hathor-wallet-mobile

feat: lavamoat integration

Open andreabadesso opened this issue 1 year ago • 3 comments

Motivation

We want to defend against supply chain attacks, as those kinds of attacks have already hit the cryptocurrency ecosystem and present a significant risk for our developers and for users of our wallets and apps.

This PR is part of a series of PRs that use a set of tools called LavaMoat to improve security on our JavaScript projects with a set of good defaults, preventing us from having to rewrite them from scratch.

Important: SES is not yet fully compatible with react-native; there is a compatibility tracker issue here.

What is not yet supported (that affects us)?

  • [ ] Lockdown for react-native dependencies
  • [ ] Building the app using lavamoat-node
  • [ ] Hermes
  • [ ] Policy generation
  • [ ] allow-list for react-native dependencies

Also, to avoid having multiple patches in react-native, we had to inject SES in a patch to react-native's initializeCore method, so it gets loaded before anything else in our bundle.

Acceptance Criteria

  • We should be able to defend against prototype pollution and poisoning attacks coming from the installed libs and their dependencies by using SES
  • We should have control over which dependencies are able to run postinstall scripts, blocking all the rest by using LavaMoat allow-scripts
  • We should use hathor-unleash-client, a watered-down version of the official unleash JavaScript client with only the features we use, instead of the official client
  • We should inject SES as soon as possible, so we should patch react-native to inject it before react-native initialization

Security Checklist

  • [X] Make sure you do not include new dependencies in the project unless strictly necessary and do not include dev-dependencies as production ones. More dependencies increase the possibility of one of them being hijacked and affecting us.

andreabadesso, Jan 22 '24 17:01
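The issue's first acceptance criterion (defending against prototype pollution from installed libs by using SES) is easier to reason about with a concrete run. The block below is an added example, not code from hathor-wallet-mobile, LavaMoat or SES: it reproduces in miniature what SES lockdown() does, freezing the shared intrinsics before any dependency runs, and shows a pollution attempt through a vulnerable deep-merge succeeding before the freeze and failing after it. The names naiveMerge, MALICIOUS_INPUT, deepFreeze, lockdownIntrinsics and the constructed JSON input are assumptions for the demonstration; real lockdown() hardens the full intrinsics set and tames Date, Math.random and error stacks as well, which this example does not do.

```javascript
// Added example; not code from hathor-wallet-mobile, LavaMoat or SES. It shows in
// miniature what SES lockdown() buys the wallet: once the shared intrinsics are
// deep-frozen, a prototype-pollution bug in any dependency loaded afterwards can
// no longer change the behaviour of every object in the app. Real lockdown()
// hardens the full intrinsics set and tames Date, Math.random and error stacks
// as well; this freeze covers only the three prototype chains that the usual
// "__proto__" and "constructor.prototype" pollution paths run through.

// Deliberately vulnerable deep-merge (hypothetical), standing in for a third-party
// dependency that copies untrusted keys (including "__proto__") into a target.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      naiveMerge(target[key], value); // key === "__proto__" recurses into Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input, e.g. a JSON document the dependency
// parses. JSON.parse creates "__proto__" as an own property, so Object.keys
// returns it and the merge walks into Object.prototype.
const MALICIOUS_INPUT = '{"name": "wallet", "__proto__": {"isAdmin": true}}';

// Runs the merge on a fresh object and reports whether Object.prototype was
// polluted, observed on a brand-new {}. With frozen intrinsics the write throws
// a TypeError in strict code and is silently dropped in sloppy code; both mean
// the attack failed. The property is removed afterwards so runs are independent
// (a no-op once the prototype is frozen, since the write never landed).
function pollutionAttackSucceeds() {
  try {
    naiveMerge({}, JSON.parse(MALICIOUS_INPUT));
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
  }
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// Transitive freeze of everything reachable from a root through own
// properties, accessor functions and prototype links; the same idea as SES's
// harden(). Object.freeze alone is shallow and would leave e.g.
// Object.prototype.toString or Object.keys replaceable.
function deepFreeze(root) {
  const seen = new Set();
  const queue = [root];
  while (queue.length > 0) {
    const obj = queue.pop();
    if (obj === null || (typeof obj !== "object" && typeof obj !== "function") || seen.has(obj)) {
      continue;
    }
    seen.add(obj);
    Object.freeze(obj);
    for (const key of Reflect.ownKeys(obj)) {
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if ("value" in desc) queue.push(desc.value);
      if (desc.get) queue.push(desc.get);
      if (desc.set) queue.push(desc.set);
    }
    queue.push(Object.getPrototypeOf(obj));
  }
  return seen.size;
}

// Freezes the three intrinsic prototype chains. Anything loaded after this call
// sees them read-only, which is why the issue patches react-native to run
// lockdown before initializeCore rather than somewhere in app code.
function lockdownIntrinsics() {
  for (const root of [Object.prototype, Array.prototype, Function.prototype]) {
    deepFreeze(root);
  }
  return [Object.prototype, Array.prototype, Function.prototype].every(Object.isFrozen);
}

const POLLUTED_BEFORE_LOCKDOWN = pollutionAttackSucceeds(); // true
const LOCKED_DOWN = lockdownIntrinsics();                   // true
const POLLUTED_AFTER_LOCKDOWN = pollutionAttackSucceeds();  // false
console.log({ POLLUTED_BEFORE_LOCKDOWN, LOCKED_DOWN, POLLUTED_AFTER_LOCKDOWN });
```

The ordering is the whole point: the freeze only protects code loaded after it, so in the wallet it has to run before react-native's initializeCore and before any dependency gets a chance to touch the intrinsics, which is exactly why the issue patches react-native instead of calling lockdown from app code.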

Hi. I think we could chat about what we're working on in LavaMoat. Get in touch if you think so too :)

naugtur, Feb 06 '24 09:02

Hey @naugtur, thanks for reaching out!

I've just sent you a DM on Twitter; please tell me if this is the best way to contact you.

andreabadesso, Feb 06 '24 14:02

Update on our progress:

  • We're making changes to SES lockdown that will let it work under Hermes. (Currently only async support is problematic.)
  • If you want runtime protections and can switch away from Hermes, any other engine can work. The current release of the webpack plugin is working for web targets. If you use the webpack-based build tool from Callstack, you could try out the LavaMoat plugin for webpack. We're planning to test it ourselves after the work on SES above.

BTW, consider just switching to socketsupply.co

naugtur, Apr 12 '24 21:04