Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use safevalues to fix trusted types issues reported by tsec #8301

Merged
merged 10 commits into from
Jul 16, 2024

Conversation

dlarocque
Copy link
Contributor

@dlarocque dlarocque commented Jun 5, 2024

We recently added tsec in #8285, to report errors where code is vulnerable to XSS. In this PR, we begin resolving some of the reported errors by introducing safevalues and apply it to fix a few of the simpler cases, where URLs must be wrapped in a trustedResourceUrl. For cases that are more complex to solve, I have added FIXME's noting that they must be fixed using the safevalues library.

Testing: I have added assertions to our existing tests to ensure that the scripts' URLs are correctly assigned. For an additional sanity check, I've also created a React app using Firebase with safevalues, and verified that the trustedResourceUrl's in App Check are actually attaching the script to the DOM with the correct URL using the Browser DevTools and just stepping through the code and observing state.

Copy link

changeset-bot bot commented Jun 5, 2024

🦋 Changeset detected

Latest commit: c2bc27a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
@firebase/analytics Patch
@firebase/app-check Patch
@firebase/analytics-compat Patch
firebase Patch
@firebase/app-check-compat Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Copy link
Contributor

github-actions bot commented Jun 5, 2024

Changeset File Check ⚠️

  • Warning: This PR modifies files in the following packages but they have not been included in the changeset file:%0A - @firebase/auth%0A - @firebase/database-compat%0A - @firebase/database%0A - @firebase/messaging%0A%0A Make sure this was intentional.

@dlarocque dlarocque requested review from a team as code owners June 5, 2024 21:40
@dlarocque dlarocque force-pushed the dlarocque/safevalues branch from 24d784d to 5606d24 Compare June 5, 2024 21:42
@google-oss-bot
Copy link
Contributor

google-oss-bot commented Jun 5, 2024

Size Report 1

Affected Products

  • @firebase/analytics

    TypeBase (84fe880)Merge (50d088c)Diff
    browser21.8 kB21.3 kB-531 B (-2.4%)
    esm527.0 kB26.6 kB-386 B (-1.4%)
    main28.4 kB28.1 kB-351 B (-1.2%)
    module21.8 kB21.3 kB-531 B (-2.4%)
  • @firebase/app-check

    TypeBase (84fe880)Merge (50d088c)Diff
    browser26.3 kB26.4 kB+64 B (+0.2%)
    esm531.6 kB31.9 kB+348 B (+1.1%)
    main32.8 kB33.2 kB+404 B (+1.2%)
    module26.3 kB26.4 kB+64 B (+0.2%)
  • bundle

    TypeBase (84fe880)Merge (50d088c)Diff
    analytics (logEvent)44.5 kB48.3 kB+3.82 kB (+8.6%)
    app-check (ReCaptchaEnterpriseProvider)39.9 kB44.0 kB+4.09 kB (+10.3%)
    app-check (ReCaptchaV3Provider)39.8 kB43.9 kB+4.09 kB (+10.3%)
  • firebase

    TypeBase (84fe880)Merge (50d088c)Diff
    firebase-analytics-compat.js26.5 kB29.9 kB+3.41 kB (+12.9%)
    firebase-analytics.js29.7 kB33.7 kB+4.01 kB (+13.5%)
    firebase-app-check-compat.js23.4 kB27.0 kB+3.67 kB (+15.7%)
    firebase-app-check.js25.0 kB29.4 kB+4.40 kB (+17.6%)
    firebase-compat.js786 kB789 kB+3.38 kB (+0.4%)

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/TnhAI6i4vM.html

@google-oss-bot
Copy link
Contributor

google-oss-bot commented Jun 5, 2024

Size Analysis Report 1

Affected Products

  • @firebase/analytics

    • getAnalytics

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.6 kB10.4 kB-190 B (-1.8%)
      size-with-ext-deps44.4 kB48.2 kB+3.82 kB (+8.6%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getAnalytics
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      initializeAnalytics
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getAnalytics
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      initializeAnalytics
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • getGoogleAnalyticsClientId

