feat: add SES experiment toggle (iOS) #8373
- add NPM module
- update Yarn lockfile
- update CocoaPods lockfile
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes. |
Codecov Report
Attention:
Additional details and impacted files
@@ Coverage Diff @@
## main #8373 +/- ##
==========================================
+ Coverage 40.60% 40.62% +0.01%
==========================================
Files 1239 1239
Lines 29978 29989 +11
Branches 2868 2870 +2
==========================================
+ Hits 12174 12182 +8
- Misses 17107 17109 +2
- Partials 697 698 +1
☔ View full report in Codecov by Sentry.
@gauthierpetetin @Cal-L Can you take a look at this contribution to make sure it aligns with our platform from a product perspective? @leotm Is there a more descriptive Header and content we can add so users can understand? Maybe something like Lockdown - This feature prevents dynamic modification of JavaScript running in the application.
Hi @sethkfman, sorry I only see this now. I think end users won't understand the feature in its current form. I'll set up a meeting with @yanrong-chen @coreyjanssen @leotm and @hesterbruikman to discuss how we could present it.
017066e to 75d8c02
- refactor to callbacks
- refactor booleans to strings
- refactor conditions
- DefaultPreference working in settings menu only

Blocker: DefaultPreference.get value remains undefined called at Initializecore
This reverts commit ea5674c.
@sethkfman i refactored to replace mmkv with default-preference ea5674c |
E2E test started on Bitrise: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/7161d54a-73e6-4e27-aa77-f1e084500449 ios_e2e_build ✅
test locally and re-run
E2E test started on Bitrise: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/6cae41a9-ae95-49d0-8e58-8fec25000b9a ios_e2e_build ✅ run_smoke_e2e_ios_android_stage ❌
https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/2c926904-9ef9-4e82-b7cd-5f3652ce10b6 ios_e2e_build ✅ run_smoke_e2e_ios_android_stage ✅ |
@leotm SES must be on by default. the toggle is a safety valve. @sethkfman SES is on by default in the RC. You wanted the toggle. There's not a lot of review activity here and RC is cut. Is this not going in then? |
@naugtur IMO we should not release SES without a toggle to disable. My understanding is that conventional dapp use will not break, but we can't possibly test for all dapp use cases and so users need to be able to turn this feature off. Is there a reason this PR is in draft? If SES is already in 7.16.0 RC I imagine we want to add merge and add this PR asap.
agreed would be ideal, been pushing to get this merged last week prior our Thurs RC cut (extended to Fri) i converted this PR to draft only now, to make the change of SES enabled by default (instead of disabled)
last Fri we agreed the Learn more link to be this above (see screenshot), who else should i speak to (on docs team) to clarify this is ok? RE translations i checked with @tommasini last week, i've understood we usually do translations in a separate PR |
E2E test started on Bitrise: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/626c71dd-b9ce-44b0-b622-4a1d214e733e |
Thanks @leotm ! And apologies, hadn't noticed the link for Learn more. Can you please explain the trade-off in enabling this feature? I'd like to understand if we can treat the toggle as a temporary Experimental fallback, in case of unforeseen issues. Or if long-term there might always be end-user use cases to disable the feature under Advanced. In case of the latter we can reach out to the documentation team to create Knowledge Base content. |
np! if by feature we mean this toggle for SES, the trade-off: our users might disable SES (reduce security), in the hopes of fixing an edge case of functionality (not yet covered by our tests) or if by feature we mean SES, the trade-off: better security, at the compromise of possibly encountering an edge case of functionality not working as expected (i.e. discovery of a library we're using that calls non-standard JS)
exactly the toggle is a temp Experimental fallback, long-term we want SES enabled indefinitely (like in mm-extension) for better security (permanently prevent prototype pollution - now that's a tongue twister), then ofc run LavaMoat (which runs on SES) |
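As an added illustration of the trade-off described in the comment above (not code from this PR or from SES): the sketch below models a persisted, default-on toggle that is read once at start-up, and probes a fresh realm for prototype pollution. `Object.freeze` inside a Node `vm` context is a stand-in for SES `lockdown()`; `PREF_KEY`, `readToggle`, `bootAndProbe` and `merge` are hypothetical names, and the JSON input is constructed.

```javascript
const vm = require('vm');

// Runs in a fresh realm so hardening never touches the host's own intrinsics.
const REALM_SCRIPT = `'use strict';
if (sesEnabled) Object.freeze(Object.prototype); // stand-in for SES lockdown()

// Constructed naive recursive merge: the classic prototype-pollution sink.
function merge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      merge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const result = { polluted: false, mergeThrew: false, overrideThrew: false };
try { merge({}, JSON.parse(untrustedJson)); }
catch (e) { result.mergeThrew = e instanceof TypeError; }
result.polluted = ({}).isAdmin === true;

// Compatibility cost: legacy code that shadows an inherited method by assignment.
try { const o = {}; o.toString = () => 'custom'; }
catch (e) { result.overrideThrew = e instanceof TypeError; }
result;`;

// Hypothetical preference key; values are strings, and the default is "on".
const PREF_KEY = 'sesEnabled';
function readToggle(prefs) {
  return prefs.get(PREF_KEY) !== 'false';
}

// Simulates one app start: the persisted choice is read once, before other code runs.
function bootAndProbe(prefs) {
  const untrustedJson = '{"__proto__": {"isAdmin": true}}'; // constructed input
  const r = vm.runInNewContext(REALM_SCRIPT, { sesEnabled: readToggle(prefs), untrustedJson });
  return { polluted: r.polluted, mergeThrew: r.mergeThrew, overrideThrew: r.overrideThrew };
}

console.log('default (on):', bootAndProbe(new Map()));
console.log('toggled off :', bootAndProbe(new Map([[PREF_KEY, 'false']])));
```

With the toggle on, the merge throws instead of polluting, and the same freeze also breaks the assignment-override pattern; SES's `lockdown` has an `overrideTaming` option for that case, which plain `Object.freeze` lacks.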
LGTM
## **Description**

Update SES lockdown options to improve error stacks

Set error taming to unsafe
- make error stacks also available by the error instance stack
- preserve error stack filtered content
- like we [do](https://github.com/MetaMask/metamask-extension/blob/develop/app/scripts/lockdown-run.js#L6) in metamask-extension

Set stack filtering to verbose
- show full raw error info for each deep stack level
- preserve _noise_ that the (default) `concise` option was removing

Follow-up to
- #8033

Ref: https://github.com/endojs/endo/blob/master/packages/ses/docs/reference.md#options-quick-reference

Nb: we're looking into a lockdown/repairIntrinsics option to disable touching errors entirely (for cases like ours involving React Native surfacing JS/Android/iOS errors, then later newer engine Hermes)

## **Related issues**

- note: #8352

## **Manual testing steps**

Local testing in debug-mode:
- Update [InitializeCore](https://github.com/MetaMask/metamask-mobile/blob/main/patches/react-native%2B0.71.15.patch#L13) to enable SES in debug/dev mode
- Trigger an error somewhere in the app
  - `new Error('test')`
  - `Sentry.captureException(new Error('test'))`
- Check simulator
  - ensure original error preserved in call stack
  - ensure tapping error redirects to source code
- Check Sentry event
  - ensure original error preserved in call stack

But note above we're looking into a better lockdown option for React Native debug-mode, since we disabled SES in debug-mode [earlier](#7924) from React Devtools interfering

Production testing: After we merge #8373, we'll be able to ft toggle lockdown via our in-app settings menu, which will persist the choice and apply after the app has been rebooted

## **Screenshots/Recordings**

### **Before**

### **After**

## **Pre-merge author checklist**

- [x] I’ve followed [MetaMask Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've clearly explained what problem this PR is solving and how it is solved.
- [x] I've linked related issues
- [x] I've included manual testing steps
- [x] I've included screenshots/recordings if applicable
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable
- [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors.
- [x] I’ve properly set the pull request status:
  - [x] In case it's not yet "ready for review", I've set it to "draft".
  - [x] In case it's "ready for review", I've changed it from "draft" to "non-draft".

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.
E2E test started on Bitrise: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/977b8808-bfd5-4a59-ab1c-fc31e0bc5c57 |
Just to conclude on this: I don't think we need further |
Quality Gate passed
The SonarCloud Quality Gate passed, but some issues were introduced. 1 New issue
Description
A feature toggle for SES, within our settings menu under experiments, enabled by default
TODO
- react-native-mmkv
- replace react-native-mmkv with react-native-default-preference
- consider content revision to include Hardened JS and SES (Secure EcmaScript) terms
Related issues
Fixes: partially mitigates rollout risk
Follow-up to
Manual testing steps
iOS
Android
Screenshots/Recordings
Previous MVP video (old UI) demo showing the behaviour, a simple settings menu ft toggle that persists, enabling/disabling lockdown upon app reboot, on iOS only
Android remains unchanged (Blockaid disabled, Blockaid enabled)
Before
Blockaid ft disabled
Blockaid ft enabled
After
Blockaid ft disabled
Blockaid ft enabled
Navigating to Learn more
Pre-merge author checklist
Pre-merge reviewer checklist