Additionally harden common endowments #1018

Closed
david0xd opened this issue Nov 25, 2022 · 1 comment · Fixed by #1058
Labels: type-security (Related to enforcing our security model.)


david0xd commented Nov 25, 2022

Previously common (now custom) endowments should be hardened in a more proper way after the first iteration that is followed in this ticket: #1015 (PR: #1058)

This ticket is part of an epic: #585

Constructor functions are the target for the hardening in this ticket and are presented in the table below:

| Endowment | Type |
| --- | --- |
| BigInt | constructor |
| Date | constructor |
| SubtleCrypto | constructor |
| TextDecoder | constructor |
| TextEncoder | constructor |
| URL | constructor |
| Int8Array | constructor |
| Uint8Array | constructor |
| Uint8ClampedArray | constructor |
| Int16Array | constructor |
| Uint16Array | constructor |
| Int32Array | constructor |
| Uint32Array | constructor |
| Float32Array | constructor |
| Float64Array | constructor |
| BigInt64Array | constructor |
| BigUint64Array | constructor |
| DataView | constructor |
| ArrayBuffer | constructor |
| AbortController | constructor |
| AbortSignal | constructor |

Additional hardening methods that should be considered in this work are a proxy or a specific wrapper that will be the outer shell of an instance of a specific class.

@david0xd added the type-security label Nov 25, 2022
@MetaMask deleted a comment Nov 30, 2022
@MetaMask deleted a comment Nov 30, 2022

Montoya commented Dec 21, 2022

Consider using proxies instead of hardening each individual endowment with custom wrappers, and only harden the return if it returns something other than itself.
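
One way the proxy approach discussed in the comments above could look, as an added example that is not part of the issue or of MetaMask's code: the constructor and every instance sit behind a Proxy, and a return value gets a new shell only when it is something other than the instance itself. `shellFor` and `hardenEndowment` are hypothetical names, and wrapping returned objects in the same shell is an assumption standing in for a `harden` call.

```javascript
// Added example, not MetaMask's code. `shellFor` and `hardenEndowment` are
// hypothetical names. Returned objects are wrapped in the same shell here,
// an assumption standing in for a `harden` call.
const deny = () => false;
const isObj = (v) => (typeof v === 'object' && v !== null) || typeof v === 'function';

function shellFor(instance, hardenedCtor) {
  // Only a value other than the instance itself gets a new shell.
  const wrap = (v) => (v === instance ? shell : isObj(v) ? shellFor(v) : v);
  const shell = new Proxy(instance, {
    get(target, prop) {
      if (prop === '__proto__') return null; // shared prototype stays hidden
      if (prop === 'constructor') return hardenedCtor; // undefined on nested shells
      // Real instance as receiver, so brand-checked getters and methods work.
      const value = Reflect.get(target, prop, target);
      if (typeof value !== 'function') return wrap(value);
      // Callback arguments (e.g. forEach's third) are not wrapped here.
      return (...args) => wrap(Reflect.apply(value, target, args));
    },
    // Writes land on the instance or its setters, never on a prototype object.
    set: (target, prop, value) =>
      prop !== '__proto__' && Reflect.set(target, prop, value, target),
    getPrototypeOf: () => null,
    setPrototypeOf: deny,
    defineProperty: deny,
    preventExtensions: deny,
  });
  return shell;
}

function hardenEndowment(Ctor) {
  // The target is a dummy class, so `prototype` is its own empty prototype.
  const hardened = new Proxy(class {}, {
    construct: (_t, args) => shellFor(Reflect.construct(Ctor, args), hardened),
    apply: (_t, _thisArg, args) => Reflect.apply(Ctor, undefined, args),
    get(dummy, prop) {
      if (prop === 'prototype') return dummy.prototype;
      if (prop === '__proto__') return null;
      const out = (r) => (isObj(r) ? shellFor(r, hardened) : r);
      const value = Reflect.get(Ctor, prop, Ctor);
      // Static methods run against the real constructor; results are shelled.
      return typeof value === 'function'
        ? (...args) => out(Reflect.apply(value, Ctor, args))
        : out(value);
    },
    set: deny,
    defineProperty: deny,
  });
  return hardened;
}
```

The shell covers property reads, method calls and prototype lookups; own-property descriptors and callback arguments still reach the underlying object and would need their own traps.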
