Created
April 24, 2015 16:46
-
-
Save kmaglione/1100e14f74cdd05e6654 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Validation process: | |
| 1) If add-on supports Windows, a clean virtual machine snapshot is spawned and runtime validation begins. | |
| 2) Static validation is initiated, with the `listed=False` flag passed to the `validator.validate` method. | |
| 3) Once both processes complete, messages are coalesced into a single list. | |
| 4) Any messages with a type of "error" cause the submission to be immediately rejected, without manual review. The process ends. | |
| 5) Messages are grouped by the value of their `signing_severity` properties. Messages without this property are ignored. | |
| 6) If a previous version has passed manual review, messages with low signing severities are compared against messages in the previous version. | |
| • A message in the submitted version corresponds to a message in a previous version if both messages have: | |
| - The same message ID | |
| - The same filename | |
| - The same code context, as defined by the value of the `context` property. | |
| - [optional] Similar line numbers. Exactly how similar is yet to be determined, and implementing this qualification sensibly may | |
| require somewhat more complicated context analysis. | |
| • Any message in the submitted version with a corresponding message in most-recently-approved version | |
| annotated with the location information of said message for use in the validation viewer, and ignored | |
| by subsequent steps. | |
| 7) The validation output, containing the coalesced list of messages, and any annotations added in above steps, is | |
| saved for the future use of reviewers, and display by the validation results viewer. | |
| 8a) If no messages with a `signing_severity` property remain, the add-on is signed and returned to the requester. | |
| 8b) If any messages remain, the add-on is added to the appropriate manual review queue, and an appropriate status | |
| message is returned to the requester. | |
| signing_severity: | |
| LOW: Triggers manual review only when new or with different context. | |
| MEDIUM: | |
| HIGH: Triggers manual review whenever present. | |
| Static: | |
| Preferences: | |
| • Security: | |
| • Updates | |
| • Network | |
| • Blocklist | |
| • Search/homepage | |
| browser.newtab.url | |
| browser.newtabpage.enabled | |
| browser.search.defaultenginename | |
| browser.startup.homepage | |
| keyword.URL | |
| keyword.enabled | |
| app.update.* | |
| extensions.blocklist.* | |
| extensions.getAddons.* | |
| extensions.update.* | |
| security.* | |
| network.proxy.* | |
| network.http.* | |
| network.websocket.* | |
| Other security: | |
| • Access to nsIX509CertDB, nsIX509CertDB2, nsIX509CertList or "@mozilla.org/security/x509certdb;1", "@mozilla.org/security/x509certlist;1" [DONE] | |
| • nsICertOverrideService or "@mozilla.org/security/certoverride;1" [DONE] | |
| • #identity-box | |
| • netscape.security.PrivilegeManager.enablePrivilege [DONE] | |
| Search service: | |
| • currentEngine/defaultEngine/addEngine(|WithDetails)/removeEngine/moveEngine [STARTED (need tests, better messages)] | |
| Other: | |
| • Override about:newtab | |
| • Changing #searchbar or #search-container | |
| Content interaction: | |
| • Categories: [half] | |
| • JavaScript-global-constructor | |
| • JavaScript-global-constructor-prototype-alias | |
| • JavaScript-global-property | |
| • JavaScript-global-privileged-property | |
| • JavaScript-global-static-nameset | |
| • JavaScript-global-dynamic-nameset | |
| • JavaScript-DOM-class | |
| • JavaScript-DOM-interface | |
| • Writes to properties of `wrappedJSObject` (/`Cu.waiveXrays`/`XPCNativeWrapper.unwrap`) objects | |
| • Including objects obtained via `unsafeWindow`. | |
| • Use of shallow wrappers (`XPCNativeWrapper` with a second argument) [DONE] | |
| • `Cu.cloneInto`, `Cu.exportFunction` [DONE] | |
| • `__exposedProps__` [DONE] | |
| Network: | |
| • Proxy filter | |
| Add-on Manager: | |
| • Install/uninstall | |
| In chrome contexts: | |
| • Remote (or not-provably local?) scripts (including with text content) | |
| • `importScripts` | |
| • <script> nodes | |
| • on* DOM attributes | |
| • href="javascript:..." | |
| • eval/Function, setInterval/setTimeout with strings. | |
| • `evalInSandbox` on sandboxes created with chrome principals. | |
| • innerHTML and friends (?) | |
| System interaction: | |
| • nsIProcess [DONE] | |
| • Registry: Definitely writing keys. Possibly reading. | |
| Native: | |
| • ctypes | |
| • Binary components | |
| Filesystem: | |
| • Accessing anything outside of ProfD/TempD (how do we do this statically?) | |
| • Accessing any important files within the profile (TODO: list of files) | |
| Runtime: | |
| Security: | |
| • Trap calls to setTimeout, setInterval with strings. | |
| • Trap assignments to innerHTML and friends | |
| • Changes to above prefs | |
| • Writes to FS outside of profile directory. | |
| • Network requests from outside of content code containing browsing history. | |
| Debugger script creation: | |
| • eval and Function within chrome scopes | |
| • Creation of script nodes by add-on code: | |
| • Remote URLs or text content in chrome scopes | |
| • Script nodes with text content, or from non-secure HTTP URLs in content. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment