
[Feature] Create custom detectSnapLocation to install Snap from NPM on Android #6052

Closed
wants to merge 107 commits into from

Conversation

owencraston (Contributor)

Development & PR Process

  1. Follow MetaMask Mobile Coding Standards
  2. Add release-xx label to identify the PR slated for an upcoming release (will be used in release discussion)
  3. Add needs-dev-review label when work is completed
  4. Add needs-qa label when dev review is completed
  5. Add QA Passed label when QA has signed off

Description

Write a short description of the changes included in this pull request, and also include relevant motivation and context. Keep in mind the following questions:
1. What is the reason for the change?
2. What is the improvement/solution?

Screenshots/Recordings

If applicable, add screenshots and/or recordings to visualize the before and after of your change

Issue

Progresses https://github.com/MetaMask/mobile-planning/issues/731

Checklist

  • There is a related GitHub issue
  • Tests are included if applicable
  • Any added code is fully documented

@github-actions (Contributor)

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@owencraston owencraston changed the base branch from main to feat/snaps-system-integration March 27, 2023 19:54
@owencraston owencraston force-pushed the decompress-snap-tarball-android branch 2 times, most recently from c9ff240 to 9aafe26 March 28, 2023 04:03
@owencraston owencraston force-pushed the decompress-snap-tarball-android branch from e01cb06 to a079a27 April 11, 2023 22:06
@socket-security

socket-security bot commented Apr 21, 2023

New dependency changes detected. Learn more about Socket for GitHub.


🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

⚠️ Critical CVE

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

| Package | CVE | Source |
|---|---|---|
| [email protected] (upgraded) | GHSA-cf4h-3jhx-xvhq Arbitrary Code Execution in underscore (CRITICAL) | package.json via [email protected] |
| [email protected] (upgraded) | GHSA-cf4h-3jhx-xvhq Arbitrary Code Execution in underscore (CRITICAL) | package.json via [email protected] |
| [email protected] (added) | GHSA-hr2v-3952-633q Prototype Pollution in deep-extend (CRITICAL) | package.json via [email protected] |
| [email protected] (added) | GHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quote (CRITICAL) | package.json via [email protected], [email protected] |

⚠️ CVE

Contains a high severity Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

| Package | CVE | Source |
|---|---|---|
| [email protected] (upgraded) | GHSA-h4hr-7fg3-h35w Denial of service in prismjs (HIGH) | package.json via @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected] |
| [email protected] (upgraded) | GHSA-gj77-59wh-66hg Regular Expression Denial of Service (ReDoS) in Prism (HIGH) | package.json via @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected] |
| [email protected] (upgraded) | GHSA-wvhm-4hhf-97x9 Cross-Site Scripting in Prism (HIGH) | package.json via @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected] |
| [email protected] (upgraded) | GHSA-3949-f494-cm99 Cross-site Scripting in Prism (HIGH) | package.json via @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected] |
| [email protected] (added) | GHSA-rc47-6667-2j5j http-cache-semantics vulnerable to Regular Expression Denial of Service (HIGH) | package.json via [email protected] |
| [email protected] (upgraded) | GHSA-x6fg-f45m-jf5q Regular Expression Denial of Service in semver (HIGH) | package.json via [email protected] |
| [email protected] (upgraded) | GHSA-9vvw-cc9w-f27h debug Inefficient Regular Expression Complexity vulnerability (HIGH) | package.json via [email protected] |
| [email protected] (upgraded) | GHSA-rp65-9cf3-cjxr Inefficient Regular Expression Complexity in nth-check (HIGH) | package.json via [email protected], [email protected] |

⚠️ Mild CVE

Contains a low severity Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

| Package | CVE | Source |
|---|---|---|
| [email protected] (upgraded) | GHSA-pfrx-2q88-qq97 Got allows a redirect to a UNIX socket (MODERATE) | package.json via [email protected] |
| [email protected] (upgraded) | GHSA-vfrc-7r7c-w9mx Prototype Pollution in highlight.js (MODERATE) | package.json via @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected] |
| [email protected] (added) | GHSA-pp7h-53gx-mx7r Remote Memory Exposure in bl (MODERATE) | package.json via [email protected] |
| [email protected] (upgraded) | GHSA-gxpj-cx7g-858c Regular Expression Denial of Service in debug (LOW) | package.json via [email protected] |
| [email protected] (upgraded) | GHSA-7wwv-vh3v-89cq ReDOS vulnerabilities: multiple grammars (MODERATE) | package.json via @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected] |
| [email protected] (upgraded) | GHSA-7wwv-vh3v-89cq ReDOS vulnerabilities: multiple grammars (MODERATE) | package.json via @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected] |
| [email protected] (added) | GHSA-wrw9-m778-g6mc Memory Exposure in bl (MODERATE) | package.json via [email protected] |
| [email protected] (upgraded) | GHSA-hqhp-5p83-hx96 prismjs Regular Expression Denial of Service vulnerability (MODERATE) | package.json via @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected] |

