
Harden endowments #1058

Merged
merged 5 commits into from
Jan 26, 2023

Conversation

david0xd
Copy link
Contributor

@david0xd david0xd commented Dec 8, 2022

Fixes: #1018

This PR will ensure that each endowment is passed to the SES harden function before being exported.

Note: This is not the final hardening work. This is one step closer to completing the epic. Half of the work is preparation after researching and identifying the nature of each endowment. Next steps might be continued and followed in the tickets: #1018 and #1017 (if needed).

Attenuated endowments

Each (existing) attenuated endowment located under the /src/common/endowments folder inside the snaps-execution-environments repository is modified to handle exported functions or objects through harden(). All endowments of this type are tested for their security properties, together with the other endowments, in hardenedEndowments.ava.test.ts.

Common (default javascript) endowments

All endowments* exported as DEFAULT_ENDOWMENTS from snaps-utils are now made custom, and all of them are passed to the harden function before the final export.
All endowments are consolidated within the buildCommonEndowments function, which will provide factories for all of them, after harden is applied to each.

Special endowments

There are two endowments considered special: ethereum and snap.
It was discovered that hardening of the ethereum endowment, also known as the EIP-1193 Provider, cannot be done in the same place or within the snaps-execution-environments package as it is now, because the snaps-controllers package is trying to update it in the process, which causes major failures. Further research is required on this, hence it is proposed that this work continue in the next task allocated in the same epic. Also, these endowments are very specific and encapsulated, hence additional testing approaches might be required.

Testing

Each endowment's security is tested in hardenedEndowments.ava.test.ts. Only the AVA test runner runs the security-related files, testing everything exposed to the functions from SES (harden).

There are four major scenarios applied for testing depending on the type of the endowment:

  1. Adding new properties to the endowment should be impossible and result in an error.
  2. Changing the prototype of the endowment should be impossible and result in an error.
  3. Changing the __proto__ of the endowment should be impossible and result in an error.
  4. Search for a leak of the global this through object endowments or instances of the constructor functions.

There are three major endowment types identified during the research and testing. These are represented in the table below with test scenarios applied for each.

| Endowment type | Add new property (1) | Change prototype (2) | Change __proto__ (3) | Search for global this (4) |
|---|---|---|---|---|
| function | Yes | Yes | Yes | No |
| constructor function (class) | Yes | Yes | Yes | Yes (instances) |
| object | Yes | No | Yes | Yes |

Configuration changes

  • .c8rc.json - Removed the text report for coverage when running AVA tests (the coverage report from AVA will not be reported in the console independently anymore, as it is redundant; the merged coverage will be displayed at the end of the process).
  • nyc.config.js - New configuration file added. This enables the coverage threshold check after the coverage merge process is completed, so it will also fail and exit with code 1 when the coverage thresholds are not satisfied. It is required because Jest cannot be responsible for the coverage threshold checks, as it only checks its own coverage during its run.
  • ava.config.js - Removed the concurrency settings, since the best option is for AVA to handle this automatically; by default it will distribute tests according to the availability of CPU cores. A timeout configuration is added and set to 30 seconds. This is required because AVA needs more time to start running; if the timeout is set too low or left at the default, it can cause a timeout failure during the test run on the CI pipeline. This does not mean that it will use the whole 30 seconds, just as much as is needed (part of it). AVA tests run fine once the run has started. The only issue was the moment when it loads the tests, which can take a little bit longer and fail before it has started.
  • jest.config.js - The coverage threshold is removed so Jest will not check it anymore (only the merged coverage can be checked at runtime). The coverage provider is returned to v8, since AVA uses the same one and, for the merge process to work, the same coverage reporter is needed.
  • jest.environments.js - Because Jest has problems running SES, the harden function is mocked in the global environment with a function that just returns whatever is passed to it. This is the only way found so far for it to work with harden involved.
  • package.json - jest-it-up is removed from usage, because if the Jest configuration file is updated with the thresholds, Jest will then take responsibility for the threshold checks and fail on its own run (it will not use the merged coverage). The merge:coverage command is updated so the merged coverage report is displayed in the console after the testing process completes. Afterwards, a newly added script, update-coverage-thresholds.js, will update the coverage thresholds if required.

List of endowments and their types

| Endowment | Type |
|---|---|
| atob | function |
| btoa | function |
| BigInt | constructor |
| console | object |
| crypto | object |
| Date | constructor |
| Math | object |
| setTimeout | function |
| clearTimeout | function |
| SubtleCrypto | constructor |
| TextDecoder | constructor |
| TextEncoder | constructor |
| URL | constructor |
| WebAssembly | object |
| setInterval | function |
| clearInterval | function |
| Int8Array | constructor |
| Uint8Array | constructor |
| Uint8ClampedArray | constructor |
| Int16Array | constructor |
| Uint16Array | constructor |
| Int32Array | constructor |
| Uint32Array | constructor |
| Float32Array | constructor |
| Float64Array | constructor |
| BigInt64Array | constructor |
| BigUint64Array | constructor |
| DataView | constructor |
| ArrayBuffer | constructor |
| AbortController | constructor |
| AbortSignal | constructor |
| fetch | function |
| WebSocket | constructor |
| ethereum | object |
| snap | object |

Notes about types of endowments:

  • function - All hardened in a simple way by applying the harden function to them. Special cases such as setTimeout, setInterval, fetch ... are already handled in a wrapped way and are now additionally hardened with harden.
  • constructor - All of these are hardened and tested.
  • object - All of them are hardened and tested except the ethereum and snap endowments, which are still in the research process.

Additional notes:
Because of complexity and additional requirements, the ethereum and snap endowments should be hardened and tested in another PR.
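The build-then-harden factory pattern and the four test scenarios described above, as an added illustration that is not code from this PR or from the snaps repositories. `deepFreeze` is a simplified stand-in for SES `harden` (it assumes `lockdown()` has already frozen the shared intrinsics), and `leaksGlobalThis`, `mutationChecks` and the sample endowments are constructed for this example.

```javascript
// Added example, not code from the snaps PR. deepFreeze is a simplified stand-in
// for SES harden: it freezes an object, its prototype chain and everything reachable
// through own properties, stopping at the intrinsics lockdown() has already frozen.
const STOP = new Set([Object.prototype, Function.prototype]);
const isObj = (v) => (typeof v === 'object' || typeof v === 'function') && v !== null;

function deepFreeze(root) {
  const seen = new Set();
  for (const stack = [root]; stack.length; ) {
    const v = stack.pop();
    if (!isObj(v) || seen.has(v) || STOP.has(v)) continue;
    seen.add(v);
    Object.freeze(v);
    stack.push(Object.getPrototypeOf(v)); // freeze the prototype chain too
    for (const key of Reflect.ownKeys(v)) {
      // descriptor fields: value/get/set are walked, the booleans are skipped by isObj
      stack.push(...Object.values(Object.getOwnPropertyDescriptor(v, key)));
    }
  }
  return root;
}

// Scenario 4: walk the own data properties of an endowment (or of an instance) for globalThis.
function leaksGlobalThis(root) {
  const seen = new Set();
  for (const stack = [root]; stack.length; ) {
    const v = stack.pop();
    if (v === globalThis) return true;
    if (!isObj(v) || seen.has(v)) continue;
    seen.add(v);
    for (const key of Reflect.ownKeys(v)) stack.push(Object.getOwnPropertyDescriptor(v, key).value);
  }
  return false;
}

// Scenarios 1-3: each mutation must throw a TypeError on a hardened endowment.
function mutationChecks(endowment) {
  'use strict'; // writes to a frozen object throw only in strict mode
  const throws = (fn) => { try { fn(); return false; } catch (e) { return e instanceof TypeError; } };
  return {
    addProperty: throws(() => { endowment.injected = 1; }),
    setPrototype: throws(() => Object.setPrototypeOf(endowment, {})),
    setProto: throws(() => { endowment.__proto__ = {}; }),
  };
}

// Constructed sample endowments, built and then hardened as the PR's factories do.
const createObjectEndowment = () => deepFreeze({ abs: (x) => (x < 0 ? -x : x), PI: 3.14159 });
const createClassEndowment = () => deepFreeze(class Counter { constructor() { this.n = 0; } inc() { return ++this.n; } });
const LEAKY_SAMPLE = { unsafe: { ref: globalThis } }; // constructed: what scenario 4 must catch
```

Instances of a hardened constructor are not frozen themselves (harden has the same semantics), which is why the PR walks instances for a global this leak rather than checking that they are frozen.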

@david0xd david0xd self-assigned this Dec 8, 2022
@codecov-commenter
Copy link

codecov-commenter commented Dec 13, 2022

Codecov Report

Merging #1058 (ddf5fc7) into main (ef671b0) will decrease coverage by 1.23%.
The diff coverage is 100.00%.


@@            Coverage Diff             @@
##             main    #1058      +/-   ##
==========================================
- Coverage   95.26%   94.04%   -1.23%     
==========================================
  Files         134      137       +3     
  Lines        4289     5644    +1355     
  Branches      729      836     +107     
==========================================
+ Hits         4086     5308    +1222     
- Misses        203      336     +133     
Impacted Files Coverage Δ
packages/snaps-utils/src/post-process.ts 100.00% <ø> (ø)
...ts/src/common/endowments/commonEndowmentFactory.ts 100.00% <100.00%> (ø)
...ution-environments/src/common/endowments/crypto.ts 100.00% <100.00%> (ø)
...ecution-environments/src/common/endowments/date.ts 100.00% <100.00%> (ø)
...ion-environments/src/common/endowments/interval.ts 100.00% <100.00%> (ø)
...ecution-environments/src/common/endowments/math.ts 100.00% <100.00%> (ø)
...tion-environments/src/common/endowments/network.ts 96.42% <100.00%> (-0.91%) ⬇️
...-environments/src/common/endowments/textDecoder.ts 100.00% <100.00%> (ø)
...-environments/src/common/endowments/textEncoder.ts 100.00% <100.00%> (ø)
...tion-environments/src/common/endowments/timeout.ts 100.00% <100.00%> (+8.62%) ⬆️
... and 20 more


@david0xd david0xd force-pushed the dd/harden-endowments branch 6 times, most recently from 5906e3d to 9896bd8 December 16, 2022 20:50
@david0xd david0xd force-pushed the dd/harden-endowments branch from 9896bd8 to 3c1ed7a December 20, 2022 12:08
@david0xd david0xd marked this pull request as ready for review December 20, 2022 16:27
@david0xd david0xd requested a review from a team as a code owner December 20, 2022 16:27
@david0xd david0xd marked this pull request as draft December 23, 2022 12:08
@david0xd david0xd force-pushed the dd/harden-endowments branch 2 times, most recently from 7cbccb0 to da48985 January 4, 2023 11:53
@david0xd david0xd marked this pull request as ready for review January 5, 2023 10:13
@david0xd david0xd force-pushed the dd/harden-endowments branch from ca8bef4 to 91df7c1 January 5, 2023 15:31
@david0xd david0xd force-pushed the dd/harden-endowments branch 3 times, most recently from 7b80595 to 170940e January 16, 2023 11:13
@naugtur
Copy link

naugtur commented Jan 20, 2023

when you rebase main you'll need to harden the new Date endowment too.

@david0xd david0xd force-pushed the dd/harden-endowments branch 2 times, most recently from a24dd82 to c9a2ddb January 23, 2023 13:19
@david0xd david0xd force-pushed the dd/harden-endowments branch 4 times, most recently from 4841c50 to 7807ebe January 26, 2023 11:09
Update AVA config

Add harden for default endowments and test

Add some refactoring and fix coverage issues

Add endowment registry

Add hardening for special endowment cases (snap & ethereum)

Refactor nyc config

Revert hardening of the ethereum endowment

Update ava test runner config

Revert default-endowments.ts

Additionally harden args and returned values

Add script for updating coverage thresholds

Refactor tests related to hardening of the endowments (optimization)

Update coverage thresholds after refactoring

Add tests for endowment modules

Add object walker utility

Integrate object-walker into the AVA security tests and do some refactoring

Revert hardening of a snap endowment in index.ts (for now)

Manually resolve coverage threshold confusion after deleting line of code

Refactor endowment module tests

Improve prototype security checks

snapshot test proposal

Refactor hardening of the interval and timeout endowments

Remove specific test for interval and timeout

Fix lint and threshold issues after test refactoring and rebasing

Add refactoring for common endowment factories

Refactor endowments to resolve issue with Text decoder/encoder

Add Date to hardened endowments

Add console to hardened endowments

Revert adding console to the hardening list

Fix conflicted config things after rebase

Add wrapper for the AbortController

Resolve issues after rebase

Add custom AbortSignal endowment

Revert changes added for AbortController and AbortSignal

Fix after rebase

Add hardening for new custom Date endowment

Add lavamoat object walker integration

Add refactoring changes

Add another batch of refactoring changes

Refactor walker callback function

Add fix
@david0xd david0xd force-pushed the dd/harden-endowments branch from 935cb3c to ddf5fc7 January 26, 2023 13:16

Successfully merging this pull request may close these issues.

Additionally harden common endowments
6 participants