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.5 kB10.3 kB-190 B (-1.8%)
      size-with-ext-deps37.2 kB41.0 kB+3.82 kB (+10.3%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getGoogleAnalyticsClientId
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      internalGetGoogleAnalyticsClientId
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getGoogleAnalyticsClientId
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      internalGetGoogleAnalyticsClientId
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • initializeAnalytics

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.5 kB10.3 kB-190 B (-1.8%)
      size-with-ext-deps37.5 kB41.3 kB+3.82 kB (+10.2%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      24 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      initializeAnalytics
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      22 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      initializeAnalytics
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • isSupported

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.4 kB10.2 kB-190 B (-1.8%)
      size-with-ext-deps37.1 kB40.9 kB+3.82 kB (+10.3%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      24 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      isSupported
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      22 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      isSupported
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • logEvent

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.2 kB10.0 kB-190 B (-1.9%)
      size-with-ext-deps37.0 kB40.8 kB+3.82 kB (+10.3%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      21 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • setAnalyticsCollectionEnabled

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.4 kB10.2 kB-190 B (-1.8%)
      size-with-ext-deps37.1 kB40.9 kB+3.82 kB (+10.3%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setAnalyticsCollectionEnabled
      setAnalyticsCollectionEnabled$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setAnalyticsCollectionEnabled
      setAnalyticsCollectionEnabled$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • setConsent

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.4 kB10.2 kB-190 B (-1.8%)
      size-with-ext-deps37.1 kB40.9 kB+3.82 kB (+10.3%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      25 dependencies

      _initializeAnalytics
      _setConsentDefaultForInit
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setConsent
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      _setConsentDefaultForInit
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setConsent
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • setCurrentScreen

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.5 kB10.3 kB-190 B (-1.8%)
      size-with-ext-deps37.2 kB41.0 kB+3.82 kB (+10.3%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setCurrentScreen
      setCurrentScreen$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setCurrentScreen
      setCurrentScreen$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • setDefaultEventParameters

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.4 kB10.2 kB-190 B (-1.8%)
      size-with-ext-deps37.1 kB40.9 kB+3.82 kB (+10.3%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      25 dependencies

      _initializeAnalytics
      _setDefaultEventParametersForInit
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setDefaultEventParameters
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      _setDefaultEventParametersForInit
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setDefaultEventParameters
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • setUserId

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.5 kB10.3 kB-190 B (-1.8%)
      size-with-ext-deps37.2 kB41.0 kB+3.82 kB (+10.3%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setUserId
      setUserId$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setUserId
      setUserId$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • setUserProperties

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.5 kB10.4 kB-190 B (-1.8%)
      size-with-ext-deps37.3 kB41.1 kB+3.82 kB (+10.2%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setUserProperties
      setUserProperties$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setUserProperties
      setUserProperties$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • settings

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size10.4 kB10.2 kB-190 B (-1.8%)
      size-with-ext-deps37.1 kB40.9 kB+3.82 kB (+10.3%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      functions

      24 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      settings
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      22 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      settings
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

  • @firebase/app-check

    • CustomProvider

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size7.72 kB7.76 kB+42 B (+0.5%)
    • ReCaptchaEnterpriseProvider

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size11.4 kB11.5 kB+93 B (+0.8%)
      size-with-ext-deps29.7 kB33.8 kB+4.09 kB (+13.8%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      variables

      19 dependencies

      APP_CHECK_NAME
      APP_CHECK_NAME_INTERNAL
      APP_CHECK_STATES
      BASE_ENDPOINT
      DB_NAME
      DB_VERSION
      DEFAULT_STATE
      ERRORS
      ERROR_FACTORY
      EXCHANGE_RECAPTCHA_ENTERPRISE_TOKEN_METHOD
      ONE_DAY
      RECAPTCHA_ENTERPRISE_URL
      STORE_NAME
      TOKEN_REFRESH_TIME
      dbPromise
      defaultTokenErrorData
      logger
      name
      version

      18 dependencies

      APP_CHECK_NAME
      APP_CHECK_NAME_INTERNAL
      APP_CHECK_STATES
      BASE_ENDPOINT
      DB_NAME
      DB_VERSION
      DEFAULT_STATE
      ERRORS
      ERROR_FACTORY
      EXCHANGE_RECAPTCHA_ENTERPRISE_TOKEN_METHOD
      ONE_DAY
      STORE_NAME
      TOKEN_REFRESH_TIME
      dbPromise
      defaultTokenErrorData
      logger
      name
      version

