parity/shared/lib/mobx/extensionStore';`. parity-js/shell/src/Signer/utils/extension.js
```
// 'https://chrome.google.com/webstore/detail/parity-ethereum-integrati/himekenlppkgeaoeddcliojfddemadig';
var EXTENSION_PAGE = 'https://chrome.google.com/webstore/detail/himekenlppkgeaoeddcliojfddemadig';
```
parity-js/shell/src/web3.extensions.js.
I18N
=====
* Add German, Dutch, and Chinese languages like in Parity UI Shell parity-js/shell/i18n
* Reuse the i18n linting script from Parity UI Shell for front-end and back-end of Fether's i18n: parity-js/shell/scripts/lint-i18n.js
* Use `import LS_PREFIX from './utils/lsPrefix';` as used in Fether, and used in Parity Shell UI parity-js/shell/src/api-local/accounts/accounts.js for the Internationalisation Local Storage key
BUG
=====
* Menu doesn't appear when right-click some parts of Fether window per @TBaut
TESTS
=====
* Try to add tests to Fether using sinon spies with light.js. See parity-js/shell/src/ParityBar/parityBar.test.js
* Or for syncing like parity-js/shell/src/SyncWarning/syncWarning.spec.js
* Local storage tests parity-js/shell/src/util/token.spec.js
* Mock RPC parity-js/shell/test/mockRpc.js
STYLES
======
* Check using Semantic UI like this or similar in Fether for different components `import List from 'semantic-ui-react/dist/commonjs/elements/List';`
PATH DIRECTORY
=====
* Use to store icons for WebpackBuilderPlugin parity-js/shell/src/util/host.js
FETCH
=====
* Depending on whether running in the Browser or Node, make `.fetch` available - parity-js/shell/src/library.parity.js
PIN
=====
* Pin accounts like we pinned Dapps - parity-js/shell/src/shellMiddleware.js
* Also see how telemetry does it