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not run non-essential scripts during install; many problems that people solve with install scripts can instead be handled at publish time.

| Package | Script field | Source |
|---|---|---|
| [email protected] (upgraded) | postinstall | package.json via @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected] |
| [email protected] (added) | postinstall | package.json via [email protected] |

⚠️ Filesystem access

Accesses the file system, and could potentially read sensitive data.

If a package must read the file system, it should state what it will read and read only what it claims to. Where appropriate, packages can leave file system access to consumers and operate on data passed to them instead.

| Package | Module | Location | Source |
|---|---|---|---|
| [email protected] (added) | fs | dev/cssToJS.js | package.json via @metamask/[email protected] |
| [email protected] (added) | fs | dev/jsonToCLASS_.js | package.json via @metamask/[email protected] |
| [email protected] (added) | fs | dev/jsonToLESS.js | package.json via @metamask/[email protected] |
| [email protected] (added) | fs | src/apg-conv/apg-conv.js | package.json via @metamask/[email protected] |
| [email protected] (added) | fs | src/apg/apg.js | package.json via @metamask/[email protected] |
| [email protected] (added) | fs | src/apg/command-line.js | package.json via @metamask/[email protected] |
| [email protected] (upgraded) | fs | lib/cache.js | package.json |
| [email protected] (upgraded) | fs | index.js | package.json via @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @testing-library/[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected] |
| [email protected] (upgraded) | fs | lib/util/version.js | package.json via @react-native-community/[email protected] |
| [email protected] (added) | fs | index.js | package.json via @wdio/[email protected] |
| [email protected] (upgraded) | fs | glob.js | package.json via [email protected], [email protected] |
| [email protected] (upgraded) | fs | sync.js | package.json via [email protected], [email protected] |
| [email protected] (upgraded) | fs | dist/cjs/src/opts-arg.js | package.json via @wdio/[email protected], @wdio/[email protected], @wdio/[email protected], @wdio/[email protected], @wdio/[email protected], @wdio/[email protected], @wdio/[email protected], [email protected], [email protected], [email protected] |
| [email protected] (upgraded) | fs | dist/cjs/src/use-native.js | package.json via @wdio/[email protected], @wdio/[email protected], @wdio/[email protected], @wdio/[email protected], @wdio/[email protected], @wdio/[email protected], @wdio/[email protected], [email protected], [email protected], [email protected] |
| [email protected] (upgraded) | fs | dist/index.js | package.json via [email protected] |
| [email protected] (upgraded) | fs | dist/sourcemap-register.js | package.json via [email protected] |
| [email protected] (added) | fs | install.js | package.json via [email protected] |
| [email protected] (upgraded) | fs | lib/renderer/png.js | package.json via [email protected] |
| [email protected] (upgraded) | fs | lib/renderer/svg.js | package.json via [email protected] |
| [email protected] (upgraded) | fs | lib/renderer/utf8.js | package.json via [email protected] |

gantunesr and others added 25 commits April 27, 2023 18:08
This reverts commit 106523e.
…5923)

* Local snaps install with controller version 0.26.2
… iOS (#5926)

* Install a Snap From NPM iOS

- Create NPMLocation class
- Create a custom fetch function for the npm logic as we have slightly different logic
- create a swift native module to read a .tgz file and decompress it
- read the decompressed folder data and pass it to snaps
- swiftlint
- extract icon from tar file
- show request permissions for install snap and account access
- move snap webview to the root of the app and make it invisible
- create RPC method handlers to register snaps rpc methods
* swap for rn-fetch-blob

* remove unused file
* Remove custom handlers and add PermissionMiddleware to SnapBridge RPC engine

* exportMnemonic

* Polyfill TextEncoder

* slightly better UX

* Add SnapMethodMiddleware to SnapBridge

* fetch files based on manifest location

* check source shasum

---------

Co-authored-by: Gustavo Antunes <[email protected]>
@owencraston owencraston force-pushed the decompress-snap-tarball-android branch from 5310f32 to 8395f96 April 28, 2023 01:40
@owencraston (Contributor, Author)

This branch got corrupted in a rebase so I am closing it in favour of #6300

@owencraston owencraston deleted the decompress-snap-tarball-android branch April 28, 2023 18:30
@github-actions github-actions bot locked and limited conversation to collaborators Apr 28, 2023