      - RECAPTCHA_ENTERPRISE_URL

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • ReCaptchaV3Provider

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size11.4 kB11.5 kB+93 B (+0.8%)
      size-with-ext-deps29.7 kB33.7 kB+4.09 kB (+13.8%)

      Dependency

      TypeBase (84fe880)Merge (50d088c)Diff
      variables

      19 dependencies

      APP_CHECK_NAME
      APP_CHECK_NAME_INTERNAL
      APP_CHECK_STATES
      BASE_ENDPOINT
      DB_NAME
      DB_VERSION
      DEFAULT_STATE
      ERRORS
      ERROR_FACTORY
      EXCHANGE_RECAPTCHA_TOKEN_METHOD
      ONE_DAY
      RECAPTCHA_URL
      STORE_NAME
      TOKEN_REFRESH_TIME
      dbPromise
      defaultTokenErrorData
      logger
      name
      version

      18 dependencies

      APP_CHECK_NAME
      APP_CHECK_NAME_INTERNAL
      APP_CHECK_STATES
      BASE_ENDPOINT
      DB_NAME
      DB_VERSION
      DEFAULT_STATE
      ERRORS
      ERROR_FACTORY
      EXCHANGE_RECAPTCHA_TOKEN_METHOD
      ONE_DAY
      STORE_NAME
      TOKEN_REFRESH_TIME
      dbPromise
      defaultTokenErrorData
      logger
      name
      version

      - RECAPTCHA_URL

      External Dependency

      ModuleBase (84fe880)Merge (50d088c)Diff
      safevalues

      trustedResourceUrl

      + trustedResourceUrl

      safevalues/dom

      safeScriptEl

      + safeScriptEl

    • getLimitedUseToken

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size7.29 kB7.34 kB+42 B (+0.6%)
    • getToken

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size7.35 kB7.39 kB+42 B (+0.6%)
    • initializeAppCheck

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size11.2 kB11.3 kB+42 B (+0.4%)
    • onTokenChanged

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size7.44 kB7.49 kB+42 B (+0.6%)
    • setTokenAutoRefreshEnabled

      Size

      TypeBase (84fe880)Merge (50d088c)Diff
      size7.44 kB7.48 kB+42 B (+0.6%)

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/xUDBaDzGW9.html

Copy link
Contributor Author

@dlarocque dlarocque left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am confident that our usage of trustedResourceUrl works., but I feel that I need to spend much more time looking into how I can test write and safeServiceWorkerContainer.register, as those seem more complex and issues may not be caught by the tests. Any suggestions on how I can test these two would be very helpful.

packages/messaging/src/helpers/registerDefaultSw.ts Outdated Show resolved Hide resolved
packages/database/src/realtime/BrowserPollConnection.ts Outdated Show resolved Hide resolved
@dlarocque dlarocque marked this pull request as draft June 6, 2024 17:03
@dlarocque dlarocque force-pushed the dlarocque/safevalues branch from 82948f4 to 46a76f7 Compare June 11, 2024 14:57
@dlarocque dlarocque force-pushed the dlarocque/safevalues branch 2 times, most recently from 99eae21 to 7f2f930 Compare July 4, 2024 15:46
@dlarocque dlarocque marked this pull request as ready for review July 5, 2024 14:24
@dlarocque dlarocque force-pushed the dlarocque/safevalues branch from 96fdec2 to b134676 Compare July 11, 2024 19:38
Copy link
Contributor

@hsubox76 hsubox76 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! I think we can make the FIXMEs into TODOs for easy context for whoever works on the fix, and set up time to work with the product teams on each of the more complicated cases. We can bring this up as an FYI in the biweekly meeting and contributors chat.

@dlarocque dlarocque force-pushed the dlarocque/safevalues branch from 8c42f21 to a073d36 Compare July 15, 2024 14:42
@dlarocque dlarocque merged commit f58d48c into master Jul 16, 2024
43 checks passed
@dlarocque dlarocque deleted the dlarocque/safevalues branch July 16, 2024 14:55
@google-oss-bot google-oss-bot mentioned this pull request Jul 16, 2024
@nicole0707
Copy link

Hi team, we are upgrading Firebase sdk to 10.12.4 and encountered some issues in our unit tests. Could you please help us to resolve them? Thanks

    TypeError: 
        ############################## ERROR ##############################

        It looks like you are trying to call a template tag function (fn`...`)
        using the normal function syntax (fn(...)), which is not supported.

        The functions in the safevalues library are not designed to be called
        like normal functions, and doing so invalidates the security guarantees
        that safevalues provides.

        If you are stuck and not sure how to proceed, please reach out to us
        instead through:
         - https://github.com/google/safevalues/issues

        ############################## ERROR ##############################

      30 |     const appCheckProvider = new ReCaptchaEnterpriseProvider(siteKey);
      31 |
    > 32 |     const appCheck = initializeAppCheck(firebaseApp, {
         |                                        ^
      33 |       provider: appCheckProvider,
      34 |       isTokenAutoRefreshEnabled: true,
      35 |     });

      at assertIsTemplateObject (../../node_modules/.pnpm/safevalues@0.6.0/node_modules/safevalues/dist/cjs/internals/string_literal.js:19:15)
      at Object.trustedResourceUrl (../../node_modules/.pnpm/safevalues@0.6.0/node_modules/safevalues/dist/cjs/builders/resource_url_builders.js:162:56)
      at trustedResourceUrl (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/recaptcha.ts:186:5)
      at initializeEnterprise (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/recaptcha.ts:72:5)
      at ReCaptchaEnterpriseProvider.initializeRecaptchaEnterprise [as initialize] (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/providers.ts:209:5)
      at _activate (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/api.ts:160:18)
      at initializeAppCheck (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/api.ts:106:3)
      at src/app-check/app-check.tsx:32:40
      at apply (../utils/src/memo.tsx:41:29)
      at getAppCheckToken (src/app-check/app-check-token.tsx:23:53)
      at Object.<anonymous> (src/app-check/app-check-token.test.tsx:92:36)

@dlarocque
Copy link
Contributor Author

dlarocque commented Jul 22, 2024

Hi team, we are upgrading Firebase sdk to 10.12.4 and encountered some issues in our unit tests. Could you please help us to resolve them? Thanks

    TypeError: 
        ############################## ERROR ##############################

        It looks like you are trying to call a template tag function (fn`...`)
        using the normal function syntax (fn(...)), which is not supported.

        The functions in the safevalues library are not designed to be called
        like normal functions, and doing so invalidates the security guarantees
        that safevalues provides.

        If you are stuck and not sure how to proceed, please reach out to us
        instead through:
         - https://github.com/google/safevalues/issues

        ############################## ERROR ##############################

      30 |     const appCheckProvider = new ReCaptchaEnterpriseProvider(siteKey);
      31 |
    > 32 |     const appCheck = initializeAppCheck(firebaseApp, {
         |                                        ^
      33 |       provider: appCheckProvider,
      34 |       isTokenAutoRefreshEnabled: true,
      35 |     });

      at assertIsTemplateObject (../../node_modules/.pnpm/safevalues@0.6.0/node_modules/safevalues/dist/cjs/internals/string_literal.js:19:15)
      at Object.trustedResourceUrl (../../node_modules/.pnpm/safevalues@0.6.0/node_modules/safevalues/dist/cjs/builders/resource_url_builders.js:162:56)
      at trustedResourceUrl (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/recaptcha.ts:186:5)
      at initializeEnterprise (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/recaptcha.ts:72:5)
      at ReCaptchaEnterpriseProvider.initializeRecaptchaEnterprise [as initialize] (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/providers.ts:209:5)
      at _activate (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/api.ts:160:18)
      at initializeAppCheck (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/api.ts:106:3)
      at src/app-check/app-check.tsx:32:40
      at apply (../utils/src/memo.tsx:41:29)
      at getAppCheckToken (src/app-check/app-check-token.tsx:23:53)
      at Object.<anonymous> (src/app-check/app-check-token.test.tsx:92:36)

Hi @nicole0707, sorry that you're suddenly running into issues with this.

I just tried to re-create this error message in my own Firebase web app, but was unsuccessful.
I'd really like to figure out why you're seeing this issue, and reproduce it myself. It would be helpful if you could share:

  • Code snippet of your unit test that raised the error
  • Your environment (any web frameworks, testing frameworks, libraries etc...)
  • Your testing configuration

Also, if you believe this is an issue with Firebase, and not your code, please submit a new issue.

@nicole0707
Copy link

nicole0707 commented Jul 22, 2024

Hi @dlarocque, FYI we are using the Firebase sdk with Next.js, and the testing framework is Jest. I will look into the issue and try to provide a minimal demo to reproduce it. Thanks!

@delmaass
Copy link

Hello Firebase team, my NextJS project won't build because of an exception that seem related to this update:

./node_modules/firebase/analytics/dist/index.mjs + 51 modules
Cannot get final name for export 'trustedResourceUrl' of ./node_modules/safevalues/dist/mjs/index.js

I am using firebase: ^10.12.4

@delmaass
Copy link

Hello Firebase team, my NextJS project won't build because of an exception that seem related to this update:

./node_modules/firebase/analytics/dist/index.mjs + 51 modules
Cannot get final name for export 'trustedResourceUrl' of ./node_modules/safevalues/dist/mjs/index.js

I am using firebase: ^10.12.4

Downgrading to "firebase": "10.12.3" solved the issue

@dlarocque
Copy link
Contributor Author

Hello Firebase team, my NextJS project won't build because of an exception that seem related to this update:

./node_modules/firebase/analytics/dist/index.mjs + 51 modules
Cannot get final name for export 'trustedResourceUrl' of ./node_modules/safevalues/dist/mjs/index.js

I am using firebase: ^10.12.4

Hi @delmaass, thanks for reporting this. As a sanity check, I upgraded my own Next.js app (It's just the template app with basic Firebase usage) to Firebase 10.12.4, but I was not able to reproduce your issue when building or deploying.
If you believe this is an issue caused by the SDK, could you please submit a new Issue in this repo including more details?

I am worried this might cause issues for a lot of Next.js users, but I haven't been able to reproduce any issues myself.

@dlarocque
Copy link
Contributor Author

@nicole0707
I have been able to reproduce your issue with Jest. If you have any additional info that may help us solve this issue, please mention it in
#8386

tom-andersen pushed a commit that referenced this pull request Jul 24, 2024
* Use safevalues to fix trusted types issues reported by tsec

* Upgrade to safevalues 0.6.0

* Remove exemptions, and untested usages of safevalues

* Add dependency that was accidentally removed

* Add FIXMEs for tsec violations

* Run formatting

* Compare against full Gtag script in tests

* Check that full reCAPTCHA script URL was assigned to script element

* Replace FIXMEs with TODOs

* Remove auth, rtdb, messaging from changeset
dlarocque added a commit that referenced this pull request Jul 25, 2024
dlarocque added a commit that referenced this pull request Jul 26, 2024
* Revert "Use safevalues to fix trusted types issues reported by tsec (#8301)"

This reverts commit f58d48c.

* Add Changeset
@dlarocque
Copy link
Contributor Author

Hi @dlarocque, FYI we are using the Firebase sdk with Next.js, and the testing framework is Jest. I will look into the issue and try to provide a minimal demo to reproduce it. Thanks!

Hi @nicole0707, this should be fixed in the next release which will be out by the end of the week.

For more information, see #8395

@nicole0707
Copy link

nicole0707 commented Aug 5, 2024

Hi @dlarocque, FYI we are using the Firebase sdk with Next.js, and the testing framework is Jest. I will look into the issue and try to provide a minimal demo to reproduce it. Thanks!

Hi @nicole0707, this should be fixed in the next release which will be out by the end of the week.

For more information, see #8395

Thanks @dlarocque, I just checked the issue has been fixed in 10.12.5.

@firebase firebase locked and limited conversation to collaborators Aug 16, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants